Sunday, June 30, 2013

Personal Information your child discloses online

Children use social networking sites like Facebook extensively to communicate and chat with their friends and with strangers. Children are exposed to “stranger danger”, “cyber bullying” or trolling when they post information of value and their privacy settings are not appropriately set, allowing criminals, bullies, perverts and pedophiles to view their posts.
Many of these sites have member-enabled privacy settings to restrict the viewing audience to preset categories such as friends, friends of friends and public. These broad privacy mechanisms are not sufficient to prevent determined strangers from viewing posts by surreptitiously becoming part of these categories.

If your child does not accept strangers as friends because you have taught him well, but his friend does, then his post with a friends-of-friends restriction will be viewed by the stranger. The stranger can then comment on the post, which will in turn be seen by your child. This familiarity, and the fact that the stranger is a friend of a friend, may eventually lead to the stranger’s acceptance as a friend.
Types of personal information that put a child or family at risk are:

  • Disclosure of identity, home address and movements
  • Disclosure of information on family issues or wealth
  • Financial information
  • Sharing of passwords due to teen culture
  • Sexually explicit messages and videos sent to partners can be put online when the relationship sours
  • Embarrassing photos or videos and hurtful or insulting content

Personal information may be posted voluntarily or disclosed in chat room conversation. In chat rooms children may disclose information that they would not normally post, when asked a question by a trusted stranger or even because they believe that they are anonymous. Personal information can be disclosed in a variety of ways. Listed below are a few of them:
  • Profile Pages
  • Pictures
  • Posts and Chats
  • Using Webcams
  • Using SMS, IMs and MMS
  • Video Chats


Saturday, June 29, 2013

How do you con a person into parting with hard-earned money for a fake scheme?

One would think it impossible. If we look at recruitment scams as an example, an analysis would show that in reality such cons are fairly common and claim highly educated engineers and graduates as victims (India’s eager IT graduates fall for fake interview scams). Most of these schemes thrive on fake mails and advertisements, and even offer fake appointment letters (Fake job letters scam in Air India). The con artist makes money by convincing each interview applicant to deposit a small sum of money into a personal bank account prior to the job interview.
Most people fall for such schemes because these artists sweet-talk prospective job seekers by preying on their emotional need for a blue-chip job. So perfect is their sales pitch that their victims fail to apply basic reason and do reference checks to verify the claims made. In the IT recruitment job scam, the recruitment pages of these companies carry clear warnings about these scams. In one such scam 1,500 victims were provided with fake employment letters and travelled from many North Indian cities to Pune, a city in West India. They only found out that their appointments were not real when they reported for work.

Every request for money is backed by a believable story. In the IT job interview scam the money was supposedly to be used for travel expenses, and the rationale for using a third-party account rather than a company account was to be able to refund the money quickly after the interview.
Similar confidence tricks are used in various types of financial fraud. The job recruitment scheme nets around Rs 7500 or USD 200 for each victim, but financial frauds can wipe away entire savings and lead victims to commit suicide.

Many of these fraudulent financial schemes actually operate from a registered company with many employees. They use celebrities to endorse their schemes and build credibility. Most of these employees may not be aware that their company is actually involved in large-scale fraud until it fails to repay investors. A good example is the case of an Indian couple who fooled 200,000 investors for a net collection of $60m.
A former con artist turned do-gooder has this advice, given after his prison sentence:

a)    Never make a buying decision immediately after you have heard the sales pitch for a get-rich-quick scheme. Give it 24 hours for the emotional effect to wear off and for your logical mind to check and verify the scheme.

b)    Don’t share personal information, such as your worries, as this will be used to sell the scam to you. Con artists normally ask more questions than the victims do. Greed is the surest means of convincing people to take part in schemes.

c)    Always ask “What’s in it for them?” If this is such a great scheme, then why are they calling me about it?

Thursday, June 27, 2013

Top CISOs would like their role to be more independent and empowered

I recently moderated a panel on the topic “Should the Role of the CISO be more independent” at the TOP 100 CISO award function in Mumbai, India. 

The increasing awareness of the vulnerability of organizations to cyber-security risks, such as corporate espionage and compromise of intellectual property resulting in service failures and reputational damage, has made visible the gaps in appropriate cyber-protection strategies.
Unfortunately, these changes have not yet resulted in raising the visibility of the CISO function or enabling a higher degree of autonomy for the role. The limited exposure of the CISO to the organization’s CEO significantly limits the CISO’s ability to articulate such risks to the business in context, consequently reducing the CEO’s visibility into cyber-security risks that could eventually impact profits and growth.
Over 60% of today’s CISOs still report to the CIO, and are considered a part of the IT function. In a recent show of hands by the Top 100 Indian CISOs during a panel event I moderated, over 90% voted for a more independent yet empowered structure. Most CISOs felt that the heightened accountability of the function should correspond with increased powers over budget allocations, technology adoption, recruitment decisions and operations.
In a poll which I ran amongst a few members of the ISF (Information Security Forum), the respondents emphatically voted for an independent & empowered CISO function which they felt would make the role more effective and strategic.
Involving the CISO in the strategic decision-making process will ensure that security is accorded due priority. In the near future, it is very likely that CISOs will play a strategic role due to the rising cost and impact of cybercrime, and the adoption of business and technical changes driven by consumerisation and the cloud.

Tuesday, June 25, 2013

The Key Goal of Keeping Children Safe Online is to protect them from Cyber Harm

All children are exposed to cyber risks when online. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all. My earlier blog “Keep children safe by being aware of the 4C’s of risks children face online” provides a view of these risks.
A child suffers abuse when cyber risks translate into cyber harm. “The Top 9 mild and severe cyber risks that kids face online” illustrates the key risks parents should be aware of. Most children adapt and shrug off exposure to mild cyber risks, but encounters with severe risks scar children for a long time. Mild risks are commonplace and usually dealt with by the child without parental involvement, as is to be expected in an emerging Gen Y society which is establishing the social rules for the use of cyberspace.

Instances of severe cyber risks are much fewer. Most go unreported and untracked by crime statistics, which reduces their importance to society as against other, more violent and physical forms of crime. Cyber risk turns into cyber harm when a vulnerable child is exposed to a severe form of cyber risk such as pedophiles or excessive content. If a child is a victim, the psychological damage can rob the child of his/her childhood.
Parents with intimate knowledge of their child’s psychology and behavior can easily identify whether their children are susceptible to cyber harm. Typical evidence of vulnerability is excessive interest in adult or violent content, fixation on adult issues such as wanting to look slim due to peer pressure, or simply the need to confide in strangers because of problems at home.

Parental guidance and regular frank discussions on the use of the Internet are the best way to give your child the ability to steer past these risks and enjoy a safer online experience.

Saturday, June 22, 2013

Top 9 mild and severe cyber risks that kids face online

Children constantly face cyber risks every time they go online. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all. My earlier blog “Keep children safe by being aware of the 4C’s of risks children face online” provides an overview of these risks. The degree of cyber risk to which individual children are exposed varies from mild to severe. Children normally cope with mild risks but need help when exposed to severe risks. Examples of mild and severe risks are depicted in the picture below.

Friday, June 21, 2013

LuciusonSecurity has been nominated for the uKnowKids Parenting Blog of the Year Award.

LuciusonSecurity has been nominated by uKnowKids subscribers as one of their favorite parenting blogs for the Annual uKnowKids Blog Awards. The blog has earned a spot in the top 25 semi-finalist list!

The finals will be decided by your vote. If my blog has been useful to you, then do vote for it. The process is simple; all you need to do is click the voting link.

Tuesday, June 18, 2013

Cyber Risks Indian School Children face while using the Internet and Facebook

A recent survey of 17,478 students between the ages of 12 and 18 years, in twelve Indian cities, by Tata Consultancy Services (TCS) threw up an interesting set of statistics on how Indian Gen Y kids use technology. I analyzed the cyber risk associated with these trends.
1 out of 4 students spent over an hour online each day, primarily for school work and to chat/connect/blog.
Risk: Children constantly face cyber risks every time they go online. The degree of cyber risk to which individual children are exposed varies from mild to severe. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all.
Other popular uses were to download music, access email and view movies.
Risk: Unknowing introduction of malware on home computers when children surf, exchange files and download attachments. These attachments can contain unseen malicious software which hackers can then use for cybercrime.

4 out of 10 students shop online for books, music, and tickets (movie, airline and railway).
Risk: These children have access to credit cards which can be misused for online shopping, games or to buy access to premium adult content.
6 out of 10 students owned a smartphone and 1 out of 4 used them to browse the net.
Risk: Children can use the Internet without parental supervision to access inappropriate content such as adult content and chats. They can also fall victim to online predators who entice children. The Internet provides anonymity, which allows such individuals – on social networking sites, chat rooms, or elsewhere – to assume multiple personalities and pretend to be of a different gender and a false age. The absence of physical interaction brings in a false sense of security.
8 out of 10 students used Facebook for socializing and chatting.
Risk: Loss of privacy, as information children post about themselves and their family, such as wealth, travel plans, and relationships, can be used by thieves, predators, and others with bad intentions. Children need to be educated on what information could and should not be posted online. Another key risk is cyber bullying, in which a bully posts offensive, derogatory and hurtful comments which affect the victim’s self-image, esteem and relationships with other children. Information posted in blogs, posts, photos or comments, however thoughtless or baseless, does take an emotional toll on its victims.

Monday, June 17, 2013

Keep children safe by being aware of the 4C’s of risks children face online

Children constantly face cyber risks every time they go online. The degree of cyber risk to which individual children are exposed varies from mild to severe. In all there are four major categories of such risks, namely content, conduct, contact and cybercrime, with content being the largest of all.

Vulnerable or highly adventurous children normally face exposure to severe forms of cyber risk such as pedophiles. These children are sought out as targets due to their gullibility, ease of emotional exploitation or simply due to their interest in adult subjects. Most children who are affected by mild cyber risk have learned to cope without much support. Vulnerable children who fall victim display signs of anxiety, withdrawal from the Internet, and may even not want to go to school for several weeks. These children require support from peers, family and teachers to bail them out of the situation they are in.
Parents should be able to determine when their children are exposed to cyber risks and to what extent they are vulnerable. Frequent conversations with their child on net use are the most popular method, practiced by over 75% of parents. When children report a problem, parents must be supportive.

Monday, June 10, 2013

Protect Twitter Accounts from Seven Types of Hacking Attacks

Sending embarrassing tweets, posting merchandising spam, or deliberate lock-outs are a normal consequence of hacked Twitter accounts. An account is compromised when an unauthorized user has been able to obtain (and perhaps change) the original username and password, or has gained access to an open Twitter session (such as via access to a phone or tablet with stored credentials). Indications of a hacked account are:
  • Noticing unexpected tweets or unintended direct messages
  • Hijacking of the Twitter account, deactivation or change of username
  • Access granted to new applications
  • Unexpected behavior like following, unfollowing, and blocking

A hacker may be a disgruntled friend, a prankster, someone who found your lost phone, or a professional hacker motivated by financial or ideological gain. As one would imagine, hacking a Twitter account may be as simple as seizing an opportunity to access an unattended mobile device with an active Twitter session, using phishing (a social engineering technique) to convince a user to part with his/her credentials, or even guessing weak passwords. Most of us fail to follow security best practices, are security unaware, or simply fall victim to a convincing con scheme and give away our security credentials.

A small subset of hacking attacks is technically sophisticated, even beating the defenses put up by security-conscious users. Typically, such attacks are targeted against prominent individuals, media firms, companies and celebrities. The objective of these attacks is to propagate an ideology, embarrass a firm, or make money by sending spam to a large follower base from a celebrity Twitter account.

There are several ways Twitter accounts can be hacked into. Some attacks compromise Twitter accounts directly and others indirectly, via associated email and third-party accounts. In the table below, we examine how we can defend against seven types of attacks.

The key objective of our exercise is (a) to defeat the attempts of unskilled hackers, (b) to make it difficult for professional hackers to compromise our account, and (c) to reduce the impact of a compromise if it does happen. We must also assume that, being fallible humans, it is not possible for us to follow security best practices all the time.

1. Guess your password
How it happens: Your weak password (e.g. twitter123) was easily guessed by a hacker.
Defense:
  • Use Twitter two-factor authentication (2FA), i.e. additional authentication using SMS. This forces a hacker to also obtain access to your phone, or to intercept the Twitter 2FA SMS, to take control of your account, which poses quite a challenge.
  • Use strong passwords.
Limitation: The Twitter 2FA service is not offered by all mobile companies.

2. Password resets
How it happens: Your password was changed by a hacker who previously compromised the email account registered for Twitter password resets. The hacker simply requested a Twitter password reset, received the reset link in the compromised email account and then changed the Twitter password.
Defense, for both your Twitter and email accounts:
  • Use 2FA (additional authentication using SMS).
  • Use strong passwords.
Limitations:
  • The Twitter 2FA service is not offered through all mobile companies.
  • Not all email services offer 2FA.

3. Obtain access to your cell phone or tablet
How it happens: The hacker obtains access to your cell phone. Normally, users remain logged on to Twitter as well as to their personal email account on mobile devices. Accounts can then be easily used or passwords reset.
Defense:
  • Password protect your cell phone, and set the phone to lock out after ten failed tries. For a higher level of security, one can erase the phone data after ten failed unlock attempts. This works when you take a regular backup of the cell phone data.
  • Use complex passcodes, as simple passcodes can be easily cracked with software. This is an inconvenience which is worth the effort. Even a complex six-digit numeric code, combined with a ten-attempt lock-out, will do.
  • Reset your Twitter, email and other passwords if your phone has been lost or stolen.
Limitation: Slight inconvenience when using the phone or tablet.

4. Phishing (con mail)
How it happens: You part with your Twitter credentials in response to a con mail claiming to come from either Twitter or your email provider’s customer support team.
Defense: Be aware that you should never part with your credentials. No firm asks for these credentials.

5. Trojan (malware) based attack
How it happens: You download a Trojan on your desktop or phone which steals credentials and forwards them to the hackers.
Defense:
  • Use antivirus software.
  • Use 2FA.
Limitations:
  • It is difficult for users to recognize malicious apps and websites.
  • The 2FA service is not offered through all mobile companies.

6. Exploitation of vulnerable Twitter APIs
How it happens: Your password is stolen through the exploitation of a technical vulnerability in the Twitter service.
Defense: Twitter, on detecting such breaches, locks the affected accounts and sends a password reset notification.

7. Exploitation of third-party applications
How it happens: Access to your Twitter account is obtained via third-party applications that have been given rights to write to your Twitter feed.
Defense:
  • Review your list of third-party applications in the Twitter account settings page (applications tab) and revoke applications you do not need.
  • Use strong passwords for these applications.
  • Change the Twitter password on detection of unintended posts made through these applications.
  • Do not grant access to websites which promise more followers or applications which post advertisements. Some of these may be malicious or prone to being hacked themselves.