Lucius on Security

Six clues to check if my Job opportunity is FAKE?

noreply@blogger.com (Lucius on Security) — Sun, 05 Dec 2021 16:26:00 +0000

A source of income is a prerequisite to sustain a family or livelihood. There is no dearth of job seekers as young adults continuously enter the workforce. Bagging the first job after graduation or a downsizing is challenging. The scramble by anxious job aspirants for limited opportunities is actively exploited by fraudsters posing as company officials or job consultants. Fraudsters target unsuspecting job aspirants looking for lucrative jobs overseas or jobs which offer greater job security, such as with the Government. Job scams affect companies or sectors with large scale recruitment such as banks, Information Technologies, Call Centers, Retail and Government.

The modus operandi of the scam runs deep from first contact, to fake interviews, fake training, and finally a fake offer letter. Along the way a sum of money is taken on one or more pretexts. The fraudster gets in touch, when a prospective job seeker responds to spam emails or a fake job advertisement. Once the job seeker, makes contact the fraudsters pose as company officials or job consultants using fake ids and spoofed letter heads. The documents appear legitimate and may include a job description, salary, and benefit details. During the entire process personal data such as identity verification, certificates, past employment letters and bank statements are sought allegedly to process the job offer and obtain visas. The jobseeker finds out about the scam only when they turn up at the company premises on the joining date or they fail to receive a joining intimation. By then the fraudster is long gone. The job seekers only resort is to intimate the company and file a complaint with the cyber police to try and recover the amount. For the police, acting on several such minor complaints is a tedious task, and the prospective employer rarely can pursue any investigation on its own as the company is not party to the fraud. The net effect is that scammer makes money and the scammed job aspirant bears the loss.

The only way to stay safe is to avoid the scam in the first place, by recognizing red flags which help smell a rat in the process.

Listed below are six such flags for job recruitment scams:

1. Recognize a jobseeker’s vulnerability: A pressing need for a stable job is the precise vulnerability fraudsters exploit in job recruitment scams. The desire to not lose a good opportunity lowers the victim’s guards and is used by fraudsters to create a sense of urgency to force victims to make quick decisions without adequate research or consultation. It vital to realize that frauds are played on multiple people using a well-oiled template designed to win trust. It’s a big business and the victim is not a random target. For many, so pressing is the need for a good job, that even if warned that the job opportunity probably was a fraud, the advice would be a brushed off with the self-assurance that a response to an email would not hurt. In effect, it the step that sets the fraud rolling.

2. Verify, Verify and Verify Again: Before you respond to the email, there are vital clues in the initial correspondence to verify its authenticity.

a. Source of the email or job posting: Check if the email was from the company or a reputed job portal? To do so, match the received email domain (@thecompany.com) with the email domain from the portal or company. if it’s the same, then the mail is probably genuine, if not a misspelled email id is a sure sign that it’s a phishing site set-up for a recruitment scam. If the email comes from an unidentified source either because the consultant was not known or the client wants to keep the job confidential, a website search helps to verify the consultants background and reputation. Studying the site would probably give you an insight into how reliable the company is.
b. Check if the job exists: In some cases, it’s easy to check if the job you are applying for exists. Some companies especially the Government advertises all their vacancies on their website.
c. Check for the company’s recruitment procedure: The career pages of the company website often explains the recruitment procedure. Most companies which are targets for recruitment scams have a warning put up on their website. If the procedure you are asked to follow deviates from the one on the website, you know it’s a scam.
d. Confirm Recruiter email address: Confirm if the recruiter has a genuine company email id which would be @thecompany.com, where “the company” is the prospective employer. If not, it’s probably a scam.

3. Never pay for a job: A request for payment for training or visa processing or any other services is a sure shot red flag that the job is fictious. Many a time the ask for money is repetitive – small amounts for application, training, uniform, and the appointment letter. Most companies clearly state on their website that they do not request payment for selection. One could confirm directly with the company if they request payment for any step in their selection process before a payment is made.

4. Review what documents are requested: There are types of document that are not usually requested during the interview process. These include bank statement, tax documents, credit card details and other financial statements.

5. No job without interview: Every job selection process will have an interview whether offline or online. If the job does not have an interview, then it’s probably fake or there is something illegal in the offer process. if called for an interview, the id tags, interview location, and questions you ask may give provide a sense of the genuineness of the process.

6. Verify the offer letter: Try to check if the offer letter is genuine. Some companies offer the facility of verifying the offer letter online on their career portal, using information provided in the letter. Other clues to fake offer letters are receiving offer letters on WhatsApp or any social networking sites and poor grammar. Offer letters from large companies are normally very well written and grammatically correct and sent from official company email ids.

Picking up these Red Flags may help prevent you from losing money, time, and personal information while in search of a job. Don’t shy away from asking questions!

Stay smart, Stay Safe.

Stay Safe ! Merry Christmas and a Happy New Year

noreply@blogger.com (Lucius on Security) — Wed, 23 Dec 2020 04:08:00 +0000

How to avoid seven types of tweets and posts that can get you jailed or fired?

noreply@blogger.com (Lucius on Security) — Fri, 18 Dec 2020 04:01:00 +0000

Instances of people being fired from their job or jailed because of offensive, inappropriate or indiscreet tweets are plentiful!

Once a tweet or post is online, it is not possible to control who views it. Even without many follower’s tweets go viral. Intelligence and Police forces constantly analyze tweets and posts in the public domain to pick up information on potential suicides, terror threats and drugs.

Thinking before you post can save a lot of personal distress. Avoiding the seven types of posts and tweets illustrated below will improve your online image and prevent actions such as being fired, jailed, defamed or from lost opportunity and friends.

1. Posting personal tweets on corporate accounts

OOPs! I got fired because I sent a personal crib on my corporate account instead of my group of buddies. Quick thumbs are to blame but the damage cannot be redeemed. Once online on your company’s corporate accounts, it’s their reputation that’s at stake. What is posted on a corporate account represents the companies view and recovering from the mistake is usually a sack because that is what stakeholders expect. Even if you boss sympathized with you, your sack could not be prevented. Had you posted on your personal account representing your official position, it would have a similar outcome.

2. Posting offensive Jokes

We must keep in mind that what you post online is taken at face value, it is not interpreted in the same way as the people who know you would. Online, you reach an audience with widely differing ideologies and perspectives. Your version of the joke may be interpreted as being racist or sexist. A close analogy is to pick on a childhood memory where you did something that you thought was fun, but your parent or teachers chided you for it. They had a different perspective. Even in the adult world, there is lots to learn from the perspectives of others much like our childhood days. The net result is usually self-defamation, loss of friends and opportunity. Jokes on co-workers may results in HR warnings or action.

3. Using Threat Words - Bomb, Kill, Suicide, Rape

Words like these irrespective of intent would be interpreted as a call to action by police or anyone who viewed your post or tweet for that matter. I can assure you that even if the actions were a prank the arm of the law is not lenient. Many times, because of ideological reason we may use these words in a figurative way against a person of authority, “Kill the President” for instance which may result in severe consequences

4. Making Threats

When you make a threat online, it can be used as evidence in a court of law. Threats can be made in a fit of rage, with actual intent or even to delay a social function or plane. Once a threat is made with intent, however prankful or in a fit of emotion, it will be dealt with very severely by law.

5. Content which contains violence, porn, or is racist or sexist in nature

Companies are not tolerant of executives who post such type of content, if it does not get you fired it would hurt your job search prospects or rise in the organization. Companies expect their employees to be good corporate citizens, in the same way as we are expected to keep our political and religious views personal, and function in a neutral or secular way in the office. Obviously, pedophilic content will mean a jail sentence

6. Silly or Careless Comments

Many people generate their own version of events, spread half truth or deliberate lies. Posting these online can get you in serious harm. When these tweets or posts are made against people of authority, the law enforcement agencies quickly act on their complaints. Visits to the police station and the legal action that follows would be a harassment that would best be avoided. Most often the sentence results in a red-faced public apology. Sometimes, what we believe to be true is fake news or a narrative spread deliberately for political or business interests, we should keep this in mind when we compose online messages

7. Retweeting or Liking

Yes, retweeting or liking some types of post may be viewed as support to a campaign of hate or disinformation. In times of COVID, or civil unrest, malicious rumors are often circulated to stir the pot or for political interests. We must ensure that in these times we maintain calm and avoid spreading these rumors

Twitter, Facebook, Zoom, LinkedIn, Instagram, Microsoft Teams, Gmail, Hotmail are they safe to use?

noreply@blogger.com (Lucius on Security) — Wed, 16 Dec 2020 12:09:00 +0000

This was a question that deeply interested me for two primary reasons. The first was that even if they were unsafe, people would continue to use them because not to, meant that societal and business connections would be hampered. Afterall, most of the world’s population have signed up on these social media and collaboration platforms creating a gigantic network and data repository. The second is simpler, its hard to tell if these platforms are unsafe until there is a public news outbreak, and at that time exit possibilities are limited.

The reality hit me, when a few large security companies continued to use a collaboration platform where several vulnerabilities had been publicly identified. Ideally one would think such an act would be counterproductive to their type of business and they should have shifted to a competitor.

Let us closely examine the dilemma. We have to sign up blindly to a popular platform assuming it to be safe and to keep private personal data.

With all the news on security and privacy breaches, it is obvious that there is no platform that is 100% safe. Even platforms that spend billions are not. The big players however are committed to improving their customer trust and protecting their brand and investments, but the need for profits and the speed to bring new features may hamper their efforts to improve security and privacy. The commercial relationship between a user and a free to use platform is still evolving. Money can only be made through the analysis or sale of its content. That content has been crowdsourced without the clear specification of how it will be used or processed. Sadly, there is no fixed line between what’s right or wrong, it’s a tug of war between the platforms business interest, regulators, governments and its user community. All four must happily coexist to ensure the success of the ecosystem.

Each user of the platform has to secure their interests using means at their disposal. Written below are five tips that could help improve security and privacy:

a) Set Security and Privacy Settings Appropriately: All platforms have privacy and security settings. Reviewing these settings and tailoring them to your requirement ensures personal information is retained within an approved set of people. Security and Privacy settings are important to ensure that your account is not hijacked, personal data is not visible to the public, to set limits for its use and to avoid ad spam.

b) Keep a look out for security alerts: Simply, GOOGLE the “platform name + breach” and the results will clearly show that large platforms are not immune to severe security problems. The bigger they are the bigger the target they become. Once a breach has been detected, the platform would send out an email intimation of the breach, listing the data stolen, its potential impact and mitigation measures. Stolen data may be misused to send phishing or spam emails. Do read and implement the recommendations

c) Keep a look out for privacy alerts: Platform companies have been sued by regulators or face government hearing because of the data they collect, use and share. While, most of the information is post fact, once penalized they do put in measures to ensure better compliance in the future.

d) Think before you Post: Ensure that you assess the personal value of what you post online and the risk or consequence for its loss. Do not post anything that may have consequences that you cannot accept. Remember what goes online stays online.

e) Join platforms with a reputation to lose: Platforms with a reputation to lose will fight to preserve it by making business changes, working with regulators and investing to improve safeguards. Having been penalized or breached does not make a platform good or bad, its the post actions that tell the tale.

I trust these tips will help make your experience online safer.

Online Safety Tips to keep 3rd and 4th Grade kids safe while Online Schooling and Surfing

noreply@blogger.com (Lucius on Security) — Mon, 14 Dec 2020 04:46:00 +0000

The coronavirus pandemic has forced children to spend a large part of their working day on the computer and online. Our young kids are embracing the Internet at an accelerated pace. Today’s essentials like online schooling and virtual friends’ meetings cannot be regulated based on the screen time norms of the past. The one- or two-hour screen time limit rule has fallen apart, as children are on the Internet for almost 6-8 hours a day.

At the age of 7 to 9, logic and critical reasoning are still in the formative stages. It becomes difficult to explain to kids what Internet risks are and how to avoid them. While instructions and advice must be given, and continually reinforced, it would be unwise to believe that your child would be safe all the time, simply based on the instructions you once gave.

At this age, a child is usually not on social media or email or uses a personal mobile phone. This is a good thing because it avoids your child becoming a target for pedophiles who normally target children after viewing their online photos and videos, and trolls or surprisingly even jealous colleagues and their parents, for what they post online.

What the child is a master off is the use of collaboration technology (video and chat) like Zoom, playing online games like Minecraft and surfing the Internet. At this age an interested child has already mastered how to learn from online instructional videos on YouTube or to research the Internet for topics of Interest.

Cyber risk must be assessed based on how the child uses the Internet. The child digital assets normally are a computer and an email id. The child may not use the email id, but it is usually needed to access online portals, such as for schoolwork.

The three main risks faced by children in these grades are from:

Malware: Cyber criminals embed malware in pirated or specifically prepared copies of games or software or images that children download. The malware would exfiltrate data such as pictures or files from the computer drive, and passwords for online accounts. Compromise of online account passwords would allow a cyber criminal to send emails using your id or use other types of service accounts. If multiple family members share the computer, then there is a risk of their accounts being compromised.

Content Exposure: Surfing online would expose a child to objectionable content. Objectionable content is available easily if the right search words are entered. It may be unlikely that your child deliberates searches for such content but there is a high possibility that they may stumble on it.

Online Strangers: When children use YouTube tutorials to learn how to do things, for example to play games, they come across links and game servers for multi-player gaming. Children are adept at understanding how to click on these links which may have malicious content or to connect to game servers which may expose the child to other players with harmful intent.

Three Sets of Countermeasures to protect you child from online Harm

Prevention from Internet Risks requires a combination of security countermeasures. All these together form the basis of a secure experience. There are three main set of security controls:

1. Secure the Computer

2. Secure User Environment

3. Parental Involvement

Secure the Computer

Each computer must be protected from security risks that it is exposed to when connected to external networks and through it use

Use a supported version of Windows: Win 10, 1909 is the least version supported for Home, Pro, Pro Education, and Pro for Workstations editions until May 2021. To check the Windows Version Select the Start button > Settings > System > About

Use an Antivirus Plus Product: Installing an antivirus plus product offers different types of protection by scanning files for malware and adware, restricting (firewalling) risky network connections and avoiding risky websites. Besides these, there are other features which would be useful for older children or adults.

Use Automatic Updates to ensure that your software is always patched: When a new vulnerability has been discovered, software companies release a patch. It’s simpler to set the Auto Update feature to ensure that computer software is always patched to the latest version. By using Automatic Updates, you do not have to visit the software vendors Update Web site to scan for updates. Instead, the software automatically delivers them to your computer. You should check the patch status regularly to ensure that the auto update mechanism works perfectly. All software needs to be patched whether it is the operating system, collaboration software like ZOOM or tools provided by the school.

To check for the Window Update Setting - select the Start >Windows logo Start button, and then go to Settings (Gear-shaped Settings icon) > Update & Security > Windows Update

Secure User Environment

Computer software configuration must tailor user security controls for the child’s use.

Create an Independent Child Account on Windows: Microsoft allows the creation of a family account. The family account enables the linking and control of multiple profiles. A child profile allows a parent the following benefits:

• Set Screen time

• Require parent permission before buying stuff or downloading applications

• Filter content (applicable for only Microsoft Products)

• Get reports of online activity

• Monitor Activity on the Computer

• Parent Supervised Downloads

• Set Parental Controls

Use PIN not Password: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. A numeric PIN is easy for a child to remember without writing it down. A Hello PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without physical access to the computer. If the PIN was shared with anyone else, they would not be able to sign in to any account from anywhere. When you create your child account, you would first have to create a password. This password can be written down and stored safely. You child does not need to know or use it once a PIN has been set-up.

Create a Child Email Account: Parents should set-up an independent email id for their children rather than use their own. Children would not normally use email. However, all online applications require an email account to sign in. Parents should keep the password secret and operate the account.

Set Parental controls: Most antivirus software’s and browsers have parental controls. Parents need to research how to set age restrictions on browsers and the operating systems. It is important to note that you would need to set controls on every browser you use and the operating system. Parental controls allow restriction on screen time, buying online, surfing age appropriate sites, blocking or explicitly allowing certain applications to run on the computer, and usage reporting

Parental Involvement

The role of parents is largely to curate and keep safe the experience the child has on the Internet. It is similar to the physical world where a parent ensures that their child is not harmed or bullied on the playground. Parents provide advice on Internet safety and etiquettes and help children understand their online experiences and interactions. Children of this age seek clarifications from their parents as they learn or are excited to talk about their online discoveries. These conversations must be encouraged for the valuable insights they provide on a child’s online behavior and experience. More so because parents are often unfamiliar with the games played or applications used by their children.

Protecting Children from Strangers: To protect children from meeting strangers online, it is important to know where children can meet with and chat with strangers. Normally, the opportunity would arise on social media or multiplayer gaming. It is therefore important for a parent to evaluate the stranger meeting potential for every online interaction your child has. All children should use an anonymous profile which should not give away their age, sex, real name, and location. You child should be made aware that they should never share real life information online. Children love play acting and if you successfully convinced them to play the role of “ShootDragon60” they will easily make up a play character of their own.

Protecting you Child from Age Inappropriate Content: The parental settings on the search engine or antivirus suite or Microsoft family account will help restrict adult sites. This is a must. It will prevent your child from visiting inappropriate sites. However, despite content filtering there may be content that may be borderline and allowed. For example, if your child loved to read the Percy Jackson series based on Greek Mythology, and later proceeds to research the topic online, it is likely that the Greek God images would be depicted as nude or seminude sculptures.

At this age, we teach our children how to cover up to protect them from child abuse and the sight of these images pique their curiosity as they are contrary to their parents instructions. Another example are advertisements targeting children for lingerie and make-up products shown on channels which children watch. Parents need to explain or reason out these topics with a child, otherwise they may form their own narrative.

Following these risk mitigation tips would ensure that the Internet risks to your 7-9-year-olds would reduce and their Internet experiences are safe ones

There is a 100% chance that you will click on a Phishing Email!

noreply@blogger.com (Lucius on Security) — Sat, 12 Dec 2020 09:03:00 +0000

Astounding isn’t it! I am sure that you will question the audacity of the statistic. I can tell you with confidence that even a security expert is not immune to falling prey to phishing emails. That is why even the most mature security companies are hacked.

Any human will click on an email whose content appeals to a human emotion that is strongly felt.

There is a phishing bullet with everyone’s name on it. To illustrate the point, let us study two examples.

The first is related to the COVID pandemic. You receive a phone call from an unknown caller. The caller requests for your personal details and telephone number to register you for the immunization program. There is a fee to paid, for which a link would be sent via SMS. Now ask yourself, would you give your personal details to the caller. Most probably not, and certainly not before you asked several clarifying questions to verify the program and the identity of the caller or institution.

But, would you do the same if the information was requested via email. Most people who are eager to receive the vaccine would fill up the information and await further instruction. This would be step two, if the scamster intended to scam you for money. In some cases, the scamster would be satisfied with just your personal details.

The second example is called business email compromise. Cybercriminals earned 26 billion US$ from this type of fraud over the last four years. There are many different variations, but the first step is to identify a willing employee who would respond to an email with a specifically crafted instruction from a senior. If you are working in a company, and your CEO or CFO sent you an email, how would you react. I guess instantly. The catch here is that while the email alias was correct, the address was off another user on a public email account like Hotmail or Google. Therefore, if your CEO was Lucius Lobo, then the address would look like Lucius Lobo <jynx234@hotmail.com>. The pressure to respond quickly to the CEO or any senior executive may simply short circuit the basic validation an employee would normally make. Which in this case was to understand that the actual email id is not the company id or as the example indicates, is in no way connected to even the alias.

If human emotion compels us to drop the extra validation that we would normally do, then trying to restore this habit when it comes to responding to emails would keep us safe.

If you wish to reply to unsolicited emails then try and question the veracity of the contents of the email, as you would have done if the same request was made telephonically. Bear in mind that any unsolicited email is high risk.

Here are four quick tips, for common scams:

1. If the unsolicited email is promising a free lottery, job or anything return, it’s probably fake. There is nothing free in life

2. If the unsolicited email is promising something extraordinary like a high rate of return or payoff, then avoid it. It is fake or a scam.

3. If the unsolicited email is asking for personal information, its likely that is a scam. May not be one that causes you to lose money, but more often than not fills your inbox with junk emails.

4. If the alias of the email is of someone you know, but the email id is different, it’s a scam email specifically designed to avoid spam filters.

Keep these tips in mind as you read your next unsolicited email. In my next blog we will examine how to avoid being scammed from a genuine but hacked email id.

STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD

noreply@blogger.com (Lucius on Security) — Wed, 26 Jul 2017 11:51:00 +0000

The potential for fake news to turn viral using social media is quite real. There have been several instances where rumors have incited mob violence between rival communities. The consequence got out of hand when illiterate tribals in a remote Indian district received a Whatsapp message which claimed that children could be kidnapped by a gang and their body parts sold. The message went viral in these villages and mobs of upto 500 people pounced on strangers who they suspected to the child kidnappers, in all there were two incidents where 7 people were lynched.

It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely-crafted fake/distorted news introduced over periods of time by vested interests can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods

· Individuals concoct their own stories

· Marketers release competitive advertisements based on unproven data

· Groups with vested interests manipulate the volume and narrative of news.

· Photographs are morphed

· Old photographs are used to depict recent events

· Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other type of content that results in incitement or defamation attract stronger penalties and jail terms. Police are more aware and vigilant.

Most cybercitizens unwitting help fake news go viral by recirculating it. It creates a sense of belief that it must be true because the other person must have validated the news before sending it.

Pause before forwarding, Evaluate veracity and then Forward. Do not be that link in the chain responsible for the circulation of Fake News

Cybercitizens, do take care when crafting messages on social media – a little mischief may provide you a few years in government paid accommodation – Jail. Advise your children to be responsible and do cross check news received over social media before recirculating or believing in it.

ETCISO a mobile app for Security News in India from the Economic Times

noreply@blogger.com (Lucius on Security) — Wed, 26 Jul 2017 11:46:00 +0000

Keeping updated with security news just got simpler with the new ETCISO app. There is a mix of Indian and Global news on security.

What is Data Privacy and why is it an important issue?

noreply@blogger.com (Lucius on Security) — Mon, 24 Jul 2017 00:00:00 +0000

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency	Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation	Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization	Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy	Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation	Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality	Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability	Organizations are accountable for the data in their possession
Cross Border Personal information Requirements.	Personal information must be processed and stored in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.

Looking for love on Matrimonial Sites! Watch out for the Fraudsters

noreply@blogger.com (Lucius on Security) — Fri, 21 Jul 2017 02:40:00 +0000

On Oct 2014, I wrote a blog titled “Conmen use fake matrimonial profiles to scam prospective grooms seeking arranged marriages” warning cyber citizens on matrimonial scams. Unfortunately, since then it appears that these scams have become common and lucrative.

These scams earned between 4 lakhs to 1.2 crore rupees (6000 – 200000 USD). Victims were women in their 30’s who had posted their profiles on matrimonial portals. They were emotionally blinded and trusted the online relationship.

The scams used in reported cases in The Times of India, July 20, 2017, were custom harassment, gift clearance or urgent need of money due to a financial or medical emergency.

31 year old nurse	Conned to accept a parcel that apparently was to contain 15000 GBP ( approx. 12 lakhs)	Paid Rs 4.2 Lakhs ( 6000 USD) to a fake courier company
40 year woman	Conned to bail her suitor out of a sticky payment at the customs	Paid 74 lakhs (11000 USD) into several accounts
Young Woman	Conned to bail out her UK based suitor as custom officials had caught him carrying a lot of pounds	Paid Rs 4.8 Lakhs (7000 USD)
35 year old woman	Conned into supporting an allegedly US based suitor out of his financial difficulties	Paid Rs 1.2 Crore (184000 USD)
40 year old woman	Conned into bailing out her UK suitor due to a sticky payment at customs	Paid Rs 4.65 Lakhs (7000 USD)

There will be a large number of unreported scams as they involve threats of defamation using explicit photos or video’s shared during the relationship.

I would again remind cybercitizens, that conmen actively target you, use social engineering techniques to gain your trust, and know how to hide themselves on the Internet. These conmen are often difficult to trace or it is simply too expensive to do so.

My recommendation is to use common sense when in an untrusted and unverified relationship. Any request for money should sound a loud buzzer in your brain. Do not also share content of sexual nature which could later be used against you.

LuciusonSecurity ranked among the Top 100 Information Security Blogs for Data Security Professionals

noreply@blogger.com (Lucius on Security) — Thu, 20 Jul 2017 11:31:00 +0000

LuciusonSecurity is privileged to be chosen as one of the Top 100 Information Security Blogs for Data Security Professionals in 2017 by feedspot.com.

Disgruntled Driver asks Share Ride Cab Company OLA to Pay Ransom for Kidnapped Passenger

noreply@blogger.com (Lucius on Security) — Thu, 20 Jul 2017 02:00:00 +0000

A doctor called a shared ride cab to drive him to the private hospital where he worked. The shared ride arrived on time, but instead of taking the doctor to his destination, the driver threatened the doctor and kidnapped him. The OLA cab driver, in turn posted a ransom request of Rs 5 Crore (750,000 USD) to the shared ride company, even calling up the hospital were the doctor worked to pressurize the company into paying. The Delhi police, were successful after a 13 day chase to free the doctor unharmed and nab the kidnapper.

The motive for the kidnapping was to teach the shared ride company a lesson as they were miffed due to alleged nonpayment of incentives.

The incident simply highlights the damage disgruntled employees can cause, many a times due to uncontrolled emotions. While the kidnapping seems to be one of a kind, incidents caused by employees in the workplace is quite common. In the early days, it used to be sabotage of plan and machinery, but in a digital world it is the theft of IP, data or even online defamation of the company and its personnel.

Four Easy Ways that make Cybercrooks Billions ! With money you hand them!!!!

noreply@blogger.com (Lucius on Security) — Wed, 19 Jul 2017 12:06:00 +0000

Twelve Commandments that will never fail to Keep You Cyber Safe Online

noreply@blogger.com (Lucius on Security) — Mon, 17 Jul 2017 13:32:00 +0000

As the digital world explodes with a variety of new online services, cyber threats have become more ingenuous, dangerous, and spawned multiple variants and types. As each new threat makes the headline, the accompanying set of threat specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that do not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1) Thou shalt not use a device with pirated software

Pirated software is not patched as it is unlicensed. Unpatched software have security vulnerabilities which can be easily exploited to steal data and credentials

2) Thou shalt not use a device which is not set for automatic updates of Operating System patches

Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them

3) Thou shalt not use a device without updated antimalware (antivirus) software installed

Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective to catch the latest malware variants, it has to be automatically updated with the latest updates.

4) Thou shall not download pirated movies, games and other such material

Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications

5) Thou shall not use a site without trying to verify its authenticity

Authenticity of a site can be verified by the Lock Icon and accompanying digital certificate. While not fool proof, it reduces the possibility of spoofed lookalike sites designed to steal your credentials

6) Thou shall not ignore inappropriate content on social networks, always report or dislike it

Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7) Thou shalt not indulge or encourage cyber bullying online

A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied

8) Thou shalt not use passwords that can be easily guessed and promise to keep the password a secret

Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords

9) Thou shalt not fall be tempted by fraudulent emails promising financial windfalls or miracle cures or cheap medicines

Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shall not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet

Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available, requires that you can be reached for instant advice on problems they encounter

11) Thou shalt never trust a stranger blindly online

Always be suspicious when dealing with online strangers. At any point during the relationship never let down your guard. The identity of an online person cannot be easily verified. It can however be easily manipulated. Online friends sometimes have the vilest of intention which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked

A stolen phone with an easy to guess password or if unlocked, is a sure invitation into all your signed in accounts and personal data. A large number of phones are left unattended or lost each year.

Are my password freely available on the Internet? Four actions that can minimize damage

noreply@blogger.com (Lucius on Security) — Fri, 10 Feb 2017 06:38:00 +0000

Frequently we hear of large data breaches from email, social networking, news and other types of websites which we are members off. Many of us may have been challenged by the site owner to change our password when the site suffered a breach and would even have received a breach notification email.

It would however be useful to have a service which could tell us if our passwords were available in plain text online, anytime we wished. The good news is that a security blogger Troy Hunt has set-up a site http://haveibeenpwned.com/ Here you could enter your email id (a common login credential) and find out if the corresponding password was exposed on breached sites. The bad news is that it covers only data breaches where the hacker has dumped the compromised list of passwords on paste sites such as PasteBin. This represent a small fraction of the passwords exposed and in all probability allowed a window of time for the hacker to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor and colleague) who knows your email id to check for the password, and selectively target you.

My advice to all Cybercitizens in general but more specifically after you discover that your password has been exposed is to”

1. Never reuse that exposed password and to never reuse password on multiple sites. A single exposure can have a cascading effect in the compromise of your online assets. If you have used the same password on multiple sites then quickly change the password on all of them.

2. To use two factor authentication which a large majority of sites offer to limit the use of disclosed passwords

3. To change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account and if you have changed your password by then, you would get lucky

4. To quickly change passwords once you are aware that there has been a breach

Catching IRS fraudsters proves the scale and profitability of impersonation cons

noreply@blogger.com (Lucius on Security) — Thu, 13 Oct 2016 09:33:00 +0000

Fraudsters who posed as IRS officials threatened hardworking Americans with imprisonments for the crime of tax default. Their modus operandi was simple; question victims about defaulting on their tax payments, threaten legal action, arrest, deportation or suspension of business rights, and finally offer an easy way out – a chance to close the case without prosecution for a onetime deposit in a bank account or alternatively getting the bank account details of the victim which were then wiped clean.

Incredible as it may seem, the con was so successful that the kingpin lived a life of 5 star luxury, with fancy cars and hotel stays. In a short span of two years he amassed significant wealth and employed over a 700 people in several call centers across India and the US. Most of these call centers were owned by trusted associates and employed high school graduates or drop outs who they lured with high pay and luxurious lifestyles.

Income earned in dollars was converted into India rupees using illegal money laundering channels called Hawala. All employees were paid in cash. Call center executives were offered incentives based on the income they generated from these frauds, and the ones that performed were even offered a chance to work directly with the kingpin, in his home city of Ahmedabad, Gujarat while being put up in 3 and 4 star hotels.

Fortunately, India takes these crimes seriously, and once reported, Mumbai police detectives over a period of 15 days, went incognito and surveyed these call centers before busting them and arresting over 50 people. All convicted will be tried under the Indian IT act and penal code.

There are however, several countries that do not take action on these crimes as the victims are not citizens of their countries.

Cybercitizen’s are advised to be wary about calls which ask for personal information and money in some form or the other.

Will you pay 300$ and allow scamsters remote control to your computer ! child play for this BPO

noreply@blogger.com (Lucius on Security) — Wed, 10 Feb 2016 13:56:00 +0000

Microsoft customers in Arizona were scammed by a BPO setup by fraudsters who’s executives represented themselves as Microsoft employees and managed to convince them that for a 300$ charge they would enhance the performance of their desktop computers.

Once signed up, the BPO technician logged onto using a remote access software that provided full remote control over the desktop and proceeded to delete the trash and cache file, sometimes scanning for personal information. The unsuspecting customer ended up with a marginal improvement in performance. After one year of operation, the Indian police nabbed the three men behind the operation and eleven of their employees.

There were several aspects to this case “Pune BPO which cheated Microsoft Clients in the US busted” that I found interesting:

1) The ease with which customers were convinced to part with money and to allow an unknown third party to take remote control over their computer. With remote control one can also install malicious files to act as remote backdoor or spyware making the machine vulnerable.

2) The criminals had in their possession a list of 1 million Microsoft customers with updated contact information

3) The good fortune that the Indian government is unsympathetic to cybercrime both within and outside their shores which resulted in the arrests. In certain other countries crimes like these continue unhindered.

Cybercitizens should ensure that they do not surrender remote access to their computers or install software unless they come from trusted sources.

Three Must Do’s to make a Security Awareness Champion

noreply@blogger.com (Lucius on Security) — Sat, 06 Feb 2016 07:43:00 +0000

Setting an example is the best way to institutionalize security awareness within a workplace or at home. Colleagues and children naturally follow examples set by champions as it makes it easy to mimic rather than spend time to self-learn. I found three important aspect to championing security awareness.

Be a role model

Cybercitizens champions take an active interest in being secure by keeping themselves updated and implementing security guidelines for the gadgets and services they use at home, for work and on the Internet. Knowledge on the do and don’ts of security for workplace system is normally obtained through corporate security awareness programs but for personal gadgets and services one needs to invest time to read the security guidelines provided by the service/product provider or on gadget blogs. Security guidelines provide information on the best practice to be used for secure configuration of gadgets, use of passwords, malware prevention and methods to erase data. Besides security issues like password theft or loss of privacy, there is the possibility of becoming a victim of fraud when using ecommerce. Most ecommerce sites have a fraud awareness section to educate customers on the common types of frauds and on techniques to safeguard against them. Role models take pride in what they do and this passion becomes a source of motivation to others around them. A security champion delights on possessing detailed insights on how to use the best security features in gadgets (say mobile phones) or on recent security incidents.

Be a security buddy at your home

Telling people what to do to keep themselves secure online is difficult, primarily because security controls lower the user experience; as an example most people may prefer not to have a password or keep a simple one for ease of use. People tend to accept risk because they do not fully realize the consequences of a damaged reputation or the financial impact from the fraudulent use of credit cards until they or someone close, experiences its effects firsthand. Security champions act as security buddies at home. They take time to understand how their family members both young and old, use the Internet and to themselves learn about the safety, privacy and security issues related to those sites. Buddies perform the role of coaches, engaging in regular discussions on the use of these sites from a perspective of avoiding security pitfalls and the avoidance of risky behavior that may lead to unwanted attention from elements looking to groom children for sex or terrorism. Highlighting incidents of similar nature helps raise awareness of the reality of the risk.

Display commitment to security at your workplace

Small acts go a long way in promoting useful security behavior. A small security cartoon displayed on a work bench can immensely add to the corporate security awareness effort. Champions bring attention to the importance of security in business by bringing up security in routine business discussions; for example circulating insights into recent published security incident within a discussion group (leadership, business) and popping the security question “what if a customer security or privacy is affected” during project discussions.

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

noreply@blogger.com (Lucius on Security) — Thu, 28 Jan 2016 06:24:00 +0000

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. The Indian intelligence and police agencies over the last few weeks successfully nabbed ISIS operatives foiling major terror plots in the run up to the 26th.

With tensions running high, and the anti-terror squads under full alert, a mentally disturbed man swatted airport and railway helpdesks claiming that bombs would go off on Mumbai-bound flights, and cars stuffed with explosives would blow up at the airports and the Pune Railway Station. Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man who was later apprehended had made four calls made over two days to airports and railway stations claiming that there was a car packed in the airport vicinity loaded with explosives or that a person onboard a flight was carrying a bomb in his hand luggage. This ensured that over 200 policemen were diverted from deterring real terrorists to comb these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur for pranks, online harassment or even for revenge. Recently Skype introduced a patch which protected the privacy of a callers IP address, a flaw which could be exploited to launch swat teams on rival gamers using IP geolocation.

Such acts are akin to terrorism and punishable as a crime because of its potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to persons targeted. Cybercitizens are advised not to make prank calls for whatever reasons as the joke may turn into a long ugly jail term

Cybercitizens, stay away from commenting or liking posts with terror ideologies

noreply@blogger.com (Lucius on Security) — Fri, 22 Jan 2016 06:10:00 +0000

Of current global concern is the ease at which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave all and fight wars in hostile lands. Their success stems from their ability to spin doctor content and communicate in a way that is alluring to young people. The outcome is brainwashed young people who willing give up their lives, blowing themselves up in crowded areas killing innocent people.

As the death toll mounts so does the pressure on social media companies or online platforms which have given a voice to these terror organization. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only to remove it. Which they made harder to do, as they decided to only remove content that violate something obvious like pornography but others which were more specific like defamation, sullying reputation, hate speech was subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online and many countries with a different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their sufferings, it scant mattered to the social media companies but now when lives are being lost, and it is a matter of huge public interest; they are under tremendous pressure to get their act right and reduce the ability of these groups from using this platform while still maintaining the privacy of individual users.

I was surprised to see a Davos new headline which stated that Facebook's Sheryl Sandberg: 'likes' can help stop Isis recruiters, was recommending cybercitizens to spread positive messages (counter propaganda) on terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change. Should not counter propaganda of any sort be organized!

Liking or commenting on such sites brings you in the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.

Instead social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of small social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task as the initial indoctrination, I would expect is in plain speech.

Should one fret over the leaked Ashley Madison data?

noreply@blogger.com (Lucius on Security) — Thu, 20 Aug 2015 13:03:00 +0000

Several news sites have reported that 15 GB of identity data stolen last month from AshleyMadison.com online has been made available on the darknet. Three sites have since sprung up with allows interested parties to query the site to ascertain the identity of Ashley Madison users. AshleyMadison.com allowed married people to have short extramarital affairs. While the morality of the services provided may be questionable, and is perhaps best left to judgment of individuals, there is a serious risk of reputation damage if the data is fake.

There are several reasons why it may be. Firstly this is not the first leak to appear online; there have been several in the span of the last month. Then, there is the question of the validity of the email address and other details which were never verified. There is always a probability that a prominent person or an associate’s identity was used to create a profile. From one analysis, it seems that 90% of the users were male and most of the female profiles were fake. If this is true than users subscribed but may not have been able to use the site. Many users may have subscribed due to curiosity or for fun. Some articles seem to suggest that once subscribed removing a personal profile from the site was not easy. Finally, there is a strong suspicion that some of this data may have been amalgamated from other breaches.

On the flip side there seems to be several reports of individuals claiming to verify that they were users of the site and confirming their email ids in the released data.

Whatever, may be the truth, I would like cybercitizens to know that though it seems to be a sordid affair not to disrupt your personal lives purely by data that cannot be verified put out on the net.

8 steps to prevent a stolen phone from ruining you digital life

noreply@blogger.com (Lucius on Security) — Tue, 18 Aug 2015 11:40:00 +0000

Smart phones are lost because they were accidental forgotten at public places or stolen. A phone today, is a cybercitizens gateway to their digital life. It allows use of apps for services such as for banking, social networking and taxi booking, storage for personal pictures and videos, email, instant messaging and telephony.

Most phones have an Internet finder program which helps to locate phones connected to the Internet. The service works well, if the phone is forgotten at places which are likely to have a lost and found counter like airports and restaurants where the staff is unlikely to pocket it. More often, the key risk is the loss of battery life effectively shutting down the phone. Even when a phone is lost and picked up by a person wanting to return it, a study has shown that most of the people browse private data like contact and pictures, understandably to locate the owner.

Most thieves quickly switch off the phone and remove the SIM card to effectively disable the Internet finder applications. When a phone is stolen or lost there are three risks that the owner face.

Financial Loss

Typically, you lose the value of the phone and the additional cost of calls made from the phone which obviously, one has to pay for. While there may be insurance that can be bought to recover part of the cost of the phone; to prevent fraudulent calls the cellular provider needs to be quickly alerted to deactivate the number. Ensuring that the phone is protected by a strong screen saver password will mitigate the risk of expensive calls.

Reputation Loss

Many personal applications like Facebook, twitter, email or such social media accounts are logged on and can be accessed without a password allowing personal information to be read or malicious comments to be written. Such comments may affect personal reputation or be defamatory which may results in soured relationships or legal action. Hereto a strong screen saver password can help. If the thief is unable to crack the password, the simplest action would be to format the phone, reload the operating system and sell it in the black market

Privacy Loss

Privacy can be lost in two ways. By viewing data stored directly on the phone memory or on memory cards such as personal pictures, by reading private posts, email and by looking up the browsing history. Private data such as sexting pictures of other individuals received and stored on the phone may compromise their privacy.

Four steps that cybercitizens should take to reduce the risks to themselves and the incentive a thief gets from a stolen phone:-

1. Set a strong password and short lock screen timeout. If your phone provides the option to erase data after several unsuccessful tries to enter a passcode, typically 10, activate it. New phones disallow the formatting of the operating system without a password thereby rendering the phone worthless and reducing the incentive to steal it. A strong password or passcode has at least 8 characters that include some combination of letters, numbers, and special characters

2. Try to avoid using external memory cards unless they are encrypted

3. Update the phone regularly, to ensure that vulnerabilities which can be exploited to unlock password protected phones is patched

4. Backup contacts and other data

Four steps that cybercitizens should take when the phone has been stolen or lost and returned.

1. Use the Internet finder app to locate the phone and erase data

2. Reset all passwords for apps and accounts even if the phone has been returned

3. If returned, reformat and reload the operating system to avoid any malware being surreptitiously loaded. Malware can be used to spy, steal credentials and cause an even bigger financial loss

4. Block you SIM card by calling up your cellular provider

LuciusonSecurity among the Top 50 Infosec Blogs 2015

noreply@blogger.com (Lucius on Security) — Sat, 15 Aug 2015 04:32:00 +0000

Digital Guardian a Gartner Quadrant leader in the Data Protection product market has named this blog as one of the Top 50 Infosec Blogs you should be reading.

Thanks you Digital Guardian

I lost money because my petrol pump was hacked by attendants!

noreply@blogger.com (Lucius on Security) — Fri, 14 Aug 2015 16:25:00 +0000

The neighborhood petrol pump which I occasional use, was in the news for allegedly tampering with the meter readings. Some of the staffers had hacked the circuitry to modify the pulser readings which converted the flow volume to the digital readout. As a consequence, 5% of the bill value was inflated. Hacking is typically associated with software and remote Internet connections, but all sort of meter readings can be tampered with to skim small sums of money or develop glitches that result in inflated bills.

The only way to tackle such misuse is by surprise calibration checks and stringent penalties. In the case of the above petrol pump, the ingenious system also had a switch to toggle back to normal values during a calibration inspection.

The police believes that this particular fraud may be widespread, which simply demonstrates the ease with which the perpetrator of the modified pulser is able to sell his invention without being caught.

Hacking SMART services in Cars, Homes, and Medical Devices – a cinch!

noreply@blogger.com (Lucius on Security) — Thu, 13 Aug 2015 16:35:00 +0000

Businesses are reinventing themselves by transforming traditional services and service delivery into digital services. Digital services utilize smart products to provide enhanced service quality, additional features and to collect data that can be used to improve performance. Smart products can be remotely controlled using Wi-Fi or cellular connections, software, sensors that makes smart dumb devices, cloud infrastructure and mobiles.

Examples of digital products and services are network connected cars, home appliances, surveillance systems, wearables, medical devices, rifles and so on. Very recently ethical hackers exploited a software glitch that allowed them to take control of a Jeep Cherokee while on the road and drive it into a ditch. All this with the hapless driver at the wheel!

While the car hack made headlines and led to the recall of 1.4 m vehicles, it also signaled the beginning of an era where cyber-attacks or software glitches cause physically harm to cyber citizens, blurring the lines between safety and security. Cyber-attacks in the near future will do a lot more damage than destroy reputations, steal money or spy on intimate moments people would prefer to keep private, it may maim or kill in a targeted or random fashion and that too in the privacy of one’s own home.

The severity of some of the demonstrated exploits by ethical hackers were downplayed because the attacker required physical access to the vehicle to execute the attack. I for one, do not know what happens to my vehicle while it is serviced or valet parked, both ideal opportunities to fiddle with the electronic systems and even modify the firmware.

All smart devices will be connected and updatable over wireless networks. Wireless updates are ideal opportunities for hackers to obtain access or control over these devices. However, digital products or services must have built in defenses not only for over the air hacks but equally on risks from technicians, mechanics or others that have physical access to the smart infrastructure.

Startups with limited budgets may struggle to provide adequate security to their new incubations, allowing ample opportunity for maliciously minded individuals and cyber criminals to find ways to compromise the service. Investment in smart product security will be driven by liabilities around safety regulations, compliance and strict penal provisions.