Thursday, August 20, 2015

Should one fret over the leaked Ashley Madison data?

Several news sites have reported that 15 GB of identity data stolen last month from online has been made available on the darknet. Three sites have since sprung up with allows interested parties to query the site to ascertain the identity of Ashley Madison users. allowed married people to have short extramarital affairs. While the morality of the services provided may be questionable, and is perhaps best left to judgment of individuals, there is a serious risk of reputation damage if the data is fake.
There are several reasons why it may be. Firstly this is not the first leak to appear online; there have been several in the span of the last month. Then, there is the question of the validity of the email address and other details which were never verified. There is always a probability that a prominent person or an associate’s identity was used to create a profile. From one analysis, it seems that 90% of the users were male and most of the female profiles were fake. If this is true than users subscribed but may not have been able to use the site. Many users may have subscribed due to curiosity or for fun. Some articles seem to suggest that once subscribed removing a personal profile from the site was not easy. Finally, there is a strong suspicion that some of this data may have been amalgamated from other breaches.

On the flip side there seems to be several reports of individuals claiming to verify that they were users of the site and confirming their email ids in the released data.
Whatever, may be the truth, I would like cybercitizens to know that though it seems to be a sordid affair not to disrupt your personal lives purely by data that cannot be verified put out on the net. 

Tuesday, August 18, 2015

8 steps to prevent a stolen phone from ruining you digital life

Smart phones are lost because they were accidental forgotten at public places or stolen. A phone today, is a cybercitizens gateway to their digital life. It allows use of apps for services such as for banking, social networking and taxi booking, storage for personal pictures and videos, email, instant messaging and telephony.
Most phones have an Internet finder program which helps to locate phones connected to the Internet. The service works well, if the phone is forgotten at places which are likely to have a lost and found counter like airports and restaurants where the staff is unlikely to pocket it. More often, the key risk is the loss of battery life effectively shutting down the phone. Even when a phone is lost and picked up by a person wanting to return it, a study has shown that most of the people browse private data like contact and pictures, understandably to locate the owner.
Most thieves quickly switch off the phone and remove the SIM card to effectively disable the Internet finder applications. When a phone is stolen or lost there are three risks that the owner face.
Financial Loss
Typically, you lose the value of the phone and the additional cost of calls made from the phone which obviously, one has to pay for. While there may be insurance that can be bought to recover part of the cost of the phone; to prevent fraudulent calls the cellular provider needs to be quickly alerted to deactivate the number.  Ensuring that the phone is protected by a strong screen saver password will mitigate the risk of expensive calls.
Reputation Loss
Many personal applications like Facebook, twitter, email or such social media accounts are logged on and can be accessed without a password allowing personal information to be read or malicious comments to be written. Such comments may affect personal reputation or be defamatory which may results in soured relationships or legal action. Hereto a strong screen saver password can help. If the thief is unable to crack the password, the simplest action would be to format the phone, reload the operating system and sell it in the black market
Privacy Loss
Privacy can be lost in two ways. By viewing data stored directly on the phone memory or on memory cards such as personal pictures, by reading private posts, email and by looking up the browsing history. Private data such as sexting pictures of other individuals received and stored on the phone may compromise their privacy.
Four steps that cybercitizens should take to reduce the risks to themselves and the incentive a thief gets from a stolen phone:-
1.        Set a strong password and short lock screen timeout.  If your phone provides the option to erase data after several unsuccessful tries to enter a passcode, typically 10, activate it. New phones disallow the formatting of the operating system without a password thereby rendering the phone worthless and reducing the incentive to steal it. A strong password or passcode has at least 8 characters that include some combination of letters, numbers, and special characters
2.        Try to avoid using external memory cards unless they are encrypted
3.        Update the phone regularly, to ensure that  vulnerabilities which can be exploited to unlock password protected phones is patched
4.         Backup contacts and other data
Four steps that cybercitizens should take when the phone has been stolen or lost and returned.
1.        Use the Internet finder app to locate the phone and erase data
2.        Reset all passwords for apps and accounts even if the phone has been returned
3.        If returned, reformat and reload the operating system to avoid any malware being surreptitiously loaded. Malware can be used to spy, steal credentials and cause an even bigger financial loss
4.        Block you SIM card by calling up your cellular provider

Saturday, August 15, 2015

LuciusonSecurity among the Top 50 Infosec Blogs 2015

Digital Guardian a Gartner Quadrant leader in the Data Protection product market has named this blog as one of the Top 50 Infosec Blogs you should be reading.

Thanks you Digital Guardian

Friday, August 14, 2015

I lost money because my petrol pump was hacked by attendants!

The neighborhood petrol pump which I occasional use, was in the news for allegedly tampering with the meter readings. Some of the staffers had hacked the circuitry to modify the pulser readings which converted the flow volume to the digital readout. As a consequence, 5% of the bill value was inflated. Hacking is typically associated with software and remote Internet connections, but all sort of meter readings can be tampered with to skim small sums of money or develop glitches that result in inflated bills.
The only way to tackle such misuse is by surprise calibration checks and stringent penalties. In the case of the above petrol pump, the ingenious system also had a switch to toggle back to normal values during a calibration inspection.

The police believes that this particular fraud may be widespread, which simply demonstrates the ease with which the perpetrator of the modified pulser is able to sell his invention without being caught.

Thursday, August 13, 2015

Hacking SMART services in Cars, Homes, and Medical Devices – a cinch!

Businesses are reinventing themselves by transforming traditional services and service delivery into digital services. Digital services utilize smart products to provide enhanced service quality, additional features and to collect data that can be used to improve performance. Smart products can be remotely controlled using Wi-Fi or cellular connections, software, sensors that makes smart dumb devices, cloud infrastructure and mobiles.
Examples of digital products and services are network connected cars, home appliances, surveillance systems, wearables, medical devices, rifles and so on. Very recently ethical hackers exploited a software glitch that allowed them to take control of a Jeep Cherokee while on the road and drive it into a ditch. All this with the hapless driver at the wheel!

While the car hack made headlines and led to the recall of 1.4 m vehicles, it also signaled the beginning of an era where cyber-attacks or software glitches cause physically harm to cyber citizens, blurring the lines between safety and security. Cyber-attacks in the near future will do a lot more damage than destroy reputations, steal money or spy on intimate moments people would prefer to keep private, it may maim or kill in a targeted or random fashion and that too in the privacy of one’s own home.
The severity of some of the demonstrated exploits by ethical hackers were downplayed because the attacker required physical access to the vehicle to execute the attack. I for one, do not know what happens to my vehicle while it is serviced or valet parked, both ideal opportunities to fiddle with the electronic systems and even modify the firmware.

All smart devices will be connected and updatable over wireless networks. Wireless updates are ideal opportunities for hackers to obtain access or control over these devices. However, digital products or services must have built in defenses not only for over the air hacks but equally on risks from technicians, mechanics or others that have physical access to the smart infrastructure.
Startups with limited budgets may struggle to provide adequate security to their new incubations, allowing ample opportunity for maliciously minded individuals and cyber criminals to find ways to compromise the service. Investment in smart product security will be driven by liabilities around safety regulations, compliance and strict penal provisions.

Saturday, August 8, 2015

Darknet, where child pornography is rampant

Child porn is rampant in what is known as the dark web or darknet. The part of Internet that cannot be reached by using a search engine like Google. It is that part which is accessed using a special browser (TOR) which is freely downloadable, and works to ensure the anonymity of the user online. It achieves this by use of encryption and bouncing encrypted communication across a network of nodes before it reaches the intended site. The information that the intended site possess is the IP address of the last node which makes the original destination anonymous. The downside of the TOR network is its slow speed.

Coupling an anonymous network with an anonymous currency like BITCOIN allows illegal activity such as the buying and selling of drugs, child porn, and counterfeits to flourish without the fear of tracking either information or financial flows. Cybercriminals, terrorists, drug peddlers and pedophiles among others, use the darknet to further their business as the darknet protects both them and their customer’s identities.

Criminal users on the darknet are savvy and sophisticated in covering their tracks and erasing the digital fingerprints they leave online. They conduct their business on secret password protected websites limited to trusted users (excluding undercover police), utilize sophisticated hard disk encryption (including some with multiple passwords, each opening up a different volume), distributed storage across multiple computers to ensure that each computer will not have a complete image and move sites frequently.  These tactics coupled with the volume of sites on the darknet makes it a formidable task for law enforcement to identify criminal rings and catch them.

Making the darknet safe requires detectives to impersonate criminals or their customers to infiltrate criminal rings. It is a tedious task with limitations in jurisdiction and prosecution. In the next few years this old fashioned method will be supplemented with technology to map and analyze darknet sites, contents and activity to profile criminal behavior.

For Governments wanting to crack down on child porn, like as in India, the only option is to set-up a team of specialized investigators to explore darknet activity originating from within the country and to partner with their counterparts from like thinking countries to nab criminals within their jurisdiction.

Thursday, August 6, 2015

Can child porn be blocked by banning websites?

The Indian government is trying to block child porn by banning websites, an ineffective strategy, primarily due to the difficulty in the identification of child porn websites. Child porn is traded within closed rings of pedophiles using the dark internet. The dark internet are sites on the Internet not accessible through the search engines. Pornographic material are actively bought and sold between collectors who form these rings using peer to peer software and encrypted communications. Some reports estimate that there are over 100000 individuals who deal in pornography through secret chat rooms and other communication channels.
Child porn is broadly defined as the creation, distribution and collection of photographs, audio or video recordings of sexual activity involving a prepubescent person. The pornographic content may range in severity from posing while clothed, nakedness to explicit sexual activity, assault and bestiality.
Children who are victims of child pornographers suffer physical pain, somatic symptoms and physiological distress. Many do not complain out of loyalty to the offender (who could be a relative) and a sense of shame.
One of ways child porn is produced is through the malicious use social networks and the Internet to groom innocent children into sharing explicit images of themselves and then blackmail them into producing more content. The content is then sold to other collectors for a fee. With the widespread availability of webcams and Internet, the remote pornographer has direct video access to a groomed child, within the once secure confines of the child bedroom.
Reducing the amount of child porn on the Internet is a noble initiative and one that requires the co-operation of several stakeholders such as law enforcement, parents, victims, social groups, ISP’s, search engines and the community. Catching and shutting down rings has to be a priority and ISP’s hosting dark sites need to quickly detect and shutdown such child abuse sites.  The catch rate of child pornographers is quite low, at around 1000 a year with no mechanism to prevent repeat offenses.
In India, I would believe simply going by the increased spate of media reports on physical child abuse in prominent schools, that physical child abuse is a larger problem than tackling online pedophilia. All parents must be alert to the cues that their child provides to quickly identify abuse.

Saturday, August 1, 2015

Sites you use online, may tarnish your reputation and relationships

Cybercitizens use sites on the Internet as resources that offer them services with scant thought as to how their data and activity information could be used by site owners and others who have access to it. The others are entities who are sold this information, cyber criminals who steal it, third parties who provide services to the site owners and also innocuous users who come across this data because the sites privacy protection or in some cases security is not adequate.

Cybercitizens should note that many sites provide services for free, supported by advertisement revenue. These sites collect and analyze profile and activity information which includes clicks, page visits, and transaction information to selectively display advertisements suited to the user’s demographic profile or searches. This helps advertisers obtain better returns on their advertisement dollar. Most of the larger and more popular sites make their users sign up to lengthy terms and conditions, which few read or understand, to enable them use personal data. Larger more established sites lay out well worded privacy statements on their websites which users can read. In all cases, information related to financial transactions are normally governed by strict regulations and compliances which regulates use and specifies standards for the security of card data.

But, there are many other firms with questionable credentials and whose ownership remain largely unknown. They may be popular sites too, but on the vast global highway, there is no way that one can truly ascertain where your data resides, who sees it and what use it is put too.  The case of the hack of the extramarital affair dating site Ashley Madison, clearly demonstrates the vulnerability of those users to reputational damage, blackmail and extortion. There are many sites, whose membership if disclosed could hurt the reputations of millions of people. Pornographic sites for instance.

The trail of personal data that one puts online remains. For example, curious users of the Ashley Madison site would have no way of proving to their spouse that they subscribed to the site out of curiosity and not for intended use. 

The effect of disclosure of personal data varies from tarnished reputation and financial losses to minor privacy intrusions. Cybercitizens should evaluate these risks and their potential consequences when they use certain sites.