Tag: security

Greetings from the scammers

While the online scams evolve, the venal stupidity of victims doesn’t

The notorious “419 scams” have been around since the early days of the consumer internet.

419 scams are the elaborate internet frauds that try to convince people they unexpectedly come into money. Once a gullible victim takes the bait, they are duped into paying a range of ‘facilitation fees’ and costs that drains their saving.

The term 419 scam comes from the Nigerian criminal code that covers this crime, which was appropriate as most — although not all — of these emails originated from the country.

For a while in the early 2000s, internet users became used to receiving a few 419 scam emails every day but by the middle of the decade they largely dried up as the even the most gullible and greedy idiots became wise to the schemes.

That’s not to say they have completely vanished, this morning quite a distasteful one landed in my inbox.

Greetings,
I wish to seek your assistance to execute a business deal. I am Paul Williams a Contract Agent based in London. I require your consent to present you as next of kin to a client of mine, who died along with his wife and Two kids in the Asian Typhoon Haiyan in the Philippines leaving behind a large sum of money without a next of kin. With your co-operation and information available to me you can make a claim on the funds as the next of kin to my deceased client. After release of the funds to you by the financial institution where it is lodged, we can share according to a percentage we agree upon. If you may be of assistance, please reply for further co-operation.
Best Regards,

Paul Williams.

It’s unlikely that Paul Williams exists and even if he did it’s unlikely he’d have anything to do with this unsavory scam that most people would immediate bin when they receive it.

Binning the message was my reaction as well, but as I was about to, it occurred to me that there are enough venal, stupid people in the world who would agree to be involved in such a deal.

No doubt if you asked them they’d say defrauding the deceased family’s estate is a victimless crime as the money would only end up with the government anyway, these people would swear blind they are honest, honourable folk and no doubt they would think they are rather clever.

It’s worth reflecting that dishonest, venal and somewhat dim people do occasionally get their come-uppance in today’s world.

Will the internet’s insecurities damage economic growth?

Online security problems are chronic and costing our economies billions claim researchers.

“No country is cyber-ready” warns Melissa Hathaway, author the Cyber-Readiness Report.

Hathaway’s warning is that the economic benefits of the internet are being lost to the various vulnerabilities in our information infrastructure.

Dutch research company TNO claims that the Netherlands lost up to 2% of their GDP to cybercrime in 2010 and Hathaway claims similar losses are being incurred in other developed countries.

Supporting Hathaway’s views at a function in Sydney today, Cisco System’s Senior Vice President and Chief Security Officer, John Stewart, made a frightening observation about corporate networks.

“Every single customer we have checked with, and these are the Fortune 2000, has high threat malware operating in their environment – every single one of them.”

So the bad guys are in our networks and causing real economic damage. The question for businesses and governments is how do we manage this threat and mitigate any losses?

On our more intimate level, how do we manage our own systems and online behaviour to limit our personal or business losses?

Hathaway makes the point that the internet was never intended to do the job we now expect it to do and as consequence security was never built into the net’s design.

Today, we rely upon the internet regardless of its lack of inbuilt security. With everyone from governments through to organised crime and petty scammers wanting to peek at our data, we have to start taking security far more seriously.

Malware writing becomes bigtime crime.

The online bad guys are now professionals and we have to start taking them very seriously

“Fifteen years ago we saw a thousand types a malware a month, now we see a three thousand a day,” states Richard Cohen, Threat Operations Manager of Sophos Lab during a tour of the company’s head office outside Oxford in England last week.

That one statistic alone describes the scale of online security risks facing every computer user. Making matters worse is that the attackers have moved from enthusiastic amateurs to committed professionals.

A particularly notable change for home and small businesses has been the risk of ‘ransomware’ where a computer’s data is held hostage by the bad guys until an unlock code is paid for.

Like many things in the computer world, ransomware isn’t new however the latest breed uses the latest cryptographic tools.

“Now there’s money involved, there’s serious effort,” says Sophos Labs’ Vice President Simon Reed. “The quality of malware has gone up.”

The early versions of ransomware were a joke, usually just being a scary opening screen warning people of the FBI or a similar agency had detected illegal downloads on their computer. Today – according to Sophos’ researchers – the new breed of malware features high level encryption that locks away data fairly comprehensively.

While the researchers at Sophos were briefing me on the online risks they see, on the other side of the world Eugene Kasperski, founder of Russia’s most successful computer security company, was addressing an Australian National Press Club lunch on the state of the anti-virus market.

“Traditional criminals are stupid,” Kasperski told the lunch. “Computer criminals are different. They are geeks; geeks with broken minds.”

The message to homes and small business from both Kasperski and Sophos is quite clear – you have to take online security seriously. Start doing so now.

Google, Facebook and the Silicon Valley paradox

The paradox of Silicon Valley is cloud and social media companies want us to use the products they won’t use themselves.

One of the great advertising campaigns of the 1980s featured entrepreneur and Remington Shaver CEO Victor Kiam telling the world “I liked the product so much I bought the company”.

The modern equivalent of Victor Kiam’s slogan is “eating your own dogfood” where businesses use their own products in day to day operations. It’s a great way of discovering weaknesses in your offerings.

One of the paradoxes of modern tech companies is how they don’t always eat their own dogfood when it comes to their business philosphies – they expect their customers to take risks and do things they deem unacceptable in their own businesses and social lives.

The best example of this are the social media services where founders and senior executives take great pains to hide their personal information, a phenomenon well illustrated by Mark Zuckerberg buying his neighbours’ houses to guarantee his privacy.

Just as noteworthy  are the policies of Google’s IT department, for past five years most tech evangelists – including myself – have been expounding the benefits of business trends like cloud computing and Bring Your Own Device (BYOD) policies.

Now it turns out that Google doesn’t trust BYOD, Windows computers or the Cloud, as the company’s Chief Information Officer, Ben Fried tells All Things D of his reasoning of banning file storage service Dropbox;

The important thing to understand about Dropbox,” Fried said, “is that when your users use it in a corporate context, your corporate data is being held in someone else’s data center.”

This is exactly the objection made by IT departments around the world about using Google’s services. It certainly doesn’t help those Google resellers trying to sell cloud based applications.

Fried’s view of BYOD also echoes that of many conservative IT managers;

“We still want to buy you a corporate laptop, get the benefits of our corporate discounts, and so on. But even more importantly: Control,” Fried said. “We make sure we know how secure that machine is that we know and control, when it was patched, who else is using that computer, things like that that’s really important to us. I don’t believe in BYOD when it comes to the laptop yet.”

Despite these restrictions on Google’s users, Fried doesn’t see himself or his department as being controlling types.

“But the important part,” Fried said, “is that we view our role as empowerment, and not standard-setting or constraining or dictating or something like that. We define our role as an IT department in helping people get their work done better than they could without us. Empowerment means allowing people to develop the ways in which they can work best.”

Fine words indeed when you don’t let people use their own equipment or ask for a business case before you can use Microsoft Office or Apple iWork.

That Google doesn’t give its staff access to many cloud services while Facebook’s managers restrict their information on social media shows the paradox of Silicon Valley – they want us to use the products they won’t use themselves.

Back in the 1980s, Victor Kiam liked what he saw so much that he bought the company. You’d have to wonder if Victor would buy Google or Facebook today.

On the internet, the Feds know what breed of dog you are

The downfall of Silk Road’s alleged founder is a lesson on how fragile our privacy and online security are

The arrest of alleged Silk Road founder Ross Ulbricht – also known as the Dread Pirate Roberts – has attracted plenty of media attention.

What’s particularly notable is the FBI is claiming Ulbricht made a basic mistake in posting to a website under his real name that gave his identity away.

If true, Ulbricht’s trivial mistake illustrates how easy it is for any determined investigator to find someone’s identity online from the trillion points of data we all create in the connected world.

Anyone who wants to be truly anonymous on the web has to work extremely hard to protect their identity. Most of us aren’t prepared to trade convenience for security, particularly given the massive effort required.

Even if we could protect our online habits, the use of credit cards, loyalty plans and even driving our cars still it almost impossible to escape the watch of a determined investigator.

In the early days of the web, it was said “on the internet, no-one knows you’re a dog.” Today the feds can figure out not only what breed of dog you are, but what your name is and your favourite brand of dog food.

The modern panopticon we live in is a very efficient machine and it’s difficult to hide from society’s gaze. It’s why we need to rethink privacy and information security.

Image of Presidio Modelo by Friman through Wikimedia.

A trillion points of data

As shopping centres, social media services and police forces collect greater amounts of information about us, we need to understand and manage the risks involved.

Last night, current Affairs program Four Corners had a look of the risks to families in the age of Big Data.

Earlier in the day I had the opportunity to speak on ABC 702 Sydney with the program’s reporter, Geoff Thompson, to discuss some of the issues and take listeners’ calls about Big Data and security.

What stood out from the audience’s comments is how most people don’t understand the extent of how data is being shared. The frightening thing is the Four Corners program itself understated the extent of how information is being distributed around the internet.

Looking beyond social media

Social media sites like Facebook are an obvious and legitimate area of concern with most people not understanding the ramifications of the terms and conditions of these services, however Big Data is a far more that what you share on LinkedIn or Instagram.

A major point of the program was how the New South Wales police force’s Automatic Number Plate Recognition (ANPR) equipment stores photographs of car license plates.

One of the applications of ANPR shown during the program was how an officer can be warned that a vehicle has owned by someone potentially dangerous or used in a suspicious situation, allowing them to be more cautious if they decide to pull a car over. Probably the greatest application is getting unregistered, uninsured or unlicensed drivers off the road.

Those sorts of usage is the positive side of Big Data and its role in reducing the road toll, the example also illustrates how data points are coming together with the internet of machines as traffic lights, road signs and cars themselves are communicating with each other and those police databases.

When that information is put together there’s a lot valuable intelligence and that’s why people are concerned that the NSW Police are storing millions of apparently useless images of car number plates with the time and location of the photographs.

These technologies aren’t just being used in shopping centres; instore mobile phone tracking combined with the same numberplate recognition the police use watching who is entering the carparks makes it possible to predict buying patterns and target offers to shoppers.

Couple that information with store loyalty cards and add in rapidly developing facial recognition, retailers have a very powerful way of monitoring how their customers behave.

“What instore analytics does is it takes the same kind of capablities that e-commerce sites have had for more than a decade and apply them to brick and mortar stores,” says Retail Next’s Tim Callen. Using the store’s CCTV system the company applies facial recognition software to track shoppers’ behaviour.

Securing the data feeds

The immediate concern is the security of this data, we’ve covered the hackable baby monitor and the Four Corners program examined Troy Hunt’s exposure of security flaws in Westfield Shopping Centres’ Find My Car App. Similar security concerns surround government databases like the NSW Police’s numberplate store.

As we’ve seen with the repeated data breaches of 2011, the management of big and small organisations like Sony or Stratfor don’t take security seriously. It’s hard to recall any senior public servant being held accountable for a security breach by their department.

A billion points of data

On their own, each of these data points means little but for a motivated marketer, tenacious police officer or determined stalker pulling those separate information sources together can pull together an accurate picture of a person’s private information, habits and beliefs.

Almost all the collectors of this data claim this information is anonymised or isn’t personal information, unfortunately there’s mismatch between the definition of private data and reality as number plates and mobile phone MAC addresses are not considered private, however they provide enough insight for an individual to be identified.

That aspect isn’t understood by most people, the final caller to the ABC Radio spot asked why she should be bothered worrying about privacy – it doesn’t matter.

As French politician Cardinal Richelau said in the Seventeenth Century, If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him

Today we each have six million points of data that can hang us, in a decade it could easily be a billion. We need to understand and manage the risks this presents while enjoying the benefits.

Security and the hackable baby monitor

Poor internet security on a baby camera should remind us of the importance of keeping your network secure.

Imagine a baby monitor that can be hacked, that’s the story that Forbes magazine tells about the Foscam baby monitors that can be owned by anybody using the Shodan search engine to find unsecured video devices.

Like all similar stories, the Foscam monitors’ weaknesses are born out of good intentions, the idea is parents can keep an eye on their children across the internet.

The problem, as always, is convenience and ease of use trumped security with Foscam making it easy for parents to by having trivial, if any, security on their devices.

It’s a lesson that should have been learned a million times, yet manufacturers continue to disregard the risks of poor security on internet connected devices.

As these internet connected devices become critical to business and public safety, this lack of security won’t be acceptable.

Slowly, companies like Foscam are being forced to take security seriously — hopefully consumers will accelerate the process by voting with their wallets.

In the meantime, it might be a good idea to make sure your home or business router has a good firewall before setting up internet connected devices.

Whose priorities do IT departments really care about?

A survey of IT managers shows that business risk and customer security are not their greatest concerns

Earlier this week mobile security company Imation showed off their latest range of Ironkey encrypted USB sticks and portable hard drives.

Accompanying the launch was a presentation from Stollznow Research on how Australian companies are managing data with a comparison against similar surveys carried out in the UK, US, Canada and Germany.

Of the 207 senior decision makers in Australian medium to large businesses surveyed, there were some interesting results on the attitudes of the nation’s IT departments and CIOs.

In the field of confidence about the security of their networks, Australian IT managers came out a lot more paranoid than their foreign counterparts with only 38% of Aussies confident their office data is protected from loss or theft against 73% overseas.

That result is encouraging as the internet and the world of IT security has a habit of severely punishing those with a false sense of security.

What was particularly notable though with the Imation research was what IT managers considered to be the consequences of a security breach.

consequences-of-data-breach

Around the world, IT managers see the headache of cleaning up the mess and bad media coverage as being the biggest consequences of a data breach. Customers come fourth in priority and even then the only concern is losing clients rather than the effects it could have on those people’s lives.

One of the tragedies of the continued Sony data breaches in 2011 was the leaking of credit card details. Many of those customers on pre-paid cards were young or low-paid workers who quite possibly lost all the money in their compromised accounts – debit cards don’t have the same protections against fraud as credit cards.

Even more terrible are the effects on those who become victims of identity fraud as consequence of a data breach. Letting that sort of information out is a fundamental betrayal of trust by organisations with sloppy security.

Interestingly over a third of respondents feared losing their jobs as a result of data being breached, in a perfect world it would be higher although we don’t live in a period where those accountable take responsibility for their actions.

What’s more likely in many smaller businesses is that a data breach could be the entire organisation to fold, something that should worry anyone running a startup or small business.

It may be true that many CIOs and IT managers aren’t too worried about the business effects of a data breach or system outage which shows that security – both physical and digital – are the job of everyone in an organisation, not just one department or executive.

Disrupting the GPS network

Spoofing GPS signals presents a real risk to many industries and businesses.

Another day, another technology security issues – this time The Economist reports the Global Positioning System can easily be hacked to alter the courses and positions of vehicles and equipment, something proved by University of Texas researchers taking control of a super yacht by setting up a false GPS signal.

Given the importance of the GPS, this is a significant problem. There’s no end of mischief that malicious individuals could get up to by distorting the signals in their neighbourhoods.

One idea that immediately came to mind on reading the story was how a cunning restaurant owner could make all the GPS units in the neighbourhood think they are sitting outside his business. Anybody using a smartphone app would think the nearest eating place was his, it would also fool systems like Local Measure that use geotagging as part of their service.

The risks though are greater than sneaky restaurant owners, the University of Texas researchers showed how a 65m, $80 million dollar ship can be tricked into sailing off course by ‘spoofing’ the real GPS signal.

With everything from emergency services’ tracking systems to smartphone and dog collars relying on GPS, the risks are huge.

It’s another reason why we need robust systems along with the critical thinking skills to know when the computer is wrong.

Security by obscurity’s false promise

Suppressing public knowledge of security flaws is not the way to fix a software problem.

Yesterday’s post looked at how security needs to be a fundamental part of connected systems like cars and home automation, an article in The Guardian shows how auto manufacturers are struggling with the challenge of making their products secure.

In the UK, Volkswagen has obtained an injunction restraining a University of Birmingham researcher from divulging security weaknesses in Porsche, Bentley, Lamborghini and Audi cars.

A mark of desperation is when a company has to go to court to suppress the details of a software security breach, it almost guarantees the bad guys will have the virtual keys while the general public remain ignorant.

Over time it backfires on the company as customers realise their products aren’t secure or safe.

The real problem for Volkswagen is a poor implementation of their security systems. It was inevitable that a master code would leak out of repair shops and dealerships.

While the law is useful tool, it isn’t the best way to fix software security problems.

Our hackable lives – why IT security matters.

Now our cars, homes and security systems are hackable we have to start taking IT security seriously.

Two stories this week illustrate the security risks of having a connected lifestyle. Forbes magazine tells in separate pieces how modern car systems can be overriden and how smarthomes can be hacked.

Smarthome system security is a particular interest of mine, for a while I was involved in a home automation business but I found the industry’s cavalier attitude towards keeping clients’ systems secure was unacceptable.

The real concern with all of these stories is how designers and suppliers aren’t taking security seriously. In trading customer safety for convenience, they create serious safety risks for those using these system. It’s as if nothing has been learned from the Stuxnet worm.

A decade ago, a joke went around about what if General Motors made cars like Microsoft designed Windows. Like all good stories, it had a lot of truth to it. Basically, the software industry doesn’t do security particularly well; there are developers and vendors who treat security as a basic foundation for their work, but they are the exception rather than the rule.

That may well be a generational thing as today’s young developers and future managers are more aware of the risks of substandard security in the age of the internet.

Rather than seeing security as something that is bolted on to a product when problems arise, this generation of coders are having to treat security as one of the fundamental foundations of a new system.

What is clear though is that the builders of critical systems are going to have take security far more seriously as embedded computers connected to the internet of machines become commonplace in our lives.

Blocking the bad guys – listeners’ questions from ABC Nightlife

Answers to listeners questions on Tony Delroy’s ABC Nightlife tech spot.

Last night’s ABC Nightlife looked at how email is evolving but most of our callers were concerned with configuring their email, anti-virus programs and blocking adverts on the web.

The audio of the program is available through the ABC website.

As usual, it’s tough to answer all the questions on live radio so here’s the ones from listeners Tony and I said we’d get back to.

Ad blockers

Website owners are desperately trying to find ways to make money from their sites, unfortunately its proving difficult so we’re seeing increasingly intrusive ads trying to distract us while we surf the web.

A number of Tony’s callers asked about adblocking programs to get rid of these irritating ads and there’s a few paid and free solutions available for computer users.

The most popular solution is Adblock, a plug in available for Firefox, Chrome, Opera and Android. The developers have a handy video guide to installing and configuring their product.

For Internet Explorer users, Simple Adblock is a plug in that should work with their browser.

Be aware with ad blocking programs that they may change the layout of the sites you visit so be prepared for some strange looking pages.

Also keep in mind that website owners are desperately trying to find ways to pay the bills, so you won’t stop the more cunning ads or sponsored content that pretends to be real news. You might also put a few online media sites out of business.

Anti-Virus programs

One common question from Nightlife listeners are what anti virus programs should they use.

Probably the simplest for Windows users is Microsoft Security Essentials or the free AVG Anti-Virus. For OSX Users, Clam AV and Sophos’ Free Anti Virus for Mac will do the job.

If you have Norton or McAfee anti virus programs on your Windows PC, then getting rid of the software is not straightforward. After uninstalling the software, you’ll have to run their removal tools which are available from the Symantec (Norton) or McAfee websites. Read the instructions carefully.

Switching to Hotmail

A curious thing about Microsoft is how they like to irritate loyal customers with interface changes that leave everyone confused. Hotmail users are among the latest victims after the company migrated them to the Outlook.com platform.

Deborah called in to ask how she could switch back to Hotmail from Outlook.com – sadly the official line from Microsoft is “you can’t”. It appears that all of the work arounds to get Hotmail back have also been closed down and the old service is no more.

For Deborah, the choice is to either get used to Outlook.com or investigate other online mail services like Gmail or Yahoo!.

The next ABC Nightlife will be on in around five weeks. Hope you can join us then.