Shell Shock vulnerability in UNIX discovered after thirty years hits core infrastructure

The last few days saw frenzied remediation of a critical vulnerability called Shell Shock which allows a hacker to fire remote privileged commands to UNIX servers. UNIX is an integral part of the core Internet infrastructure, and BASH (the shell which is vulnerable) is a well-used program. The program has been in use for the last thirty years before the flaw was recently uncovered.

A remote compromise simply means that websites, cloud services and internal datacenters are all vulnerable to cyber-attack either from malicious insiders or if accessible remotely, from cybercriminal across the globe. Such attacks result in data theft, downtime and outright wiping of data from these servers. Given the nature of BASH, there is the fearful possibility of automated exploitation of the vulnerability using a small piece of mobile code called “worms” which travels over the network infecting servers.

The good news for most cybercitizens using the Windows operating system is that it is not affected and therefore home networks which use Windows based laptops and desktops are relatively safe. Apple has released a patch for the Bash vulnerability for its OS X Lion, Mountain Lion and Mavericks software. Mac users are advised download the Bash update and patch their systems. Apple had earlier advised that OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.The bad news is that most online services are built on UNIX and unless they are patched quickly a potential breach would affect a cybercitizens security and privacy. 

Most of the large service providers will take quick steps to assess their vulnerability and ensure remediation with available patches and other countermeasures.  This should reduce the risk to most of the services cybercitizens commonly use. Cybercriminals will attempt to exploit the time to remediate by targeting vulnerable and financially lucrative systems. Therefore for system administrators and security professionals it is literally a race against time. For cybercitizens, who own Apple Mac’s the patch should be quickly installed.

There are multiple core vulnerabilities yet undiscovered or undisclosed, which in future will have an overriding effect on the resiliency of the networks and services that form the Internet. These exist due to the difficulty in security testing products, assumptions on the secure nature of mature products and as we are all well aware, due to governmental action which requires pre-installed backdoors or weakened security defenses :- such as in the case of data encryption.

Cybercitizens should be aware that core vulnerabilities are a lurking problem that may surface as targeted attacks on large companies at any point in time, and will most certainly be used during a proxy or cyberwar. Governments today, maintain a war chest of similar vulnerabilities.

The only tip that I could possible offer is to keep an offline copy of the data or transactions stored online. Paper back-up of critical documents may seem archaic but seems to be a good idea.

1.2 billion Indians need cybersecurity education in the next five years

Mid 2013, the Indian government in its Nation Cyber Security Policy outlined the need for India to create half a million security professionals to protect and assure its digital assets.  A policy focus of this magnitude necessitates the introduction of cybersecurity postgraduate programs in India’s higher education system and a larger fund outlay to promote academic research in security.  On the cards are venture funds to aid entrepreneurs invest in the local manufacture of indigenous telecom and security products, in an attempt to try and tap Indian IT talent to create a new industry sector.

While the economic need for security professionals to protect a strong and vibrant economy is a reality, with 1.2 billion Indian’s online we face a much larger social challenge to minimize security risk and instill ethical use. Citizens will engage in online social activities like games and social media, e-governance, personal communication, ecommerce and much more.  A digital India will comprise at least 5 billion individual owned digital assets online – now called the Internet of Everything – these include Internet connected refrigerators, microwaves, thermostats, net nannies, cars, wearables, health device and so on. All which are to be secured by each cybercitizen on their own.

State intervention in personal online security will be a daunting task. Today we face challenges in drafting legislation and in gearing up the law enforcement and judicial system to deal with infringements. Training of the Indian judiciary and law enforcement is itself a huge challenge. The numbers are at the minimum a 1,00,000 policemen and judges to provide the very basic investigation and forensic assistance at every police station and court house.

The greatest risk to a large citizen owned digital asset base is twofold. The first is the exploitation of unprotected or inadequately protected assets by cyber criminals. Compromised assets are used to steal money from cybercitizens themselves as well as a staging point to launch attacks on others.  The second and more importantly are the security issues introduced by the non-ethical and unsafe use of social media and technology by young Indians.

There is no doubt, a young India will immensely benefit from the opportunities that cyberspace brings and that we should gear up to openly embrace its spread and use. But, at the same time we need to instill in every Indian a culture of cyber ethics using traditional Indian values and the ability to protect themselves online. Online, as there is no attribution, no valid authenticity to digital content and crime being global, the opportunity for manipulation by exposure to content such as pornography, radical ideologies, divisive political elements and advertisement is immense.

Cybercitizens themselves, and not politicians will have to shape the future of this new world. A world which at minimum requires every school to have cyber-safety and ethics courses as part of their curriculum. A few awareness lectures will not suffice. We need to instill deep values in our children. More importantly given the divide between parents who grapple to use the Internet and their children who are digital adepts, attention has to be paid to the cyber safety education that parents receive to help them guide and be good role models to their children. Unfortunately there have been many cases where adults set a bad example themselves through their online comments and actions. For parents wanting to understand the basic of cyber risks  and their prevention faced by children, please read my short awareness course titled "Keeping your child safe online".

The Internet of the future will be all pervasive and bring in opportunities for children of all ages. Let us not fritter it away by not preparing our children to use it safely, securely and without fear.

How to recover money if your credit card was used to make a fraudulent online purchase

To make an online credit card purchase cybercriminals must have knowledge of the information on the front and back of the credit card, namely expiry date, cardholders name and CVV number. Online, it does not matter whether the credit card used the stronger chip and pin technology or the old fashioned magnetic stripe as the physical card is not needed.

Credit card information is a highly perishable asset in the underground market whose value is largely determined by its validity, and enhanced if additional information such as the owners buying behavior and home location is known.  Stolen credit card data is sold in batches using dedicated websites or forums to criminal outfits which either resells them in smaller batches -, much like a retail supply chain comprising of producers, distributors and resellers. At each stage the buyer may resell the same information multiple times. With time the value of the cards drop as the percentage of non-valid cards in a batch increase. To validate if a card is active; criminals use a process called “carding”. Carders will take a batch of stolen credit cards and attempt to use them to make small low-value purchases to verify the card works.

The continued spate of data breaches is a clear indication of the thriving market for credit card information. Once stolen, criminals normally are in a race for time to extract as much money as possible, usually within the first few weeks of a breach.  They exploit two time windows; the first between the actual theft and the victimized company notifying its affected customers and the second is the time taken by a notified card owner to deactivate it. The entire window of exposure from theft to card deactivation can range from between a few weeks to months. Data breaches are just one of the ways by which thieves get hold of credit card details; information could be obtained from normal use at stores, hotels, copies we make for visa’s applications and so on.

To facilitate a more secure online experience credit card companies have instituted an additional authentication measures called 3D Secure which requires a user to enter a preregistered secret code.  Unfortunately, getting past this additional authentication mechanism is not difficult as the cybercriminal could easily guess the code; reset it with publicly available information such as the credit card holder date of birth and mother’s name or as in most cases phish the information.  Very recently, the system seems to have been made more secure using a One Time Password sent directly to a mobile phone instead of having to enter a passcode. One lacuna is lack of an alert if an incorrect password was entered, which would indicate a criminals attempt to use the card online. While the OTP system is much more secure it can be compromised if your phone becomes infected with sophisticated malware designed to pass on such SMS’s to cybercriminals, but it will negate the value of bulk stolen data in underground markets.

The best way to protect against fraudulent losses is to maintain vigilance of transactions made and to swiftly block the card the moment a fraudulent transaction occurs. In India, credit card companies send a SMS alert to the card owner each time a transaction is made. If that fails, the next option is to scan the monthly credit card statement. Quick deactivation of the card helps to curb losses and to claim insurance.

Choose a credit card where there are few caveats and hassles to claim a refund for fraudulent transaction is a good idea. When signing up for a card, it is always a good idea to find out what the fine print reads when claiming a refund.  Most of these come with caveats, for example the value of the insurance, valid time to make a claim, in some cases the refund is applicable only if the fraudulent transaction is reported within 24 hours or if the card was previously reported as stolen.  Insurance payouts may be higher if transaction used 3DSecure authentication and some insurance companies may allow you to claim within 15 days of receiving your credit card statement. Most require that a police complaint is filed.

While the main intention behind this article was on online fraudulent purchases, in countries which still use magnetic strip cards, the stolen data is used to clone cards which are then used to make in store purchases. Chip and pin users are safer as the technology is difficult to clone. In many countries no alert is issued through SMS. If you are aware that your card was stolen, then report it immediately. The other advice remains the same as in online frauds.

Four ways your password is hacked by criminals and your best friend

Compromise of authentication credentials to gain access to online services is the weak link most often exploited by cybercriminals and casual hackers. Empowered with the genuine authentication codes the cyber intruder usually abuses the stolen identities to earn money through money transfers from Internet Banking accounts, online buying and selling, or cashing gaming points. The casual hacker is usually known to the account owner and hacks for fun or for revenge planting fake posts on social network sites, viewing personal pictures or reading personal emails.

Authentication Credentials are exploited in fours ways:

1. Passwords that are simple are easy to guess or crack using tools by cyber criminals. The secret questions used to reclaim a forgotten password in many cases are easier to guess than the password itself. If these passwords were reused on other more important sites, the cybercriminal gains access to those services too. To avoid, these types of attacks, cybercitizens should use strong passwords and difficult to guess secret questions and not reuse them. 
2. In large data breaches the entire password database was stolen by the misuse of privileged access rights by trusted insiders, compromised administrative authentication codes or via an application flaw. In this way the cyber intruder obtains a large bulk of passwords which are used to compromise accounts on the affected services as well as on other services where the password may have been reused. To avoid these types of attacks, cybercitizens should regularly change their passwords, not reuse them and if notified about a breach immediately change the password.
3. Sophisticated malware that has been unintentionally downloaded as part of free software or during a visit to malware infected sites helps steal authentication credentials from user devices.  Such malware intercepts user credentials when the user logons to online services. Sophisticated malware besides stealing authentication credentials can intercept one time passwords sent from financial sites via sms, which when used in conjunction with spoofed sites are highly effective in compromising a user’s financial transactions. Cybercitizens should install a reliable antimalware product that blocks malicious sites and filters malware. Though not foolproof, it helps reduce the risk. To avoid spoofed sites, it is best to check the ownership and validity of the SSL certificate by clicking on the padlock in the address field of the browser.
4. Passwords, in many instances are naively handed over to cybercriminals impersonating law enforcement officers, bank officials or even as IT support. Cybercitizens are tricked into believing that these requests to share passwords come from genuine and authoritative sources.  To avoid such types of attacks cybercitizens should never share their passwords, as no organization will ever ask for them by phone or mail.

Why countries where porn is illegal do not ban Internet porn sites?

It is quite well known that except for a very few countries that allow it, in most others the creation, distribution and consumption of pornographic content is not permissible. Actually, it is illegal and usually punishable with a prison sentence. Governments which allow porn, benefit from the 100 billion dollar or more Internet pornographic industry.

Today, the concept of soft porn which raged in the eighties no longer exists; it has been replaced by what we call sensual advertising. What is easily available on the Internet is hard porn showing erotic fantasies and sometimes violent or abusive sexual acts. Most of the pornographic sites do not even have the mandatory age notification and directly host hard porn on their home page. The ill effects of pornographic content on impressionable young children, starting from as early an age of eleven, are well known. Normal relationships and sexual acts are redefined, and as a consequence unnatural sex such as anal sex is on the rise.  It is a documented statistic that such acts reshape the perception of women in society and have led to a rise in cases of sexual misconduct and violence.  

Mobile phones and fast internet connections are making it easier for children to consume porn at odd hours, in schools and colleges and everywhere else. Entrepreneurial shopkeepers in India have seized on a business opportunity to sell preloaded memory cards with downloaded pornographic content to their customers who do not have an Internet connection. Instant messaging apps have made it easier to sext- sending nude or seminude selfies to partners. In many countries a nude selfie would actually contravene the law and one taken by an underage child would invoke the harsher penalty of child pornography.

Most companies rely on content filtering technologies and strict penalties to block pornographic sites. They are quite successful in blocking porn use with the added benefit of limiting exposure to malware that is normally found on illegitimate sites. Similar technologies, though not fool proof, can block the casual user from stumbling on pornographic material. Most countries have already mandated their telecom service providers to install technology to filter Internet sites based on court or government directives, as it is difficult to shut down sites hosted on Internet servers in other countries. True, these filters can be bypassed by proxies and there is the difficulty of pinning down the addresses of fast moving illegal pornographic sites but it would still restrict usage. Porn censorship will certainly limit the use of pornography, much in the away that prohibition cuts down alcohol consumption, though it still remains available through a thriving black market.

Personally, I believe the big reason why governments fail to censor is because of the assumed effect on their vote bank. Young voters in the digital age consider paramount their “freedom of expression online”. In reality, most of these digital citizens are themselves concerned as to the ill effects of pornography and would endorse any attempt to filter these sites, provided the decisions to filter are made transparently.

Terrorist and antisocials use Twitter to spread their ideology, spark hate or to gain notoriety

Militants from Islamic State (Isis) are so dependent on broadcast sites like Twitter that they recently threatened to kill Twitter employees if they continue to shut down their accounts used for propaganda. The group use hashtags of major events such as the World Cup to disseminate pro-Isis content, in addition to using various Isis-specific hashtags. Hashtags such as #WorldCup2014 allow Twitter users to easily search for related content.

As cybercitizens increasingly use closed group instant messaging channels like WhatsApp for their private conversations, twitter still remains a favorite public broadcast medium for extremist groups who propound their ideology to gain more recruits or to establish legitimacy, politicians who generate hate campaigns to polarize and gain votes, and individuals who deliberately write sensational comments to draw attention to themselves.

The ability of Twitter to police rogue usage is minimal. Many times their posts fall in “grey” areas of offensive versus inoffensive content, making it difficult to moderate. In most cases, deletion or inactivation of accounts happens much after the damage has occurred. This does not prevent the perpetrators from establishing alternate or slightly different twitter id’s to resume their propaganda.  Most of these rogue accounts cannot be acted upon by law enforcement because those countries from where they operate do not have effective law enforcement or they do not consider it a crime yet.

Inciteful posts have high impact, and are often unsubstantiated. Being public broadcasts they rapidly go viral and reach a large global audience. Posts such as those sent by ISIS have been effective in influencing youngster to join their ranks from across the world. Youngsters, taken up by these messages sign up for a cause from which there is no return even when the harsher realization dawns.

Governments, have an active interest to not bar these tweets, as they form a rich source of real-time information, in many ways more useful than covert intelligence. Sympathizers in countries with effective law enforcement may put themselves into trouble, if they draw attention through retweet or likes.  Of late, governments have attempted to spread counter messages to negate the effect of these broadcasts.

Indian Internet Addicts: Boy stabs mom for cutting internet access while another finds a Facebook Mom

It takes shocking incidents to bring to fore what is a rapidly growing problem with children; a predisposition to the excessive use of the Internet while avoiding studies, social interactions and physical activity. Recently in the Indian city of Pune, a 15-year-old student addicted to the Internet turned violent and tried to attack his teacher mother with a kitchen knife when she tried to take away his smartphone. The student spent hours on different messaging platforms and had around 500 friends, most of whom he had never met in person.  He even borrowed money from nearby shopkeepers to recharge his mobile. The boy was so addicted that after being taken for counselling he stripped naked in protest at the hospital and threatened to harm himself if his net access was taken away.

Online chatting offers children a way to escape emotional problems and they start to think that these online friends care for them more than their parents. Imagine the confusion last week in another part of India, when a twenty year old decided that an elderly nurse he met on Facebook was his “mother” and wanted to swap his real parents for her. The Facebook mom landed up at her “son’s” door, to add to the confusion of his parents, where he clasped her hand and expressed a desire to go with her.

According to Indian psychologists and child counsellors there is a 40 per cent year-on-year rise in the number of Internet addicts aged between 8 and 18, driven by the easy access to technology, peer pressure and messaging apps.

The most common form of Internet addictions are cybersex, online gaming, and cyber-relationships.

• Cybersex is the compulsive use of Internet pornography and adult chat rooms. 
•  Cyber-Relationship addiction is an addiction to social networking, chat rooms, texting, and messaging. 
• Online Gaming  addiction is compulsive online gaming with virtual friends and currency. 

To find out is your child is vulnerable to Internet addiction, watch for these behavioral changes:

• Becomes irritable or agitated when time online is interrupted. In the case of the Pune student he turned violent, threatened to harm himself and even stripped naked.
• Withdrawal from activities that involve socialization with real people. Most addicts isolate themselves from people and spend most of their time with virtual friends
• Spends a lot of time online at all or odd hours. Addicts constantly message driven by the urge to respond to their online constituency instantly. They carry their phone everywhere even to the toilet.

The only way to prevent such situations is to build an open relationship with your child, while limiting technology use, constantly watching for signs on addiction and to the extent possible supervising online behavior.  At the outset, set the rules of Internet use clearly distinguishing between productive Internet use for homework and nonproductive use such as social networking. Timely intervention could help prevent and reduce cases of Internet addiction

Speaking@I5Talks on Building a cyber-resilient & secure cyber space for industry and cyber citizens

It was a great delight to speak at the Tenth Edition of i5 Talks on “Building a cyber-resilient & secure cyber space for industry and cyber citizens " organized by Tech Mahindra.   The talks brought together insightful perspectives from the leading lights of the Indian security industry in vibrant talks and panel discussions. Speakers included eminent CISO’s, entrepreneurs, researchers, bloggers, consultants and hackers. I spoke on the three big risks to cyber security and resilience. The first was, what happens to a nation if the power grid is shot down by cyber-attacks and fails for long durations, the second demonstrated how exposed cyber citizens are due to the ubiquitous and seamless use of cloud storage and thirdly, the high level of organizational skill and investment, cyber criminals put in to commit high value cybercrime on financial institutions. A short summary of the speakers and their takeaways are:

Aseem Jhakar -  Director , Payatu Technologies

• Lack of communication between the hacker community and the industry is a big problem. Hackers are seem as untouchables except when they are needed he most
• Bug bounty trends are increasing and rewards are sufficient to sustain a hacker’s income
• Industry has maligned the word “hacker”. Today, the word and community is associated with criminals.

Vishal Salvi Chief Information Security Officer, HDFC

• Companies need to transform and build a new security architecture to meet new and emerging threats
• Industry competitors need to collaborate to build secure supply chains to ensure that common suppliers do not skip investing in security
• Agile security should be the new paradigm. The current models of reacting to incidents or building defense in depth is too slow to combat the spate of attacks
• Security is today beyond CIA and assets – looks towards the business

Keith Prabhu, Chairman, Cloud Security Alliance, Mumbai chapter

• We need to brave the risks of using the cloud by using secure technology. We cannot go back to the bullock cart age because cars today are unsafe
• It is a matter of time before we see the first big attack on a cloud provider. They are a big target that cybercriminals cannot ignore
• The case of a refrigerator sending spam, is simply the tip of the iceberg as far as the Internet of things is concerned

Dr Zia Saquib, ED CDAC

• The Indian Government is researching on the use of alternate protocols to IP for setting up our secure critical infrastructure like nuclear stations
• The Indian Government has allocated large funds to the enhancement of IT and security

Shomiron Dasgupta, founder NetMonastery

• Entrepreneurship is difficult and needs perseverance
• Signal protection will be the next security wave

LS Subramaniam CEO NISE and Blogger

• Consumer education is a must to thwart cloud risks as they are easy prey for social engineering attacks

Puneet Garkhel, Head-Fraud Risk Practice, Mahindra Special Services Group

• Many miss the gorilla in the room when focusing on routine tasks
• Fraud happens because enterprises miss the obvious

CLOUDSEC 2014 Internet of Everything CNBC Telecast

For those who missed attending Cloudsec 2014 at Mumbai, CNBC TV 18 has put out a 30 minute condensed version with the main messages on Youtube.  Cloudsec 2014 brought in expert perspectives on the security of cloud services and the fast growing Internet of Everything

Life-sized celebrity nude pictures draw attention to artist XVALA’s Internet privacy campaign

There was public outcry when the Los Angeles artist XVALA, nee Jeff Hamilton announced last week that his upcoming exhibition titled “No Delete” would include the recently leaked nude private images of Jennifer Lawrence and Kate Upton.

Lifesize and uncensored, Avala’s campaign called “Fear Google” as part of the ongoing privacy debate to protest over how large online businesses and search engines have turned an individual’s privacy into everybody’s business. AVALA’s earlier exhibitions had featured celebrity images, including a portrait of Britney Spears with her shaved head and nude images of Scarlett Johansson (at that time with the private parts covered with “Fear Google” logos). Early last year, he melted down trash collected from Jobs' home to build a sculpture of the Mac creator, complete with iPhone in hand, to demonstrate that individuals are “giving out all our information to the Internet just as we give our trash to the world." Besides Job’s, he targeted other leading figures like Mark Zuckerberg. His projects titled the "Not Very Well Hung Hangers Of Silicon Valley," was to build items from the personal belongings of people whose companies profit from the collection of our data.

XVALA used GOOGLE to find the addresses of Internet leading lights, and to mine for the compromised images either inadvertently posted or leaked by paparazzi or hackers.

He rightly states that once we share our images with technology our privacy is at stake. The tradeoff between free online services and privacy is raging and in the next few years, judging by the way the industry is moving there will be better privacy protection for users both paid and unpaid of online services. But, till them we all remain at risk.

Interested in Celebrity nudes! Are you not concerned about your own sexted photo?

Most of us have read or heard that on many online anonymous bulletin boards, were posted over 100 nude photographs of prominent celebrities like Jennifer Lawrence and Kate Upton. These celebrities had two things in common; firstly they used Apple iCloud to back up their store of photographs and secondly, many had deleted the published pictures one or two years prior.

Obviously, nude pictures or videos of celebrities are worth a lot of money to collectors who bought and sold these pictures on underground forums. Hackers targeted celebrity accounts for these pictures because of their high demand in the underground markets.  Reports suggested that hackers compromised iCloud accounts by either guessing the account password or the answer to the secret question, and probably held on to this access for several years because the account owner never changed the password or the answer to the secret question.  iCloud’s password protection services during this period lacked basic security features such as alerts on backups or one time authentication passwords which would have prevented this type of known attacks. In the near future, we may see an enriched set of security features such as one time authentication.

Nude photographs of celebrities certainly made hot news and sparked universal outrage, security awareness and a FBI hunt for these hackers. Yet, online sites such as the bulletin boards which notoriously benefited before they self-censored under the threat of legal action, have gone scot free.

Once online and public, these photographs besides finding their way into the hands of many individuals, have found home in several interesting places such as pornographic sites and even to an upcoming art event called “No Delete” in Los Angeles which will print onto life-sized canvas the leaked private images of Jennifer Lawrence and Kate Upton.

While we dwell on the sensational and juicy fallout of these nude revelations, all cybercitizens particularly those that sext should pause and reflect. Surely, it could have been your photo that is on one of these sub groups, porn sites, revenge site or circulating among peer to peer networks among your partners friends. Like collectors, partners may over a drink share or compare pictures in competition or conquest. To protect one self, reflect on the potential fallout when you create, transmit or store sensitive personal information that may be used against you by third parties that get their hands on it or when relationships sour. Would you regret a nude picture taken five years ago that suddenly appeared when you are happily in a relationship or be able to laugh it off? – Do ask yourself?

To find out what one must do to secure your password and be aware of cyber risks to personal privacy, do download and read my book “StaySafe CyberCitizen”

HOW DO YOU KNOW IF YOUR CHILD IS SAFE ONLINE?

I was delighted to have conducted my first tutorial for parents on "How to keep children safe online" on Teachers Day, 5th Sept. It was a proud moment and I was able to receive feedback from enthusiastic parents on how to improve the material. The audience was very touched and emotional as I showed them the video on Amanda Todd and explained to them what happened to her. For many she remains a teacher and a hope. The tutorial description is given below and for those interested; the training content “Keeping your child safe online” is available to download.

Cybersecurity Awareness for Parents

Is your child safe while using the Internet is a nagging question that all parents seek to answer? While parents are convinced that the every child must know how to use the Internet, most are unaware of the extent of cyber risk and the vulnerability of their children to them. Cyber-criminals will continue to reach your child in the confines of your homes, schools and in crowded places. Threats cannot be wished away, left to others or simply ignored. We need to assess such threats, take prudent steps and use best practices to reduce their danger.

Parents who are digital immigrants as compared to children, who are digital natives adept at navigating the bylanes of the Internet, find themselves at odds to guide and mentor their children on their online behavior. The session Keep Your Child Safe Online exposes parents to real life cyber risks and provides guidelines to identify vulnerable children and steps to protect their children from cyber risks.

Spend two hours in a frank, open and interactive guided session with cyber expert Lucius Lobo, author of the book “Stay Safe CyberCitizen” to understand the dark secrets behind the Internet and simple steps to protect your family.

 

Beware, your email id and possibly your password is with atleast one organized cyber-criminal gang

South Korea is a perfect example of a soon to be interconnected world where all its citizens have high speed broadband, regularly access online ecommerce and e-governance services and where online activities like games form a major part of social interactions. Large scale online services centralize the aggregation of user credentials such as email ids and passwords, making these online stores a juicy target for cybercriminals and offensive nation state actors.

Cyber criminals who obtain possession of these caches of personal data sell it to organized gangs which specialize in email frauds or who withdraw small sums from the online balance in gaming and other financial accounts. Nation state actors may use these credentials to disrupt vital economic operations by shutting down or altering the integrity of operation of financial system or utilities.

Not only are these credentials hacked through the exploitation of online vulnerabilities and poor system security design, but they are breached by trusted insiders with privileged access who steal and sell it for a fee.

Four major incidents, in South Korea, all in the last year where almost 50% of the credentials of the nation’s population were stolen, highlighted the impact and ease of exploitation of these online stores. According to press reports:

·             A group of hacker’s successfully compromised 220 million records of 27 million people from online gaming sites

·             Hackers broke into the popular Nate and Cyworld websites extricating names, email addresses, phone numbers and resident registration numbers of 35 million users.

·             Regulators fined three credit card companies after 20 million residents had their data stolen by an IT contractor.

·             12 million names, resident registration numbers and bank account details stolen from telecom company KT Corp were being investigated by the government.

These incidents will not remain isolated to South Korea but will happen across the world, as in-country online services proliferate.

Email addresses are no longer secret; they are freely given away by people on business cards, survey forms or even to solicit advertising mails. These emails have been aggregated and compiled into large databases which are sold globally for a small fee. There are also programs which trawl the net searching specifically for email addresses. Given the scale of data breaches or aggregation of email information, every cybercitizen should consider their email to be in the hand of atleast one organized cybercriminal ring.

Given, this assumption one should expect to be a target of an email scams or deliberate attacks to steal banking credentials or to install malware that will later be used to steal banking credentials and personal data. To minimize the impact of such adverse fallouts cybercitizens must ensure that they do not use the same password on multiple systems and use unique passwords for key banking and other services that can affect their wallet or reputation. Frequently changing passwords reduces the window of exposure and consequently losses. The other important consideration is to keep an eye on email scams. To know more do read “Online Email Scams a multibillion dollar business or not? You decide”.

To prevent malware, ensure that you do not log onto your computer with administrative rights when using the Internet. Create another profile without administrative rights for Internet use.