Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.
Wednesday, December 23, 2020
Friday, December 18, 2020
How to avoid seven types of tweets and posts that can get you jailed or fired
Instances of people being fired from their job or jailed because of offensive, inappropriate or indiscreet tweets are plentiful!
Once a tweet or post is online, you cannot control who views it. Even an account with few followers can have a tweet go viral. Intelligence and police agencies constantly analyze public tweets and posts to pick up signals of potential suicides, terror threats and drug activity.
Thinking before you post can save a lot of personal distress. Avoiding the seven types of posts and tweets described below will protect your online image and help you avoid being fired, jailed or defamed, or losing opportunities and friends.
1. Posting personal tweets on corporate accounts
OOPs! I got fired because I sent a personal crib on my corporate account instead of to my group of buddies. Quick thumbs are to blame, but the damage cannot be undone. Once something is online on your company's corporate account, it is the company's reputation that is at stake. What is posted on a corporate account represents the company's view, and the usual consequence of the mistake is dismissal, because that is what stakeholders expect. Even a sympathetic boss could not prevent it. Had you posted the same thing on a personal account that identifies your official position, the outcome would have been similar.
2. Posting offensive Jokes
Keep in mind that what you post online is taken at face value; it is not interpreted the way people who know you would interpret it. Online, you reach an audience with widely differing ideologies and perspectives, and your version of a joke may be read as racist or sexist. A close analogy is a childhood memory of doing something you thought was fun while a parent or teacher chided you for it: they had a different perspective. Even in the adult world there is a lot to learn from the perspectives of others, much as in our childhood days. The net result is usually self-inflicted damage to your reputation and the loss of friends and opportunities. Jokes about co-workers may result in HR warnings or action.
3. Using Threat Words - Bomb, Kill, Suicide, Rape
Words like these, irrespective of intent, may be interpreted as a call to action by the police or by anyone else who views your post or tweet. I can assure you that even if the post was a prank, the arm of the law is not lenient. Often, for ideological reasons, we use such words figuratively against a person in authority, as in “Kill the President”, which can result in severe consequences.
4. Making Threats
A threat made online can be used as evidence in a court of law. Threats are made in a fit of rage, with actual intent, or even to delay a social function or a flight. Once a threat has been made, however prankish the intent or however emotional the moment, it will be dealt with very severely by the law.
5. Content which contains violence, porn, or is racist or sexist in nature
Companies are not tolerant of executives who post this type of content; if it does not get you fired, it will hurt your job search prospects or your rise in the organization. Companies expect their employees to be good corporate citizens, in the same way we are expected to keep our political and religious views personal and to function in a neutral, secular way in the office. Pedophilic content will, obviously, mean a jail sentence.
6. Silly or Careless Comments
Many people generate their own version of events, or spread half-truths or deliberate lies. Posting these online can get you into serious trouble. When such tweets or posts are made against people in authority, law enforcement agencies act quickly on their complaints. Visits to the police station and the legal action that follows are a harassment best avoided. Most often the outcome is a red-faced public apology. Sometimes what we believe to be true is fake news, or a narrative spread deliberately for political or business interests; keep this in mind when composing online messages.
7. Retweeting or Liking
Yes, retweeting or liking certain posts may be viewed as support for a campaign of hate or disinformation. In times of COVID or civil unrest, malicious rumors are often circulated to stir the pot or for political gain. We must keep calm in such times and avoid spreading these rumors.
Wednesday, December 16, 2020
Twitter, Facebook, Zoom, LinkedIn, Instagram, Microsoft Teams, Gmail, Hotmail: are they safe to use?
This was a question that deeply interested me for two primary reasons. The first was that even if they were unsafe, people would continue to use them, because not doing so meant that social and business connections would be hampered. After all, most of the world’s population has signed up on these social media and collaboration platforms, creating a gigantic network and data repository. The second is simpler: it is hard to tell whether these platforms are unsafe until there is a public news outbreak, and by then exit options are limited.
The reality hit me when a few large security companies continued to use a collaboration platform in which several vulnerabilities had been publicly identified. Ideally, one would think such an act would be counterproductive for their type of business and that they should have shifted to a competitor.
Let us closely examine the dilemma. We have to sign up blindly to a popular platform, assuming it to be safe and that it will keep our personal data private.
With all the news on security and privacy breaches, it is obvious that no platform is 100% safe. Even platforms that spend billions are not. The big players are committed to improving customer trust and protecting their brand and investments, but the need for profits and the race to ship new features may hamper their efforts to improve security and privacy. The commercial relationship between a user and a free-to-use platform is still evolving: money can only be made by analyzing or selling its content, and that content has been crowdsourced without a clear specification of how it will be used or processed. Sadly, there is no fixed line between what is right and wrong; it is a tug of war between the platform's business interests, regulators, governments and its user community. All four must coexist happily for the ecosystem to succeed.
Each user of a platform has to secure their own interests using the means at their disposal. Below are five tips that can help improve security and privacy:
a) Set security and privacy settings appropriately: All platforms have privacy and security settings. Reviewing them and tailoring them to your requirements keeps personal information within an approved set of people. These settings are important to ensure that your account is not hijacked (most large platforms now offer two-factor authentication, the single most effective setting against account takeover), that personal data is not visible to the public, to set limits on its use and to avoid ad spam.
b) Keep a lookout for security alerts: Simply GOOGLE “platform name + breach” and the results will show that large platforms are not immune to severe security problems; the bigger they are, the bigger the target they become. Once a breach has been detected, the platform should send out an email notification listing the data stolen, its potential impact and mitigation measures. Stolen data may be misused to send phishing or spam emails, and fake “breach notification” emails are themselves a common phishing lure, so follow the advice published on the platform's own site or app rather than links in the email. Do read and implement the recommendations.
c) Keep a lookout for privacy alerts: Platform companies have been sued by regulators or have faced government hearings over the data they collect, use and share. While most of this information comes after the fact, once penalized they do put in measures to ensure better compliance in future.
d) Think before you Post: Ensure that you assess the personal value of what you post online and the risk or consequence for its loss. Do not post anything that may have consequences that you cannot accept. Remember what goes online stays online.
e) Join platforms with a reputation to lose: Platforms with a reputation to lose will fight to preserve it by making business changes, working with regulators and investing to improve safeguards. Having been penalized or breached does not in itself make a platform good or bad; it is the actions afterwards that tell the tale.
I trust these tips will help make your experience online safer.
Monday, December 14, 2020
Online Safety Tips to keep 3rd and 4th Grade kids safe while Online Schooling and Surfing
The coronavirus pandemic has forced children to spend a large part of their day on the computer and online. Our young kids are embracing the Internet at an accelerated pace. Today's essentials, like online schooling and virtual meetings with friends, cannot be regulated by the screen time norms of the past. The one- or two-hour screen time limit has fallen apart, as children are now on the Internet for almost 6-8 hours a day.
At the age of 7 to 9, logic and critical reasoning are still in their formative stages, so it is difficult to explain to kids what Internet risks are and how to avoid them. Instructions and advice must be given and continually reinforced, but it would be unwise to believe your child is safe all the time simply because of instructions you once gave.
At this age, a child is usually not on social media or email and does not use a personal mobile phone. This is a good thing, because it avoids your child becoming a target for pedophiles, who normally target children after viewing their online photos and videos, and for trolls or, surprisingly, even jealous classmates and their parents, over what they post online.
What the child has mastered is the use of collaboration technology (video and chat) like Zoom, playing online games like Minecraft and surfing the Internet. At this age an interested child has already learned how to follow online instructional videos on YouTube or to research topics of interest on the Internet.
Cyber risk must be assessed based on how the child uses the Internet. The child's digital assets are normally a computer and an email id. The child may not use the email id, but it is usually needed to access online portals, such as for schoolwork.
The three main risks faced by children in these grades are from:
Malware: Cyber criminals embed malware in pirated or specially prepared copies of games, software or images that children download. The malware can exfiltrate data such as pictures or files from the computer drive, and passwords for online accounts. Compromised online account passwords allow a cyber criminal to send emails using your id or to use other services in your name. If multiple family members share the computer, their accounts are at risk too.
Content Exposure: Surfing online can expose a child to objectionable content, which is easy to find if the right search words are entered. It may be unlikely that your child deliberately searches for such content, but there is a high possibility that they will stumble on it.
Online Strangers: When children use YouTube tutorials to learn how to do things, for example to play games, they come across links and game servers for multiplayer gaming. Children are adept at clicking on these links, which may lead to malicious content, or at connecting to game servers that may expose the child to other players with harmful intent.
Three Sets of Countermeasures to protect your child from online harm
Preventing Internet risks requires a combination of security countermeasures; together they form the basis of a secure experience. There are three main sets of security controls:
1. Secure the Computer
2. Secure User Environment
3. Parental Involvement
Secure the Computer
Each computer must be protected from the security risks it is exposed to when connected to external networks and through its use.
Use a supported version of Windows: Windows 10 version 1909 is the oldest version still supported for the Home, Pro, Pro Education and Pro for Workstations editions, and its support ends in May 2021. To check the Windows version, select the Start button > Settings > System > About.
Use an antivirus plus product: Installing an antivirus plus product offers several kinds of protection: scanning files for malware and adware, restricting (firewalling) risky network connections and blocking risky websites. Besides these, there are other features that are useful for older children or adults. Windows 10 already includes Microsoft Defender; if you do not install a third-party product, at least make sure Defender's real-time protection is turned on.
Use automatic updates to ensure that your software is always patched: When a new vulnerability is discovered, software companies release a patch. It is simplest to turn on the auto-update feature so that the computer's software is always patched to the latest version. With automatic updates you do not have to visit the vendor's update website to look for updates; the software delivers them to your computer on its own. Check the patch status regularly to make sure the auto-update mechanism is actually working. All software needs to be patched, whether it is the operating system, collaboration software like Zoom or tools provided by the school.
To check the Windows Update setting, select the Start button, then go to Settings (the gear icon) > Update & Security > Windows Update.
Secure User Environment
The computer's software configuration must tailor user security controls to the child's use.
Create an independent child account on Windows: Microsoft allows the creation of a family group, which links and controls multiple accounts. A child account gives a parent the following:
• Set Screen time
• Require parent permission before buying stuff or downloading applications
• Filter content (applies only to Microsoft products, such as the Edge browser)
• Get reports of online activity
• Monitor Activity on the Computer
• Parent Supervised Downloads
• Set Parental Controls
Use a PIN, not a password: Windows Hello in Windows 10 lets users sign in to their device with a PIN. A numeric PIN is easy for a child to remember without writing it down. A Hello PIN is tied to the specific device on which it was set up, so it is useless to anyone without physical access to that computer: even if the PIN were shared, it could not be used to sign in to the account from anywhere else. When you create your child's account you first have to create a password; write it down and store it safely. Because that password still protects the Microsoft account online, make it long and unique. Your child does not need to know or use it once a PIN has been set up.
Create a child email account: Parents should set up an independent email id for their children rather than using their own. Children would not normally use email, but almost all online applications require an email account to sign in. Parents should keep the password secret and operate the account themselves.
Set parental controls: Most antivirus suites and browsers have parental controls. Parents need to research how to set age restrictions on the browsers and the operating system. Note that you need to set controls on every browser in use and on the operating system; combining browser controls with an application allow-list stops the child from simply installing a different browser. Parental controls allow restrictions on screen time, online purchases and age-appropriate sites, blocking or explicitly allowing certain applications to run on the computer, and usage reporting.
Parental Involvement
The role of parents is largely to curate and keep safe the experience the child has on the Internet. It is similar to the physical world, where a parent ensures that their child is not harmed or bullied on the playground. Parents provide advice on Internet safety and etiquette and help children understand their online experiences and interactions. Children of this age seek clarification from their parents as they learn, or are excited to talk about their online discoveries. These conversations must be encouraged for the valuable insight they give into a child's online behavior and experience, all the more so because parents are often unfamiliar with the games played or applications used by their children.
Protecting children from strangers: To protect children from meeting strangers online, it is important to know where they can meet and chat with strangers. Normally the opportunity arises on social media or in multiplayer gaming, so evaluate the stranger-meeting potential of every online interaction your child has. All children should use an anonymous profile that does not give away their age, sex, real name or location. Your child should be made aware that they must never share real-life information online. Children love play acting; if you can convince them to play the role of “ShootDragon60”, they will easily make up a play character of their own.
Protecting your child from age-inappropriate content: The parental settings on the search engine, antivirus suite or Microsoft family account will help restrict adult sites. This is a must; it will prevent your child from visiting inappropriate sites. However, despite content filtering, there may be borderline content that is allowed. For example, if your child loves the Percy Jackson series, based on Greek mythology, and later researches the topic online, the Greek gods are likely to be depicted as nude or semi-nude sculptures.
At this age we teach our children to cover up, to protect them from abuse, and the sight of these images piques their curiosity because it is contrary to their parents' instructions. Another example is advertisements for lingerie and make-up products shown on channels children watch. Parents need to explain or reason through these topics with the child; otherwise they may form their own narrative.
Following these risk mitigation tips will reduce the Internet risks to your 7-9-year-olds and make their Internet experiences safer.
Saturday, December 12, 2020
There is a 100% chance that you will click on a Phishing Email!
Astounding, isn’t it! I am sure that you will question the audacity of the statistic. I can tell you with confidence that even a security expert is not immune to falling prey to phishing emails. That is why even the most mature security companies get hacked.
Any human will click on an email whose content appeals to a human emotion that is strongly felt.
There is a phishing bullet with everyone’s name on it. To illustrate the point, let us study two examples.
The first is related to the COVID pandemic. You receive a phone call from an unknown caller, who asks for your personal details and telephone number to register you for the immunization program. There is a fee to be paid, for which a link will be sent via SMS. Now ask yourself: would you give your personal details to the caller? Most probably not, and certainly not before asking several clarifying questions to verify the program and the identity of the caller or institution.
But would you do the same if the information were requested via email? Most people eager to receive the vaccine would fill in the information and await further instructions. That would be step two if the scamster intended to scam you for money; in some cases, the scamster is satisfied with just your personal details.
The second example is business email compromise. According to the FBI, cybercriminals took over 26 billion US$ from this type of fraud between 2016 and 2019. There are many variations, but the first step is to identify a willing employee who will respond to an email carrying a specially crafted instruction from a senior. If your CEO or CFO sent you an email, how would you react? Instantly, I guess. The catch is that while the display name was correct, the address belonged to another user on a public email service like Hotmail or Gmail. So if your CEO was Lucius Lobo, the sender would look like Lucius Lobo <jynx234@hotmail.com>. Many mail clients, especially on phones, show only the display name, so you have to tap or hover on it to see the address at all. The pressure to respond quickly to the CEO or any senior executive short-circuits the basic validation an employee would normally make: noticing that the actual email address is not a company address and, as in this example, is in no way connected even to the display name.
If human emotion compels us to drop the extra validation we would normally do, then consciously restoring that habit when responding to emails keeps us safe.
If you wish to reply to an unsolicited email, question the veracity of its contents as you would have if the same request were made by telephone. Bear in mind that any unsolicited email is high risk.
Here are four quick tips, for common scams:
1. If an unsolicited email promises a free lottery, a job or anything in return, it is probably fake. There is nothing free in life.
2. If an unsolicited email promises something extraordinary, like a high rate of return or a payoff, avoid it. It is a scam.
3. If an unsolicited email asks for personal information, it is likely a scam. It may not cost you money, but more often than not it fills your inbox with junk.
4. If the display name is that of someone you know but the email address is different, it is a scam email, specifically designed to get past spam filters.
Keep these tips in mind as you read your next unsolicited email. In my next blog we will examine how to avoid being scammed from a genuine but hacked email id.