Sunday, October 12, 2014

Do Indian matrimonial sites guarantee the privacy of your most sensitive information?

I personally believe users of some of the Indian matrimonial sites face the risk of unconsented use of their sensitive personal information. When, I read the privacy polices of these sites, it felt quite apparent that there was a genuine lack of understanding as to what was needed to protect the privacy of the sites users. I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and to ensure the deletion of personal data when the matchmaking process is finished.
Users of matrimonial sites fully disclose sensitive personal information to make a match. Initially in the matching process their profiles remain anonymous, but as the selection narrows down, the level of disclosure increases as the parties interact on the site. Personal information includes a person’s name, email  address, sex, age, mailing address, credit card or debit card details  medical records and history , photograph, sexual orientation, biometric information,  interests, information tracked while navigation, horoscope and occupation.  If other services linked to the sites such as chats are used, the contents of these chats may also be recorded. Interestingly, some sites also allow users to submit public and private information on behalf of others like child, relative, and friends without their explicit consent.

Information stored on these sites is used for advertising and shared with partners companies. None of these sites stated what data was shared (I presume all of it) and for what purpose. Sites have to be transparent and obtain explicit consent of users on the way in which personal data is used. Under data protection laws, blanket permissions are not allowed.
Most of the sites were nonspecific about their process for deletion of personal information, in full or part, when requested by the user. One site stated that the deletion of information would take a long time because of residual copies on servers and could not guarantee their removal from backup systems.

What was left ambiguous was information on the sites mechanism to ensure anonymity of personal information at all times, except when the user consented to selectively disclose information to a selected match. While this is an implicit assumption, it was never explicitly confirmed. The two questions that came to mind was a) on how the employees of these matrimonial sites were authorized to access to the data and b) whether the data was secured using encryption. Reading through disclosure made by sites on their security mechanisms, my conclusion was that most of the sensitive data lies unencrypted (except for credit card information). Some sites openly disclaimed their inability to secure the data.
In event of a data breach, matrimonial sites would be liable to pay compensation or penalty under section 43 A of the Indian IT Act. To avoid penalty they need to prove that their security systems were adequate enough to secure sensitive private data. Without encryption, the ability to fully delete information and restrictions on sharing copies of personal data with advertising partners, it would be difficult to convince a court that reasonable practices were in place.

To reemphasize;
I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and ensure the deletion of personal data when the matchmaking process is finished.

Saturday, October 11, 2014

CyberCitizens logout of in country hosted messaging apps services

Instant messaging apps hosted out of a cybercitizens country of residence have become a favorite after fears that the home government could look into chat logs for evidence that may ultimately be used to prosecute the sender or receiver of the chat messages.  When the NSA PRISM spying episode unraveled, the loudest protests were from Americans.  A similar story appears to be playing out in South Korea where over 1.5 m users have abandoned their Korean messaging app service  Kakao Talk used by 70% of the population for the Telegram Messenger - an encrypted messaging service based in Germany, with no servers in South Korea. The secret chat technology ensures that the messages are not stored on the company’s server, self-destruct and are encrypted and therefore they cannot be handed over to law enforcement.
The underlying reason for the exodus has been the crackdown by law enforcement on people allegedly spreading rumors about the president of South Korea on Kakao Talk. Rumors were spreading due to the public discontent on the way the South Korean Sewol ferry disaster, where 304 people died was handled.

Cybercitizens seem to have more trust in foreign governments who have no apparent incentive to trawl their data. Receiving data from foreign sites even for genuine cases of cybercrime or harassment is an issue for law enforcement as they need to get appropriate court orders. Requests also have to be made before logs are deleted, these are usually retained for a limited time, usually a month.
Encryption is a two way sword it protects the privacy of the good and the bad. Terrorist, cybercriminals and other such elements can always use these apps. For this reason there will be pressure from law enforcement on any provider of encrypted communication to ensure that there is a way to decrypt the message. Encrypting a message which cannot be decrypted only protects the content of the message, other details such sender, receiver, attachment size, date and time, ip addresses (and hence location) of both sender and receiver would be still available.

Thursday, October 9, 2014

Conmen use fake matrimonial profiles to scam prospective grooms seeking arranged marriages

News reports of matrimonial scams are becoming increasingly frequent in India. Undertaken by lone operatives, these cons put up attractive fake profiles on dating and matrimonial sites to lure prospective suitors into online relationships, and then pry small sums of money from them. Once drawn into emotional relationship, the con asks for small sums of money to fund a medical emergency or a friend’s urgent need for cash. The sums are small enough not to arouse suspicion until the con vanishes. When a request for money is made after several months of building an online relationship it becomes difficult for the victim to exhibit a lack of trust by questioning the need for money or denying the request.

Participants on these online matrimonial sites exchange personal information during the get to know each other period. Personal information and pictures may later be used to tarnish reputation for blackmail or revenge. Most of these sites do not offer any validation or verification as to the authenticity of the profiles on the sites. It would not be appropriate to engage with any prospective suitors online without real world verification. Users of matrimonial sites should bear in mind that the conmen have a lot of patience and engage multiple victims simultaneously for months. A request for money is usually a warning indicator.

There was also the interesting case of a man suing a popular matrimonial profile for allegedly putting fake profiles of beautiful girls on their site to lure members to take a paid membership. When the man subscribed and found that none of the attractive girls seemed interested in his profile, he faked several profiles which met their requirements of an ideal groom and found a similar lack of response. This led him to conclude the profiles were faked, and besides having been cheated of the subscription fee, deprived him of his self-confidence.

Tuesday, October 7, 2014

Stalker Apps - the first arrest

In a blog I wrote four years ago titled “I can spy on your mobile and read your SMS”, I highlighted the fast growing mobile spyware product market producing stalker apps which monitor a victims’ phone calls, text messages, videos, emails and other communications "without detection" when installed on a target's phone. These apps were advertised as solutions to keep track of cheating spouses and to monitor the online activities of children. Obviously, there are a variety of nefarious ways stalkers, domestic abusers, cybercriminals, private detectives, and inquisitive colleagues can use the app for; such as corporate espionage, snooping on the private lives, and monitoring employees – all without the victims’ knowledge.
Use of these apps violates laws which mandate that any surveillance on individuals has to be done with a court approval and by law enforcement.  Over the last four years, these applications have become even more sophisticated with features that send alerts when a mobile phone crosses a certain geographic boundaries, records and forwards incoming and outgoing calls, forwards messages based on keyword triggers and even allows remote activation of the app in order to monitor all surrounding conversations within a 15-foot radius. These apps are available for all versions of mobile operating systems and messaging application such as SMS, WhatsApp and Email. The very fact that there are atleast four companies subsisting through online sales indicates that there is a thriving market place for these apps.

In what is a first, a US District court has arrested the founder of one such company and charged him with conspiracy, sale of a surreptitious interception device, advertisement of a known interception device and advertising a device as a surreptitious interception device.
While this is in itself is a positive development, much more activism is required from the judiciary and law enforcement to take cognizance of the many ways individual privacy can be compromised online using surreptitious devices or by misusing personal information without consent.

Saturday, October 4, 2014

Large data breaches enable sophisticated profiling making cybercitizens vulnerable to frauds

JP Morgan reported that 76 million households and 8 million small businesses were exposed in a data breach. The firm in a SEC filing disclosed that user contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised. The immediate impact of the breach on cybercitizens may be limited given that the bank also stated that there was is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
What remain unexplained is the rationale behind the cyber breach and the value that cyber criminals would extract from it. Banks invest large amounts of money on security. JP Morgan would have done no less. This gives us a clue as to how determined and sophisticated the cybercriminal ring was. Cybercriminals operate for financial gain and apparently invested a lot of money to penetrate the bank. What we do not know is whether they successfully completed the acquisition of the data they wanted before they were found out, and if so, it would be apparent that the extracted data was valuable to them.
I wrote in a previous blog “Beware, your email id and possibly your password is with atleast one organized cyber-criminal gang” on how the large scale aggregation of personal data in large banks, egovernance services and popular service provider’s makes them juicy targets for cybercriminals and offensive nation state actors.
 In my opinion, the real value behind large data breaches is the enrichment of underground criminal data bases which profile cybercitizens. Such databases, built by accumulating personal data stolen from multiple breaches allow the execution of fraudulent attacks in a manner designed to bypass security mechanisms and existing methods of fraud detection. The pairing of information from two of the recent big US breaches, at JP Morgan (bank) and Target (retailer) would tie together a user’s credit card information with their home address thereby allowing cybercriminals using cloned credit cards to mimic buying behavior which allows their fraudulent use to go undetected for a longer-time or even provide sufficient information to answer user verification questions for call center services.  While companies notify stolen data mandated by law they may exclude details of other stolen data which may allow cybercriminals to contextualize each user – for example data on their financial status based on products subscribed.
Once a critical mass of user data is acquired, enriching the database by linking it with self-disclosed data found on social media is a simply task for criminal call centers. In the coming years these mature databases when used with sophisticated algorithms (which guess passwords for example), will be used to defeat existing security mechanism for password resets and fraud alerts creating a major challenge for the security of our online infrastructure.

Falling victim to fake lottery scams

The Audit - A funny take on how some employees view the importance of security audits

Friday, October 3, 2014

Launch of the LuciusonSecurity Security Awareness YouTube Channel

There is no better occasion than the  Indian festival of Dussehera which commemorates the victory of good over evil to launch the LuciusonSecurity Youtube channel which will feature security awareness talks, training and cartoons. The first video is a short cartoon titled “The Lottery” which highlights the plight of unfortunate victims who fall for the fake lottery scam.

Eleven Pledges a Good Cyber Citizen Should Take to Stay Safe Online

1.    I pledge not to cyber bully and act as an active or passive participant in cyberbullying. Wherever I see it, I will condemn it and inform my parents or teachers.

2.    I pledge to not make inappropriate comments on social media, blogs and websites because they are hurtful. I will ignore cyber trolls and their nasty comments wherever I come across them

3.    I pledge to not disclose personal information and pictures which may embarrass the person who sent it to me without their explicit consent

4.    I pledge to pressurize online service providers that use my personal data for advertisement and other commercial activities to act in a responsible manner which protects my privacy and dignity

5.    I pledge to pressurize online service providers to invest in security solutions that make their services, more private and secure. To show their commitment to strong authentication, transparent disclosures, data breach notifications and hassle free filtrations of inappropriate content.

6.    I pledge to not indulge in any immoral or criminal activity either for fun or profit such as the hacking of colleagues or partner’s social media accounts, sending anonymous insulting messages, harassing, posting pictures of sexual nature on revenge sites, stealing from online accounts of family members, selling household items online without consent or setting up online scams for quick money.

7.    I pledge to take onto myself the responsibility to ensure that my personal (and family) digital devices are made secure and kept free from malware. I will learn to set and keep configured minimum technical security controls such as software and patches.

8.    I pledge to take on the self-responsibility of protecting myself from cyber risks by keeping  aware of cyber risks and the means to safeguard against them

9.    I pledge to not fall victim to online solicitations from online scams the promise quick gains from money transfers, weight loss, international dating, lottery wins or whatever the enticing offer may be. Each time, I receive such solicitations, I will GOOGLE to verify their authenticity.

10.  I pledge to be a good cyber parent and to take on the responsibility of keeping my children safe online and to be their role model for ethical online behavior.

11.  I pledge to abide by my companies security policy and online code of conduct irrespective of my personal beliefs.


Thursday, October 2, 2014

Six Actions Cybercitizens can take as part of the National Cyber Security Awareness Month (#NCSAM)

The National Cyber Security Awareness Month (OCT 1-31) organized in joint participation between the public sector partners and the US Government is an opportunity for citizens to better understand  cyber security risks, cyber ethics and to own their part in the  collective responsibility  of making the Internet  a safer place. Reduction of cyber risks will not come about even after large cyber security investments, technology advances, improved laws and the best efforts of law enforcement. It will only occur if cybercitizens use situational awareness and common sense as they go about their digital lives. 

Start now with Six Simple Actions to keep you safe

  1. Start a family discussion on cyber risks that every member may face when they connect to the Internet.
  2. Audit the security measures on your digital devices. Ensure the antimalware program is updated, the latest operating system (Windows, MAC) patches are applied and each device is password protected using a strong password.
  3. Immediately reset passwords to online accounts that are not strong or unique to each service.
  4. Self-pledge to think before you post, email or message personal information and pictures that may damage your reputation if widely publicized
  5. Keep and offline back-up of data stored on the cloud.
  6. And if you are a parent, accept the additional responsibility of understanding cyber risks that your children face, the means to mitigate them and to be their guide to online safety. Get started with my short primer titled "Keeping your child safe online".

Program and participation details for NCSAM are available at the following link