Lucius on Security

Thirteen Best Practice to StaySafe Online

noreply@blogger.com (Lucius Lobo) — Sat, 10 Mar 2012 04:43:00 +0000

The art of a safer online experience is to acquire situational awareness of cyber risks and use common sense to mitigate them. The thirteen best practices to reduce your risk exposure are:

1. Be aware of cyber risks by regular reading of news reports on real life cyber incidents

2. Build situational awareness on how to recognize cyber threats

3. Use commonsense while social networking

4. Write responsibly with proper etiquette. What you post online remains online and you remain responsible

5. Have open discussions with your children on Internet safety

6. Avoid use of copyrighted or pirated goods

7. Do not get tempted by discounted offers and money making schemes

8. Call up the institution or check for scams before replying to mails from law enforcement, financial institutions and governments requesting personal information

9. Do not engage in conversation or reply to mails from scammers

10. Be careful of unsolicited mail and clicking on links within

11. Use security software on all you devices (computer, tablet, phone) and update it regularly

12. Use strong passwords with alternate authentication and verification options provided by sites

13. Report cyber crime

Best Practices for Employees who Blog

noreply@blogger.com (Lucius Lobo) — Thu, 08 Mar 2012 03:20:00 +0000

When an employee posts online, responds to comments or writes blogs, the fine line between business and personal information has to be kept in mind. Online posting should ensure that the post does not tarnish the name of the company, its policies, result in loss of intellectual property, reputation, competitive business information or make it liable for legal action. Employees have a written or unwritten responsibility to follow corporate protocol on what can or cannot be written online either in personal or business capacity. A few of the best practices which employees who blog could follow are:

Add disclaimers on personal blogs to state that this represent your personal opinion and not that of your company
Do not blog about events in your company or use the company’s logo or name
Do not blog about a competitor or use their logos or name
Respect copyright laws
Ensure your blogs do not divulge information of value to your company. This may include intellectual property, research or methods
Do not blog on topics that contravenes the reputation or is against the ethical policy of the company you work for
Do not make defamatory statements on the business, employees, customers, competitors or take work issues online
Carefully review what information is being published on your blog and remember that your reputation affects the company
Do not protest against your companies policies online.

Passwords that should never be used

noreply@blogger.com (Lucius Lobo) — Tue, 28 Feb 2012 02:10:00 +0000

Online passwords are your best friend. Listed are sample passwords you should never use; which includes the name of your best friend too. If your current password is among this list, please change it immediately

· Password, 123456, 12345678, 1234567, abc123, 'iloveyou', qwerty, abcd1234, security, admin123, Welcome1, letmein, trustno1, 111111, master, sunshine, passw0rd, shadow, 123123, 654321, superman, qazwsx, football, monkey

· Family or friend name particularly if is among the top 50 most popular names in your country which may or may not be appended by 12,123, 1234, 89

· Your favorite or one of the most popular football or sports team which may or may not be appended by 12, 123,1234, 89

· Names of fruits, sports and colors which may or may not be appended by 12,123, 1234, 89

· Password based on the site name e.g. Facebook123 which may or may not be appended by 12, 123,1234, 89

Six ways to be a model cyber citizen

noreply@blogger.com (Lucius Lobo) — Sat, 25 Feb 2012 03:19:00 +0000

Be cyber security aware, use security best practices and report cyber crime

Use an antivirus product as it helps not only to protect you but prevents your computer from hosting malware that affect others

Be a good cyber parent, educate your child on the dangers, ethics and safety measures to be used online

Stay away from using pirated products

Encourage your government to invest in raising the national standard of cyber security in curriculum, law and customer protection

Be responsible for your online habits, tweets, as what you do online affects your reputation, family, colleagues, religion, nation and company

What, Why and How of Employee Monitoring

noreply@blogger.com (Lucius Lobo) — Fri, 17 Feb 2012 10:04:00 +0000

It is common knowledge that companies monitor what employees do in the workplace and on office equipment. I put together a comprehensive view of what was monitored, why it was monitored and how it was monitored. It should be borne in mind that most companies only monitor a small subset of the list below.

National and Corporate Security Concerns due to Nortel’s Hack

noreply@blogger.com (Lucius Lobo) — Wed, 15 Feb 2012 02:37:00 +0000

Could corporate espionage be the reason why a billion dollar firm lost its competitive edge and became bankrupt? Was the lack of perception that this was a significant threat by top executives a reason for not considering a report about the spying to be a material risk, thereby resulting in limited action and disclosure?

These are the two tough questions each chief executive needs to ask of himself after the recent disclosure that hackers spied on Nortel Networks for nearly a decade, according to report Tuesday in the Wall Street Journal, and had access to Nortel's business plans, reports, emails and other documents by stealing passwords from top company executives and installing spyware they controlled remotely.

For the telecommunication industry it raises fears that hackers may have access to information that can enable them identify exploitable product vulnerabilities, leading to security weaknesses within enterprises as well as affecting national security when used by telecommunication providers.

Die hard Scenario: Rise in Exploitation of Internet Connected Devices Imminent

noreply@blogger.com (Lucius Lobo) — Sun, 12 Feb 2012 03:59:00 +0000

There have been two widely publicized news reports on the exploitation of Internet connected devices. These devices were office video conferencing equipment and home video camera’s which allowed skilled individuals to turn on and monitor video and audio feeds from the Internet. There are three primary reasons for allowing such surveillance; the first was an Internet connection without use of a firewall, the second misconfiguration or use of default passwords and thirdly product vulnerabilities.

As more and more devices get connected onto the Internet, these sorts of problems will become more acute. All new devices whether they are cars or power systems are vulnerable. Going forward we must ensure that we configure these devices properly, use strong passwords and ensure these products are patched regularly.

Some of these devices are not commonly used and hence normal methods of discovery and reporting of vulnerabilities do not work very well. There is a need to ensure that such products are securely tested by the product suppliers and carry a specific security certification stamp which enable users make a purchase decision. Solutions to this specific set of problems will require users to secure and securely operate increasingly interconnected home networks, which is not an easy task going by the many instances of badly secured wifi networks.

Two articles on real life incidents which highlight the severity and urgency of the risk are:

Trendnet security cam flaw exposes video feeds on net

Cameras May Open Up the Board Room to Hackers

Google's privacy policy strikes a freedom chord among Netizens

noreply@blogger.com (Lucius Lobo) — Thu, 09 Feb 2012 09:18:00 +0000

There is much cry over the new Privacy Policy that Google has announced in the United States. Two issues at the center of the privacy storm, are the ability to “opt out” which essentially involves deleting all traces of individual data collected on you or on your net use by Google and the use of linked data (your account/device to your net use) across Google’s product estate such as combining search data for targeted advertising.

In the physical world when you purchase a book, the book seller cannot correlate the books you purchased to determine your interests, of course this changes when you use a loyalty card. In the virtual world, this correlation is almost certain to happen as everything you do is mapped onto a database of sorts. When information across multiple products and their use is combined, Google’s ability to build a more informative personal profile raises manifold. It is the use of this ability which has most netizens up in arms. Collection of information may help user experience, such as quicker and more appropriate search results, but the use of this information for targeted advertising has raised hackles as it reduces the anonymity of an individual.

As business and government interest in the net grows we now witness initiatives and regulations that seek to maximize their interests in virtual markets. SOPA, Google’s Privacy Policy, Court rulings, cyber laws and cyber wars are indications of coming change. Cybercriminal also find the Internet to be a low risk turf with abundant opportunities for scamming and fraud. The recent World Economic Forum Global Risk Report 2012 posed a thought provoking question “Is online anonymity and integral aspect of freedom in a hyperconnected world “

In the ongoing battle against privacy, netizens are trying to emphasize that the fundamentals of the physical world such as privacy in social transactions and the ability to opt out should be followed as guiding rules of the Internet. They also believe that the underlying reason for the rapid growth of the net was its freedom, and that dominant forces that used this very freedom to grow should not impose a check on new entrants.

if you would like to know what data on you is collected online, then please read my previous post "Personal Data Websites Collects Online".

It is my opinion, that making the privacy policy simple to read and understand by Google was a good example for other online properties to follow.

Be Australia’s First Stay Smart Online Agent

noreply@blogger.com (Lucius Lobo) — Tue, 07 Feb 2012 08:12:00 +0000

In Australia ,80% of the population uses the Internet for social networking, shopping, online banking, blogging and ecommerce. As the Internet becomes a channel for financial transactions, and an easy means to perpetuate email frauds and scams, cybercrime will start to grow at a rapid rate. Most of us and our children use the Internet without a complete understanding of its risks and the knowledge to protect us. There are over 15 Categories that constitute Cybercrime which we should be aware off, and the upcoming National Cyber Security Awareness week (June 2012) is one such government initiative to bring together industry, community and consumers to raise cyber security awareness among its residents.

One of the unique proposals, this year is to find ambassadors who will help people relate to, and visualize cyber security issues as opposed to reading a boring list of security do’s or don’ts. These brand ambassadors named ‘Stay Smart Online Agents’, will be flown around Australia to attend industry events throughout Awareness Week.

I liked the trailer of the competition video with its James Bond theme. Of course in reality there is no mystic to cyber security, commonsense is the best weapon. We only need to learn to stay safe on digital highways.

To participate go to Stay Smart Online. Entry is open to all Australian residents who are 18 years or over as at 16 December 2011 and closes on 14^th Feb 2012.

Tips: Video Recording Employees in the Workplace

noreply@blogger.com (Lucius Lobo) — Mon, 06 Feb 2012 03:00:00 +0000

Employees are videotaped in the workplace by the company using CCTV cameras, or by fellow employees using their cellphones.

Companies undertake video surveillance of their workplace for various reasons which include reduction of workplace thefts by employees, recording evidence of sexual harassment, sabotage and workplace violence, to detect break-ins, for crisis control (fire evacuations), for access monitoring (at the perimeter and datacenters) and in a few cases to track employees’ on-the-job performance. In some cases both video and audio may be recorded.

The other way of being videotaped in the workplace is by other employees on their cell phones. Video surveillance by companies is only used for internal purposes but cell phone recordings may be circulated, and posted on social networking sites with embarrassing consequences.

Though laws may vary by country and state, in general it is not unlawful for a company to monitor employees on the companies premise, and companies are not mandated to inform their employees that they are under surveillance. However, over 80% of companies have a written policy and signed employee agreement which clearly communicate to employees that they are or can be monitored.

Unreasonable invasion of privacy like surveillance in changing rooms and bathrooms are unlawful and generally prohibited by law.

Unions may negotiate limitations on video recordings of unionized workers as part of their contracts.

Video cameras that also capture audio recordings may be subject to laws relating to audio recording, including wiretap and eavesdropping laws. It seems to me that such audio recording may not be legal in many countries or states. In the US, the following report provides an overview of its legality state wise Can We Tape? A Practical Guide to Taping Phone Calls and In-Person Conversation in the 50 States and D.C.

When one employee records another and posts the clip on a social media site, it may not be considered unlawful unless it has been filmed when the employee is in a state of undress or in an area like a changing room. Many companies expressly prohibit on premise filming as part of their policy and in these cases on an employee complaint may be able to take disciplinary action.

I would like to end this blog with a disclaimer. In this blog, I have indicated what some companies do currently; it is not an endorsement of the legal position of these practices. Laws vary in different countries and states and it is advisable to take legal opinion in drafting policies and undertaking any form or surveillance.

WEF Risk Report says Collective Response a Catalyst to combat cybercrime

noreply@blogger.com (Lucius Lobo) — Fri, 03 Feb 2012 11:09:00 +0000

The World Economic Forum WEF Global Risk 2012 report aptly pointed out the a key risk was the potential failure of information infrastructure resilience in a connected world. Cyber attacks were identified as a key threat agent, which for the moment the world seemed quite unprepared to face.

One of the thought provoking suggestions made in the report was the recommendation to build a collective response to improve infrastructure resilience by all the stakeholders. The report recommended a community response in terms of coordinated action, policy harmonization, neighborhood watch and mutual aid to help reduce the risk in the global supply chain. Such examples exist between firms, in disaster management and could be extended to the online world. According to the report, the objective was to arrive at a critical mass. It cited for immunizing a population, 100% immunization was not needed, but critical mass should be achieved, sufficient to isolate outbreaks and disrupt the spread of the disease.

The report stressed that the shared benefits of security protection were not understood, as firms have an incentive to invest in security systems to protect their own interest rather that the entire infrastructure. It gave online security as an example to illustrate this point. According to the report “Online security is an example of public good; cost is borne privately and benefits are shared. When a user uses antivirus software they do not take into account the benefit of protecting other users from Advanced Persistent Threats or spam if their computer is malware infected”

All my Cybersecurity Awareness Strips of 2011

noreply@blogger.com (Lucius Lobo) — Wed, 01 Feb 2012 16:55:00 +0000

Security strips are one interesting way of portraying cyber security awareness. Over the last year, I published six such security adventures and misadventures. For those who may have missed it, please do read them. Also please circulate this link to security professionals who have an interest in cybersecurity awareness.

1) Corporate Espionage
2) The Secret
3) The Lottery Scam
4) The Audit
5) Tom's First Job
6) The Access

Cyber Attacks among the top five risks identified in WEF Global Risk Report 2012

noreply@blogger.com (Lucius Lobo) — Wed, 01 Feb 2012 11:05:00 +0000

I was not at all surprised that the World Economic Forum WEF Global Risk 2012 report showed up “Cyber Attacks” among the top five risks rated by likelihood for the first time since its seven years of inception. A similar Global Economic Crime Survey report from PwC titled “Cybercrime: protecting against the growing threat” also saw cybercrime among the top four economic frauds. This was inevitable, as 2011 witnessed several visible cyber attacks on corporate, governments and utilities. Media reports and prominent disclosures by Hacktivists clearly demonstrated the lack of cyber security preparation by major companies.

The exponential rise in connected devices such as mobile phones, home networks, smart grids and smart cities raised the specter of a single vulnerability creating a catastrophic disruption in the global information infrastructure. Cyber attacks is a key threat vector which can be executed remotely and with near anonymity by a variety of state and non-state actors.

It was quite clear that while the risk appeared on the radar, there was not much being done about it, as stakeholders did not seem to view the risk as impactful, and favorably viewed the benefits of a connected world over the risk. One of the main reasons for this view was that terrorism, crime and war in the online world have so far been less deadly that physical counterparts.

One of the key conclusions of the report was the need to obtain a firm understanding of the security problem by improving the quality of risk reporting through empirical research. Current research by security vendors is viewed with skepticism because of the possibility of bias, and non vendor research in infancy because victims prefer to remain silent.

In the long-term reliable indicators of crimes, attacks and losses is key to ensure that the full impact of cyber attacks and crime is known, its economic consequences measured and investments made to reduce their impact.

Exam cheat caught using a spy pen

noreply@blogger.com (Lucius Lobo) — Tue, 31 Jan 2012 10:59:00 +0000

I found, and quite unusually so, that spy pens were heavily advertised on leading dailies and sold onboard flights in India. Spy pens can be used to make copies of documents, but with mobile phones around there is no need for an additional gadget. Today’s news “Gadget guru fails to crack it” demonstrated an innovative use of spy phones for cheating in examinations. The student in question inserted the cap of the spy phone with the camera in his shirt pocket. Each time he bent over the question paper the camera clicked an image and sent it via Bluetooth to a concealed mobile phone in his trouser, which then got relayed to a friend outside who quickly replied back with the answers via a hearing aid. Unfortunately for the student, due to an alert invigilator and a cctv monitoring system, he was caught when his apparatus failed to work and he was trying to fix it.

There are several such spy cameras available in the market inserted into innocuous objects like alarm clocks. These are cheap and used for monitoring people at work, conducting sting operations, in business discussions or filming victims in a state of undress. There are however, very few reported instances of this form of surveillance either because the victim chose to keep silent or was unaware of the incident. Unfortunately because these equipment are disguised it is difficult to detect, but it pays for women to keep their eye open when they visit changing rooms in stores and in common toilets. Airport worker fired for filming women on the toilet

15 Categories that constitute Cybercrime

noreply@blogger.com (Lucius Lobo) — Sat, 28 Jan 2012 12:39:00 +0000

It is acknowledged that there is no comprehensive definition for Cybercrime. Definitions vary, as cybercrime is a new and rapidly evolving theme. Cybercrimes are crimes that a) are targeted against a computer system such as the theft of data or service interruption or b) crimes perpetuated through the use of a computer such as asset misappropriation and cyber harassment or c) where the computer is used as an accessory such as a file sharing site.

To me cybercrime has many dimensions from economical, social, ideological, military to political. Crimes may or may not have an economic impact and may be targeted against an individual, property or government.Cybercrime can be categorized in the following 15 categories:

Piracy and Copyright Infringement

Piracy in online goods such as music, films, ebooks, games and software is a 200m$ business. Piracy occurs when individuals share these products using file sharing sites. Sites which host pirated goods may also be liable.

Pornography, Pedophilia and prohibited sexual content

Pornographic content may be legal or illegal depending on country, but the act of child pornography or pornography which depicts violence in illegal everywhere. Some laws prevent creation, viewing and storage of content (i.e. the creator and user are both equally liable) or a subset.

Corporate Espionage

Corporate espionage is the act of insiders or external hackers infiltrating an organization to steal IPR or confidential business data.

Cyber Warfare

Cyber warfare involves the act of creating cyber weapons for offense and defense by military organizations. Cyber weapons may be designed to cripple the Internet or selectively cause destruction to parts of the critical national infrastructure like power, water, and nuclear plants. When some of these weapons are used without a declaration of war, this act in my opinion constitutes cybercrime. As part of cyber warfare there is a component of military espionage which involves the theft of military plans, documents, from defense organizations and their suppliers.

Terrorism

Cyber warfare carried out by ideological group’s intent on creating damage or disruption to nations or organizations opposed to their cause or belief. Individuals or groups disseminating information with a view to cause national panic or threaten key figures also falls into this category.

Hacktivism

Hacktivism is the act of undertaking denial of service attacks or hacking in protest against governments or organizations seemingly acting against the ideological beliefs of the Hacktivist.

Online Scams, Counterfeits, Drug Trafficking

The Internet abounds with online scams which deal in the sale of counterfeit or spurious goods, drugs, advance fee frauds (lottery scams), of frauds designed to dupe victims into voluntary donations or subscriptions. Most of these frauds perpetuate through email or social networks.

Social Crime

Social crime is the act of causing emotional distress through a deliberate act of harassment, bullying, slandering, black mail, hate, stalking, defamation, impersonation online. Common avenues for propagating such crime involve social media, smses, emails, tweets and blogs. Content is usually offensive or derogatory and targeted against a specific individual.

Identity Theft and Impersonation

Stealing a person’s credentials with the objective of either defrauding the individual for monetary gain or to use the person’s identity to commit or perpetuate fraud.

Spying

All forms of spying which are not sanctioned by law which violates an individual’s privacy. This includes software’s that spy on cellphones, reading emails and so forth. Such acts may be undertaken by individuals, detectives and agencies.

Insider Theft

Using computers or computer systems to commit economic fraud by employees. Computer systems may be used to manipulate internal records such as expenses and payments for individual gains. They may also be used for the willful destruction of records or theft of information for financial gains.

Hacking for profit by external parties

The act of infiltrating or disrupting the services a company offers for monetary gain by individuals or organized crime with intent to blackmail, cyber extortion, cause economic fraud or cause reputational damage. Such acts may be caused on behest of competitors.

Development of Malware, Botnets, and Sending Spam

Malware development or the setting up botnets with the intention of using them for illegal activities. Spam or sending bulk unsolicited mail is unlawful in certain countries.

Sabotage

Launching denials of service attacks or hacking websites with a view to disrupt their functioning for fun, protest or profit.

Obscene or offensive content

Websites designed to be offensive, hurtful, slanderous, derogatory, inflammatory, and seditious with respect to sections of society. This is sensitive area which typical ends up in a court for arbitration.

Personal Data Websites Collects Online

noreply@blogger.com (Lucius Lobo) — Fri, 27 Jan 2012 14:52:00 +0000

Google recently released its new Privacy Policy which explains what information it collects and its use in simple terms. It is important for each cybercitizen to fully understand the extent of personal information that can be collected either because they voluntarily subscribed to a service or from the use of a particular service. This information could be aggregated to provide a 360 degree view of a cybercitizens online activity.

I have summarised relevant parts of Google’s privacy policy which provide a generic view of information either in part or whole, which may be available to websites that we interact with online. This information can be used by the webfirm, its partners, by law enforcement and by courts.

Information can be collected in two ways. Firstly, when we sign up for an online account, we normally provide personal information such as our name, email address, telephone number, photo or credit card number, and secondly when we visit a website and interact with ads and content.

During our online interactions with website, various types of personal information as outlined below can be collected:

Device information such as your hardware model, operating system version, unique device identifiers and mobile network information, including phone number.

Log information when services are used or content viewed information may be automatically collected and stored. This may include:

details of how you used our service, such as your search queries.

telephony log information, such as your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.

Internet protocol address

device event information, such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

cookies that may uniquely identify your browser or your Account.

Location information Services which may collect and process information about your actual location, such as GPS signals sent by a mobile device

Local storage where personal information may be stored locally on user devices

Cookies and anonymous identifiers are used to collect and store information when services are used or for services that websites offer partners such as advertising

Google Scores A+ with new Privacy Policy

noreply@blogger.com (Lucius Lobo) — Thu, 26 Jan 2012 17:27:00 +0000

Google has set an example by being transparent in how it manages the privacy of personal information it collects from the use of its services. There is hue and cry over some aspects of its disclosures such as the need for an opt out option and the use of personal information for targeted advertisement, but we need to appreciate that GOOGLE with 70% market share did not have to write a simple policy which all its users could read and understand, but it did. It set an example which other firms do not. Let us commend and not condemn Google for this historic act.

Google says it intent is to use information shared with it to make its services even better – to show you more relevant search results and ads, to help you connect with people or to make sharing with others quicker and easier. They do not sell this information to third parties. Let us be fair, free services need to be paid for in some manner. Advertising is a great way to keep services free.

We should also appreciate steps taken in the right direction, so that other can follow suit without governments turning to regulation or censorship.

Password sharing a culture among teenage social media users

noreply@blogger.com (Lucius Lobo) — Wed, 25 Jan 2012 02:27:00 +0000

The effect culture has on security is extremely fascinating. Adoption of security policies on use or privacy are all governed in terms of adoption and effectiveness by the culture of the company or country. I have seen a restriction on the use of social networking in the workplace go from being fully restricted to completely open due to an acquisition. On a similar key the level of monitoring may vary based on how process abiding employees are. In some countries, employees may fully revolt even if one hinted that their emails may be read using a digital leak prevention system which protect against inadvertent leakage of sensitive information.

The recent article by the New York Times equated the power of password sharing to having sex among teenagers. It’s a form of affection or the ultimate sign of trust that enables one to read the others private emails and posts. In a 2011 telephone survey, the Pew Internet and American Life Project found that 30 percent of teenagers who were regularly online had shared a password with a friend, boyfriend or girlfriend. The survey, of 770 teenagers aged 12 to 17; found that girls were almost twice as likely as boys to share.

The essence of the article is that there is so much social pressure to comply that despite the negative fallouts of violating the privacy of other people who send mail thinking only the recipient can read them, emotion impact of reading mails when the relationship sours, jealousy and ability to slander through a personal account the trend continues.

I do hope that this trend reverses itself, as password sharing as we all know is not a good practice. What teenagers do today should not carry into the workplace as a habit in the future.

State of computer related Economic Fraud in India Dec 2011

noreply@blogger.com (Lucius Lobo) — Mon, 23 Jan 2012 06:30:00 +0000

PWC recently released its India report “Safeguarding organizations in India against Cyber crime” as part of its Global Economic Crime Survey. Senior members from the executive management, finance, audit and compliance comprised 70% of the respondent’s from 106 companies. If we overlook the misleading title, which gives an impression of a report on cyber crime (which the report is partially about), the report actually provides an excellent insight into the state of economic frauds in Indian organizations, using computer (e.g. hacking, IP theft) or computer systems (fake/inflated expense reports, over invoicing/under invoicing) in India. Economic frauds as per the report are categorized as cyber crimes, accounting fraud, asset misappropriation and bribery and corruption.

The important observations, I made on reading the report were:

a) There is heightened awareness among Indian Management about cyber crimes which involve reputational damage, IP theft, financial losses, regulator risks, and service disruption. We were 30% above the global average which is a sign on our economic environment becoming cyber aware. Positive news!

b) Fraud Management seemed statistically to provide the most value in reducing economic crimes, but the demand for this services was low due to its perceived lack of value, cost or limited understanding of the service. Since fraud management requires cultural change and increase system or monitoring costs, companies may be reluctant to invest

c) Cyber security training seems to have declined with 35% of the respondents having received no training at all. Not a good sign!

d) 12% of the respondents were victims of fairly large crimes of over 5 m$. An eye opener!

e) The most common methods of dealing with cases of fraud against employees was dismissal and warnings and with outsiders, severance of business relationship and use of law enforcement

In the overall analysis, there is a rise in cyber crime risk awareness but little investment in fraud investment, fraud management and cyber security awareness. The report is a must read. It is well articulated and perhaps the only repetitive survey of economic crime in India.

Fooling supporters to DDOS the US Govt made the Internet unsafe

noreply@blogger.com (Lucius Lobo) — Sun, 22 Jan 2012 09:10:00 +0000

I was quite upset when I read that thousand of users who chose to listen to Anonymous's point of view were fooled into launching a DDOS protest against the FBI, Dept of Justice and other sites. Individuals participated unknowingly into a criminal act which made the Internet even more unsafe for cybercitizens.

I believe this trickery was uncalled for and will actually damage the credibility and popularity of Hacktivists. While thousands may have their reasons to believe that its legitmate to share pirated content, in law it is not so. In democracy we accept both the decision of the government and rule of law. We should honour both. We can protest in a non violent manner to make our view point heard to the government but no more. We should find alternate means of protest, DDOS is not the answer.

Site owners should also make an effort to curtail pirated content on their sites or links to such content. This includes search engines, torrent sites, cyber lockers and site which have linkages. These sites make money off ad revenue which indirectly is paid for by those very same netizens on the margins made on other products which they buy at the expense of money going to the business which worked hard to create online content.

Let us not degenerate into a cyber rabble.

Nice article to read

Over 9,000 Hackers Join Anonymous DDoS SOPA/Megaupload Protest

Employee Surveillance: Does your company monitor your every move?

noreply@blogger.com (Lucius Lobo) — Sat, 21 Jan 2012 03:02:00 +0000

Companies monitor their employ activities for business purposes using multiple methods such as video surveillance, listening to telephone conversations and voice mail, location tracking using GPS, monitoring use of email, Internet, and computers, facility access and movement and review of blogs and posts on social media. Almost 80% of organization use one or more forms of monitoring through tools or manual reviews. This is done for one or more of the reasons listed below:

To avoid workplace law suits
To reduce asset thefts
To prevent intellectual property theft and accidental/deliberate data leakage
To reduce exposure to cybercriminals, sabotage or insider theft
To prevent corporate espionage
As part of regulatory or legal compliance
To reduce reputation damage or public embarrassment
To prevent lost productivity or wasted resources
Crisis Management

Some forms of monitoring for example timekeeping are well accepted but others like telephone monitoring may be considered invasive. Baring restrictions on under what conditions surveillance should be conducted which varies based on country/state regulations, courts do not consider on premise monitoring as an invasion of the individual’s right to privacy as long as a clear reasonable business purpose can be demonstrated. Both the Indian Constitution and Indian IT ACT provide Indian citizens the Right to Privacy but are non specific on the right of a company to monitor for legitimate business purposes.

As a best practice in employee care and to avoid law suits, most companies publish policies on the type, extent and rational behind the monitoring which is clearly communicated to employees. They also have signed employee agreements which waive an employee’s right to privacy for such monitoring. Companies have associated disciplinary policies which clearly lay down the protocol for dealing with policy violations, which vary from issuing warning letters to employment termination.

There are some extreme forms of monitoring such as trying to obtain personal records (e.g personal call records), and using detectives to trail employees and their family members. The legality of these activities is questionable, but such conditions exist when there is discord between partners in a firm with one trying to find evidence to nail the other and under conditions where a senior employee is thought to be stealing data or undertaking fraudulent/illegal activities.

Email Scams may cost your life. There is no easy money !!!!

noreply@blogger.com (Lucius Lobo) — Thu, 19 Jan 2012 12:30:00 +0000

A Korean man and his daughter visited South Africa to collect a million dollar lottery win. At the airport they got into a hired taxi which drove them to house in Soweto. There the duo including the taxi driver was held hostage and a ransom of 10m$ to be deposited in Singapore was demanded from the Korean’s wife. Fortunately, the driver escaped, informed the police, and the pair was rescued. The Koreans were so traumatized from the incident that they left the country without giving evidence. They were lucky that they escaped death. Read the full news story South African police rescue Asian pair kidnapped in 419 scam

Email scams are a small percent of the overall spam mail sent. Normally they end up conning victims out of an advance fee, which is asked for, to complete the formalities needed to send lottery winnings to the winners (i.e. that victims). The danger increase exponentially when the victim either in an attempt to collect his winnings or recover his money actually visits another country, eventually to get held for ransom or killed.

Cybercitizens should understand that one cannot win a lottery which was never entered into. No money comes for free or by chance. Human psychology is such that even when advised that the email is a scam, many people fail to believe it to be true. I have seen this happen at close quarters because the lure of a potential winning that may change the victims entire life is so strong, and the victims understanding or comprehension of cyber risk is low. Much like the disbelief one has of the existence of a heart problem in asymptomatic situations.

I have written on this subject extensively in the posts below:

Tom and the Lottery Scam

Fighting Scam Emails through Simple Intellectual Deduction

How you get suckered in Online scams and the little one can do about it?

Keep your ATM Pin Secret and use SMS transaction alerts

noreply@blogger.com (Lucius Lobo) — Wed, 18 Jan 2012 06:51:00 +0000

Many of us may share our ATM pin with a close family membe,r but when we expand the community to include drivers, close friends, strangers who we ask for assistance at ATM kiosks, and even write the pin on the card we are inviting trouble.

Keep your ATM pin secret, ensure that no one can read your pin while you key it in at the Kiosk, and choose pin numbers which are hard to guess (not 1234 etc) are advice which banks have posted in ATM booths, screens and brochures. ICICI Bank has a security awareness screensaver with just this advice. I liked their preference for security awareness over advertisement.

So what can go wrong! Well recently in Mumbai, an ATM card was stolen and used by a trusted friend who knew the Pin number. Fortunately, the victim received an SMS informing her of the transactions and immediately complained to the Mumbai cops who with some old fashioned detective work cracked the case. Kudos to them too! Midday Mirror Reports Woman, husband held for stealing Rs. 12,000 with friend’s ATM card

I would have expected the case to be cracked by a forensic review of CCTV data from the ATM from which the transaction was withdrawn, but for some reason this was not the way it was solved. It could be there was no CCTV surveillance which is not a best practice.

Catch Crooks, using CCTV’s and Facial Recognition at Holy Places

noreply@blogger.com (Lucius Lobo) — Tue, 17 Jan 2012 13:33:00 +0000

Crooks also come to visit holy places to pray and ask for blessing, judging by the success a one million US$ CCTV camera network is having at a holy shrine in India. The system is equipped with facial recognition software which is fed with photographs of repeat offenders, bag lifters, chain snatchers and pickpockets. When the system zeroes in on a match a silent alarm goes off in the monitoring room and the culprit is apprehended. The system in the last 5 months has help nab 82 culprits.

CCTV surveillance is soon becoming more advanced with digital analytics and widespread availability using dedicated or mobile networks. Common uses vary from remote monitoring of property to child supervision by indviduals. Law enforcement uses vary from crime detection violation detection to antiterrorism.

CCTV cover helps nab repeat offenders who visit Shirdi shrine

CCTV’s ring down petty thefts in Mumbai

Clean up orders from Indian Courts may signal a new global era

noreply@blogger.com (Lucius Lobo) — Mon, 16 Jan 2012 03:48:00 +0000

The Indian judiciary has started hearing cases against leading international websites for not removing objectionable content as per Indian law.

Indian Court Issues Summons to Google, Facebook Headquarters for Objectionable Content

India has a significant chunk of the online users (100m), a user base which is set to grow dramatically (350-400m by 2015) and will eventually represent a significant portion of revenue and valuation for Internet firms.

India wants these firms to self regulate, and remove content objectionable under Indian law rather than to block this sites. Site blocking is a last option, but the China example has not been ruled out.

The initial request was made by the Indian government which was politicised as government censorship, particularly as it coincided with a nationwide anticorruption campaign. This issue has now turned into a more serious legal case in a court of law.

I believe the outcome of this case will be a trendsetter for future Internet regulation in most countries. India was also at the forefront of regulation to montor encrypted email and messenger traffic from RIM (Blackberry) to assist law enforcement prevent criminal and terrorist activity. Ironically, six months after this move the very same method was used during the London riots which British law enforcement agencies found extremely difficult to control as they could not monitor or block such instant messages. London riots: how BlackBerry Messenger played a key role