Tuesday, July 30, 2013

Defense against Cyber Trolls

A troll's main objective is to intentionally lure a victim into a pointless or annoying discussion by responding to rude questions or statements. The troll amuses himself while the unsuspecting victim is emotionally riled up.
The anonymous quote “Never argue with an idiot. They will drag you down to their level, then beat you with experience” represents the soundest advice when dealing with an Internet Troll.
Remain calm and civil; if you lose your temper, the troll wins. The troll may alert other trolls to join together to harass the victim. Assume the perpetrator is having a bad day and respond as such. A few good words cost nothing but are priceless.

If this does not work, ignore or, better still, block the person; if the comments cross the line of civility, report them to the police.

In short: Be Nice, Ignore, Block and Report when tackling a troll.

Related articles on Internet Trolls

Sunday, July 28, 2013

ATM Skimming Best of the Web Cyber Safety Video

ATM skimming is a form of low-value financial fraud, wherein cyber crooks clone ATM cards using an ATM skimmer: a device attached to an ATM to capture a victim's magnetic stripe data and PIN.

In my Best of the Web Cyber Safety Videos we pay tribute to an informative video by the Queensland Police Department on ATM skimming and what can be done to detect a tampered ATM. If this video fails to appear for lack of Shockwave or Flash support in your browser, go to YouTube and search for "Fiscal the Fraud Fighting Ferret: Episode 3 - ATM Skimming".

Related Reads

Other Best of the Web Cyber Safety Videos


Saturday, July 27, 2013

Embarrassed to find a Crook as your Facebook friend

In India, the use of the Internet and social networking is predominant among the more literate middle classes, and it is quite unlikely to find semiliterate domestic helps using Facebook. Therefore, it was with a great degree of shock and trepidation that a retired couple and their adult children woke up to Facebook friend requests from a crook who had stolen Rs 25 Lakhs (50,000 USD) from their home after sedating them with a spiked sweetmeat.
Reclining comfortably on a double bed in a white vest, the thief appeared to mock their efforts to track him down. He was quick to change his phone SIM card to prevent the police from tracing him, and seems able to procure SIMs without IDs or by using fake IDs. The thief's attempt caught the eye of the local newspaper, which promptly splashed the article on its front page along with his photograph.
Catching the eye of the public and openly mocking law enforcement efforts to track him will narrow his chances of escaping the noose of the law. Use of information technology always leaves a trail of breadcrumbs, and I would not be surprised if our cyber cops are hot on his scent.

Out of curiosity, I did a little digging of my own to find out what type of person he was, who his friends were and what he posted. It was not without surprise that I found the thief and his friends clueless about the privacy settings on Facebook: their default settings allowed public access to all of their profiles. I was not motivated to undertake an in-depth study of this information, but the little I saw convinced me that there was quite a bit going on. Quite a few profiles appeared to be of gays openly soliciting sex, other thieves posting that the law was after them, and perhaps a few educated people who must be ashamed that they can be seen on his friend list.
The thief has also set up three profiles under the same name, each with a different set of friends, and posts in English. In India, a person who can write and speak in English, a second language, would have had a school education. The use of computers, the Internet and Facebook indicates a fair amount of literacy.
The daily described the thief as a computer-savvy domestic help, but it seems more likely to be a case of an educated professional thief posing as a domestic help.
Either way, it seems all the more important to set our privacy settings on Facebook to prevent people other than our friends from viewing our timelines, to avoid making our posts readable to an extended set of friends of friends, to restrict information on wealth and travel, and not to accept strangers as friends.
To be a friend of a crook on Facebook is a sure blot on one's reputation, bringing along undue attention from other friends, the law and employers.
photo credit: kabils via photopin cc

Wednesday, July 24, 2013

Two good reasons to vote for Online Censorship

The phrase “online censorship” conjures images of an autocratic government enacting laws to curb a netizen's online freedom of speech and expression. The slightest mention of the phrase instantly raises the hackles of interest groups, hacktivists and many Internet users.

In the midst of the polarized debate on free speech, the rationale behind Internet censorship, and the question of whose responsibility it is, is left unquestioned. It is assumed that censorship comes from governments and that cyber citizens have no role to play in it. This notion is flawed, as censorship by cyber citizens is urgently needed to control abusive and inappropriate content posted by other cyber citizens. The unattractive alternative is to be policed by the government or law enforcement using loosely defined laws, which are subject to misuse.

Cybercitizens can censor in two ways.

Firstly, by instantly and collectively reprimanding objectionable online comments made by cyber bullies, trolls, racists and fanatics as and when they write such posts. Cyber citizens cannot remain mere bystanders and have to step in to actively demonstrate that such behavior is not appreciated. Cyber citizens must own the responsibility to evolve and build an ethical online social order based on a collective consciousness; one which can be taught in school and passed on to the next generation of digital users.

Secondly, the institutions that collect, store and disseminate user-generated content, such as social networking platforms and websites, must be coerced to actively implement measures to reduce net anonymity, filter objectionable content, and remove hateful ideology by acting on reports from net users. Most of these sites play no role in moral or ethical policing and remain protected by laws which pass accountability on to users, many of whom are anonymous or even in other countries where they are safe from prosecution. Free online platforms sustain themselves and their stock valuation by being able to mine a user's behavior for ad revenue. This motive allows them to be lax on an individual's security and privacy, and tolerant of a wide range of content. Even today, any user can build a fictitious profile on almost all such sites.

Cyber citizens can encourage such sites to pay attention, take action and be transparent about the actions taken on reported abuse, by publicly showing disapproval on the sites' forums and blogs and by prodding their respective governments to enact stringent laws for content management.

Related Reads

Redefining Section 66 of the Indian IT Act

Billions of Unverified Identities creating an Online Identity Crisis


Tuesday, July 23, 2013

Internet Trolls, more of an Internet nuisance less of a cyber threat

Wikipedia defines a troll as “someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as a forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion”.
The main objective of a troll is to intentionally lure a victim into a pointless or annoying discussion by posting rude questions or statements. The troll amuses himself while the unsuspecting victim is emotionally riled up. Trolls have their own online troll communities where they boast of their exploits and rant about sites that have banned them.

Trolls use anonymous identities and create elaborate, long-term fictitious profiles, fictitious not simply in name but in role, age, disability and sex. Some may be outright rude; others may act subtly to ruin the online experience of others, posing as a newcomer deliberately making silly errors in a multiplayer game, or asking stupid questions in user groups to derail discussions. The troll has very little accountability and acts online in a manner he never would in real life.
A troll works by casting bait: making provocative statements on RIP pages, blogs, YouTube, chatrooms, forums, and message boards, and waiting for a victim to bite. If the bait is taken, the troll begins a vitriolic discussion with the victim. The troll is always a winner, having nothing to lose and all to gain. The victim is always a loser.

Trolls are usually an online nuisance, but there are instances when trolls cross the line from rude behavior to criminality. This happens when trolls post death threats, cyber bully, publish the phone numbers of decent women for sex chats, or post fake advertisements for the sale of goods online.
Why do people troll? Sometimes to settle personal vendettas or further a political agenda, but in a large number of cases trolls have no agenda except to derive sadistic pleasure or to vent real-life frustration on strangers. Trolling could be the outcome of poor social skills, bad behavior and a lack of cyber ethics or, according to psychiatrists, a mental illness which needs treatment.

Related articles on Internet Trolls

Monday, July 22, 2013

Free Gift Subscriptions by uKnowKids for Parental Monitoring

Dear Readers,

LuciusonSecurity recently took fifth place in the uKnowKids Parenting Blog of the Year Contest. uKnowKids is a company which helps parents monitor their children online to protect them from cyber risks. The product helps parents review their children's social networks to identify predatory intentions and cyber bullying, and to be informed of new online friends.
As part of the prize, uKnowKids has been kind enough to offer you, dear reader, 25 totally free, year-long uKnowKids Premier accounts (social, mobile and location monitoring) -- you won't even have to put in a credit card!
All you have to do is visit this link: http://updates.uknowkids.com/parenting-blog-of-the-year-giveaway and enter the promotion code below along with the name of my blog.
Promotion Code: LOS101 (once this gets used 25 times, it will cut off)

Do avail of this opportunity,

Thanks uKnowKids


Sunday, July 21, 2013

"Cyber Bullying " Best of the Web Cyber Safety Video

The digital medium allows teenagers to use mobile devices and computers to send SMSs, MMSs, posts, tweets and pictures, to chat and to write blogs. Teenagers set up social networks with friends, acquaintances and even strangers using social networking platforms like Facebook, Twitter and MySpace. Writing a post online is akin to shouting in a room full of friends. When rumors, gossip or something hurtful is said about another, in a spate of anger, envy or fun, it may trigger a mob reaction where the bully is actively cheered on by others in the online room, emotionally scarring the victim.

In my Best of the Web Cyber Safety Videos, we pay tribute to a video which explains cyber bullying. If this video fails to appear for lack of Shockwave support in your browser, go to YouTube and search for “Cyber Bullying Virus”.



Thursday, July 18, 2013

“I’m killing 200 people minimum at school. I will be on CNN” said Carlos

In a small US town, students mourned the untimely death of two of their popular teenage schoolmates in a car crash. Condolences poured in on an online memorial page for the two girls.
Within twenty-four hours, a man named Carlos issued a dire warning on the RIP page.

“My father has three guns. I'm planning on killing him first and putting him in a dumpster.”

“Then I'm taking the motor and I'm going in fast. I'm gonna kill hopefully at least 200 before I kill myself. So you want to tell the deputy, I'm on my way.”

“Stop it,” responded an indignant Miss Phillips, a school teacher.

To which Carlos replied: “You have been chosen tomorrow at school to receive 1 of my bullets. The doctors will have to unscrew the bullet from your skull !@$#.”

He added: “I'm killing 200 people minimum at school. I will be on CNN.”

The little town had never experienced dire threats before. Cell phones rang noisily as worried parents called the school, the police and other parents, fearing for the safety of their children. Local authorities rushed in reinforcements and immediately locked down all the schools in the area. Half of the 6000 students stayed at home behind locked doors. Armed guards patrolled the corridors and checked the school bags of every pupil. There was muted conversation in the hallways as children walked self-consciously to their classrooms. Nervous teachers taught sparsely populated classes. Everyone was on edge. Two months earlier, in another school not far away, 20 children and six adults had been shot dead by another student.

Tuesday, July 16, 2013

Cyber Arms Race leaves Enterprises without a fix

Governments are spending up to half a million US dollars to stock up cyber arsenals with zero day vulnerabilities. Zero day vulnerabilities are not found by specialist firms, but by individuals or small groups of security researchers.

Security researchers currently report vulnerabilities to product firms under responsible disclosure norms, and the firms fix such flaws before they are published. Product companies do not monetarily incentivize security researchers to report vulnerabilities; instead they offer a mention or appreciation on their web site. Bug bounty programs that motivate third-party researchers to find and report bugs have payouts ranging between five and twenty thousand US dollars.

Hawking zero days to governments requires that these flaws be kept alive and not reported to product companies. Such flaws remain discoverable by others, including cyber criminals who use them to target enterprises for financial and ideological gain.

Exorbitant payouts and the opportunity to sell a single zero day to multiple governments will increase the number of security researchers who specialize in this trade. Product companies are forced to be vigilant and to safeguard against employees who deliberately introduce software backdoors in collusion with grey market operators.

Sunday, July 14, 2013

Nigerian 419 Scam Best of the Web Cyber Safety Videos

Today, we pay tribute to a fascinating video of an ABC News Nigerian Scam Documentary, filmed in 2006 but remarkably relevant in 2013. If this video fails to appear for lack of Shockwave or Flash support in your browser, go to YouTube and watch "ABC News Nigerian Scam Documentary" at http://youtu.be/Q0e-pPfITts

Other Best of the Web Cyber Safety Videos

Cyber Bullying using Social Networks ! Best of Web Cyber Safety Videos

Cyber bullies use social networks to post pictures, write comments and create tags which may be mean, hurtful or threatening to their victims. As social networks are inherently designed for collaboration, a bully's comment rapidly circulates among other members of a group, who may further comment on or like the post. When they do, it automatically adds credibility to the bully's action, lowering the victim's self-esteem and bringing on a sense of isolation and depression.

In my Best of the Web Cyber Safety Videos we pay tribute to a fascinating video on how social networks can be used to cyber bully. If this video fails to appear for lack of Shockwave support in your browser, go to YouTube and search for "A #NoTagsWithoutPermission Story: Cyberbullying via tagging on social networks".

Other Best of the Web Cyber Safety Videos

Thursday, July 11, 2013

LuciusonSecurity wins the 5th place in uKnowKids Parent Blog of the Year Contest

Dear Readers,

Great news!!!

LuciusonSecurity has won the 5th spot in the uKnowKids Parenting Blog of the year contest.

I am privileged to have such a great set of supportive readers. I started this blog two years ago and at that time could not have imagined that my passion would eventually lead to my writing over 200 posts and publishing one widely read book, “StaySafe CyberCitizen”. When I look back, I see not the start, but the road on which I must continue to walk with better ideas, innovation and content.

Thank You once Again


Wednesday, July 10, 2013

Never issue terror or death threats on social networks in either jest or anger


What you post online remains online. Occasionally, these posts transcend the thinly veiled line of bad humor into the threats Americans fear most: shootings in schools and terror attacks. Catching the attention of the law, these words haunt their teenage authors in dark and lonely prison cells where they wait out their sentences.
In India, the line is crossed when politicians feel defamed or religious communities have their sensitivities offended. Posts that criticize politicians never fail to instigate mobs of vigilante party workers. Two girls who wrote and liked a banal post attracted the wrath of overzealous party men and police officers, who quickly filed criminal charges. Petitions, media outrage and an alert Indian judiciary fuelled quick justice in a country where cases can languish for years, making the girls instant celebrities of free speech.
As I read the passionate appeal of an American father whose son lies imprisoned for posting a threat to shoot kids at his school, it struck me how difficult it is to accurately preempt a crime from an interpretation of an online comment. The parents and the boy argue that the comment was innocent and nothing more than a trashy rap line written in haste after a tiff with another online video gamer. The law thought otherwise.
Threats of death or harm from cyber trolls and cyber bullies are more common. Coming from strangers and friends alike, these comments create feelings of anxiety, depression and isolation among teens.
Drawing the line on gross misdemeanors on social networks requires a tolerant and compassionate judiciary, police, parents and teachers: institutions that must balance soft alternatives such as awareness, education, warnings and community service against the stricter punishment of jail sentences.
Milder posts, which do not attract much attention, may nonetheless haunt children when they apply to schools or for a job, or even in their relationships with teachers. In a recent survey, 53% of teens reported posting something online which they subsequently deleted for being mean or for disclosing personal information about themselves.
photo credit: .m for matthijs via photopin cc

Monday, July 8, 2013

Should security social workers test websites without authorization to prove that they are insecure?

Earlier this month, the Electronic Frontier Foundation filed an appeal against the 41-month conviction of Andrew “Weev” Auernheimer, who along with a colleague exploited a hole in AT&T's public website to siphon off 114,000 email addresses of AT&T's iPad customers. Andrew erred in sending these email addresses to “Gawker”, which published a few of them, prompting an investigation. Andrew was charged with identity theft and a felony under the Computer Fraud and Abuse Act of 1986 (CFAA). Andrew's colleague, who wrote the “iPad 3G Account Slurper” script which extracted the email addresses, pleaded guilty and was not sentenced.

On June 6, 2013, mainstream Indian media went ballistic over a blog post by a Cornell student of Indian origin who had scraped the entire ICSE Class X and ISC Class 12 results off an online website and analyzed the marks distribution. Luckily for the student, neither the 1,50,000 students nor the Council of Indian School Certificate Examination (CICSE) board filed a case. The hacker fortuitously did not disclose the data online as Andrew did.

In both these events the hackers claimed in their defense that their act could not be equated to a hack, as they scraped data that was publicly available to anyone with reasonable technical knowledge; notwithstanding that in both cases a script was written to extract bulk data using randomized inputs.
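What distinguishes both incidents from an ordinary visitor is the pattern of access: one client fetching a large number of distinct records in a short time. The following is an added example, not code from the post or from either case, showing how a site operator can spot that pattern in ordinary web-server logs. The log lines are constructed, the `/results?rollno=` endpoint and the thresholds are assumptions, and the detector reports any client that requested at least `threshold` distinct record identifiers within any `window_seconds` window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format; not real traffic.
# 203.0.113.7 walks through consecutive roll numbers within a few seconds;
# 198.51.100.9 looks up its own result twice plus one other, which is normal use.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2013:10:00:01 +0000] "GET /results?rollno=1000041 HTTP/1.1" 200 512
203.0.113.7 - - [06/Jul/2013:10:00:02 +0000] "GET /results?rollno=1000042 HTTP/1.1" 200 498
198.51.100.9 - - [06/Jul/2013:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [06/Jul/2013:10:00:03 +0000] "GET /results?rollno=1000043 HTTP/1.1" 200 503
198.51.100.9 - - [06/Jul/2013:10:00:04 +0000] "GET /results?rollno=1003877 HTTP/1.1" 200 511
203.0.113.7 - - [06/Jul/2013:10:00:04 +0000] "GET /results?rollno=1000044 HTTP/1.1" 200 507
203.0.113.7 - - [06/Jul/2013:10:00:05 +0000] "GET /results?rollno=1000045 HTTP/1.1" 200 499
198.51.100.9 - - [06/Jul/2013:10:00:09 +0000] "GET /results?rollno=1003877 HTTP/1.1" 200 511
203.0.113.7 - - [06/Jul/2013:10:00:06 +0000] "GET /results?rollno=1000046 HTTP/1.1" 200 502
198.51.100.9 - - [06/Jul/2013:10:00:40 +0000] "GET /results?rollno=1003878 HTTP/1.1" 200 509
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The record identifier parameter of the hypothetical results endpoint.
ID_RE = re.compile(r'[?&]rollno=(\d+)')


def parse_line(line):
    """Return (client_ip, timestamp, record_id), or None for lines that are
    not a record lookup (static pages, malformed lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    idm = ID_RE.search(m.group('path'))
    if not idm:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, idm.group(1)


def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Return {client_ip: max_distinct_ids} for every client that requested at
    least `threshold` distinct record ids inside some `window_seconds` window.
    Repeated lookups of the same id do not count, so a user refreshing their
    own result page is not flagged."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, rid = rec
            per_client[ip].append((ts, rid))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, reqs in per_client.items():
        reqs.sort()  # logs are not always in time order
        best = 0
        for i, (t_end, _) in enumerate(reqs):
            # Distinct ids requested in the window ending at this request.
            distinct = {rid for t, rid in reqs[: i + 1] if t_end - t <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f'{ip}: {count} distinct records in one window')
```

Run against a real log the detector feeds a rate limit or a CAPTCHA step rather than an automatic block, since a school or a shared proxy can legitimately produce several distinct lookups from one address; the window and threshold are what you tune against your own traffic.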

There are security professionals and firms who test a company's websites without authorization and use the vulnerabilities they find as a sales pitch. This practice, prevalent in the early days of the dotcom era, was acceptable to firms which did not spend money on routine security assessments, as the largest risk was website defacement. At that time, amateur hackers were a nuisance to business, nothing more. Nowadays, the risks and benefits of cyber crime are far bigger and it is difficult to distinguish between well-meaning professionals and crooks.

Should this practice be encouraged? I believe not. Should people like Andrew Auernheimer or Aaron Swartz be punished severely? I believe not. This is where an informed and aware judiciary has to draw the line. In the first instance of a new form of crime, sentences are handed out to set an example. This in my view is unjust to the person who was caught first, as others who follow may be more fortunate.
On a similar note, people and companies who do not take steps to protect their net infrastructure and customer data should be penalized. The fault for not using encrypted Wi-Fi, not changing the Wi-Fi default password, not using an updated antivirus or not patching a computer should rest squarely on the owner, as its impact can have consequences for other people, firms or even national security.

Product vendors have found a way to motivate security researchers through legitimized bug finding in bug bounty programs. Bug bounty programs offer a bounty, which may be up to 1,00,000 US$, for every security bug found and disclosed responsibly. Responsible disclosure allows the product vendor time to fix the vulnerability before public disclosure. Such programs are unsuitable for companies, and unauthorized non-professional testing has the ability to create site outages.

photo credit: geoftheref via photopin cc

Saturday, July 6, 2013

Buying Fake Passports for a Paltry Rs 20,000

Fake passport rackets are rampant in most parts of the world that depend on photographs as the principal form of identity proof. Aside from their use as a travel document, passports are an authentic source of citizenship in countries like India which do not have a national identity card.

Falsified passports are used for escape into exile, identity theft, age deception, illegal immigration and organized crime. Passports are therefore sought after by immigrants from Bangladesh, those seeking low-skilled foreign jobs, terrorists, criminals and convicts fleeing the country. Terrorists need to circumvent immigration laws and law enforcement "watch lists" to travel internationally in order to raise funds, recruit operatives, train the operatives and send them out to plan and conduct terrorist attacks.
Gangs that specialize in forged passports offer a wide range of services which include arranging a fake passport, replacing photographs in a passport, fake visas, fake ECNR and even forged arrival/departure stampings. Passports are prepared in three ways: obtaining genuine passports using fake documents and bribes, physically altering a valid stolen passport by replacing pages or photographs with fake ones, and fabricating passports outright.
Many of the passport rackets are in active connivance with corrupt passport, government and police officials who charge between Rs 20,000 and Rs 50,000 for each passport. The number of passports seized during each raid is in the hundreds, which points to a significant demand for forged documents.
A Google search for passport rackets unearthed in India shows the scam to be prevalent in every major city. The most prized passport is a genuine one issued in a fake name, as shown in this live news report of a recent bust in the northern Indian city of Kanpur. This weakness in our country's primary source of reliable identification is truly worrisome. It will continue to remain so until the Aadhar program for biometric identification of all Indians is fully operational and used by government departments like immigration and by banks.

Click to watch the clip on YouTube at http://youtu.be/QfiFCLwwlyM .


Interestingly, the scam seems to be going online. An investigative article on the Russian cybercrime underground describes a Do It Yourself site for passports and other credentials. The web site promises a quick set of documents at a slightly lower quality and price. Many of these online solutions are actually scammers who believe that there is a quick buck to be made.
Passports are not the only documents that are fabricated and available for a price on the market. Other documents like PAN cards, birth certificates, educational certificates and employment certificates are all available for a price. Besides fake credentials, there have been instances of bogus universities set up only for the purpose of issuing degree credentials, and of the hiring of substitutes to sit in for the entrance examinations of prestigious colleges.

photo credit: gabriel.jorby via photopin cc

Thursday, July 4, 2013

Russell Crowe’s tweet embarrasses a million fans

Russell Crowe, the Australian actor best known for his role as Roman general Maximus Decimus Meridius in the epic film Gladiator, gave his one million fans a rude shock when a sultry picture of a woman's pubic area appeared in his Twitter feed. His public relations team claimed that his Twitter account had been hacked into, and Crowe himself denied any knowledge of the tweet.
Posting a nude picture would perhaps be the silliest action by any hacker, and therefore seems improbable. Typically hackers tweet spam links or broadcast their achievement once a celebrity account is compromised. A good example is the very real hack of the vivacious Lady Gaga's Twitter and Facebook accounts, to tweet/post a fake survey link masked as an attractive free iPad giveaway gimmick.

Whatever the truth may be, we must ensure that no one gets hold of our unattended phone and tweets onto our Twitter feed. Technically, you are hacked, but by someone known: naughty children, colleagues or an estranged partner, for example. Password-protecting your phone is a useful defense.

Another intriguing but largely improbable theory, based on the recent Chinese incident of a technician accidentally broadcasting a porn film on a public LED screen, is that a PR manager accidentally tweeted on a client's account while viewing pictures on his device.

Tweet-happy fingers are a strict no-no; but that advice happens to be good old common sense, not cyber security.
photo credit: id-iom via photopin cc

Wednesday, July 3, 2013

Best of the Web Cyber Safety Videos " How Safe is Your Personal Information Online "

Many companies and organizations have charitably funded cyber security and cyber safety videos. These well-meaning initiatives have not gained the visibility they truly deserve, as the budget for promotion of community initiatives is usually small. Yet they hold the potential to create instant awareness.
In the Best of the Web Cyber Safety Videos list, I endeavor to link these brilliant videos together on my blog and Facebook page, to help educationists, individuals and parents easily find and use them.
Today, we pay tribute to a fascinating video on personal online privacy for teenagers and adults. Watch on!

If this video fails to appear for lack of Shockwave or Flash support in your browser, go to YouTube and watch "Amazing Mind Reader reveals his gifts" at http://www.youtube.com/watch?v=F7pYHN9iC9I


Other Best of the Web Cyber Safety Videos


Tuesday, July 2, 2013

Untested Logic allows hackers to hijack Facebook accounts

Well-written and tested software seems to be an idealistic assumption, with sites like Skype and Facebook failing to eliminate flaws in the very components which ensure security and privacy on their platforms.

There have been two reported cases where Skype and Facebook had accounts hijacked through the exploitation of logical flaws in their account set-up mechanisms.

The security researchers who uncovered these flaws smartly combined features available to set up and reset accounts to gain full control over their victims' accounts. Neither of these attacks required coding knowledge or special skills, and the attacker did not need to know any secret credentials to gain access to an account; only email IDs or profile names. In both attacks the owners of the targeted accounts had no indication that the hack was underway until they were no longer able to access their accounts.
Very recently Facebook fixed a flaw where a victim's account could be hijacked using an SMS in under a minute. The account hijack was a two-step process. In the first step, an arbitrary mobile phone was associated with the target's Facebook account; in the second step, a password reset was initiated using the attacker's phone to choose a new password for the targeted account, thus giving him complete access.

The blog post "How to hack any Facebook account in under a minute, by sending just one SMS" provides a step-by-step description of how this attack was carried out.
Last year, a Skype account could easily be exploited with the knowledge of a victim's email address. The blog post "Your Skype account can be hijacked with just your email address" provides a step-by-step description of how this attack was carried out.

These sites have been in operation for many years, yet they were susceptible to the introduction of new flaws, or perhaps the reintroduction of old ones, as new functionality was added. The root cause of the problem is the pressure of rapid release cycles coupled with limited feature testing.
As a cyber citizen, there are limited defenses against such types of flaws. Use of one-time authentication, if provided by the site, enhances login security. Another good practice is the use of two email IDs, one kept secret and used only as a login credential and another for regular email.
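The two-step hijack described above comes down to one missing check: the phone-linking step accepted an account identifier supplied by the client instead of taking it from the logged-in session. The following is an added example, not code from Facebook, Skype or the posts cited here, that models a toy account service with that check switched off (the flaw) and on (the fix), plus the regression test a reviewer would write for it. Everything in it is an assumption: the class and method names, the fictional phone number, and the simplified confirmation-code and reset flows.

```python
import secrets


class AccountService:
    """Toy model (hypothetical, not any real service's code) of phone linking
    and SMS password reset. With trust_client_account_id=True the link step
    honours an account id sent in the form, so any phone can be bound to any
    account; with False it binds the phone to the authenticated session only."""

    def __init__(self, trust_client_account_id):
        self.trust_client_account_id = trust_client_account_id
        self.accounts = {}      # account_id -> {"password": str, "phone": str | None}
        self.sessions = {}      # session token -> account_id
        self.pending = {}       # confirmation code -> (account_id, phone)
        self.reset_codes = {}   # reset code -> account_id
        self.sms_outbox = []    # (phone, text) messages a real service would send

    def create_account(self, account_id, password):
        self.accounts[account_id] = {"password": password, "phone": None}

    def login(self, account_id, password):
        """Return a session token, or None on a wrong password."""
        if self.accounts.get(account_id, {}).get("password") != password:
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = account_id
        return token

    def request_phone_link(self, session, phone, form_account_id):
        """Step 1 of linking a phone: text a confirmation code to the phone.
        The request form carries an account id field that the client controls."""
        if self.trust_client_account_id:
            account_id = form_account_id          # FLAW: client chooses the account
        else:
            account_id = self.sessions[session]   # FIX: account comes from the session
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (account_id, phone)
        self.sms_outbox.append((phone, f"Confirmation code: {code}"))

    def confirm_phone_link(self, code):
        """Step 2: whoever holds the phone confirms, and the phone is linked."""
        account_id, phone = self.pending.pop(code)
        self.accounts[account_id]["phone"] = phone

    def request_password_reset(self, phone):
        """Text a reset code to the account that has `phone` on file."""
        for account_id, acct in self.accounts.items():
            if acct["phone"] == phone:
                code = secrets.token_hex(4)
                self.reset_codes[code] = account_id
                self.sms_outbox.append((phone, f"Reset code: {code}"))

    def reset_password(self, code, new_password):
        account_id = self.reset_codes.pop(code)
        self.accounts[account_id]["password"] = new_password


def read_sms(service, phone, prefix):
    """Return the code from the most recent SMS to `phone` whose text starts with `prefix`."""
    for to, text in reversed(service.sms_outbox):
        if to == phone and text.startswith(prefix):
            return text.split(": ", 1)[1]
    return None


def run_scenario(trust_client_account_id):
    """Regression test for the flaw: a logged-in user links their own phone
    while naming someone else's account in the form, then asks for a reset.
    Returns True if they end up able to log in to the other account."""
    svc = AccountService(trust_client_account_id)
    svc.create_account("victim", "victim-pass")
    svc.create_account("other-user", "other-pass")
    other_phone = "+1-555-0100"  # constructed, fictional number
    session = svc.login("other-user", "other-pass")
    svc.request_phone_link(session, other_phone, form_account_id="victim")
    svc.confirm_phone_link(read_sms(svc, other_phone, "Confirmation code"))
    svc.request_password_reset(other_phone)
    reset = read_sms(svc, other_phone, "Reset code")
    if reset is None:
        return False
    svc.reset_password(reset, "new-pass")
    return svc.login("victim", "new-pass") is not None


if __name__ == "__main__":
    print("flawed service hijackable:", run_scenario(True))    # True
    print("fixed service hijackable: ", run_scenario(False))   # False
```

The fix is a single line, which is why this class of bug survives release after release: the feature works perfectly for honest users in both versions, and only a test that deliberately sends a mismatched account id tells them apart. The one-time-code defence mentioned above helps for the same reason the fix does: it ties the reset to something bound to the real account owner rather than to whatever the request claims.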

photo credit: Rosaura Ochoa via photopin cc