What industry leaders and cyber security experts say...

Pragmatic advice on staying safe online. A must read for all social networkers. – Anand Mahindra, Chairman & Managing Director, Mahindra & Mahindra.

We are witnessing a hastened transition from the physical to the virtual (cyber) world. Unfortunately, we understand and are able to react to the risks of the cyber world only very inadequately. This poses a significant challenge to the public in general and sentinels in particular. This book is most apposite for consumers of the cyber world. Lucius has given many examples, provided an exhaustive list of dos and don’ts in a very simple language and covered comprehensively all the areas that touch common citizens. This book is a good reference point for all the stakeholders of information security to build a consumer awareness program. – Vishal Salvi, CISO & SVP, HDFC.

Written for the public at large, this is an easily readable book which addresses the topic of cybersecurity threats from pranksters, hackers, and serious spies. Although I consider myself an expert in the area of cybersecurity, I have learned a lot about possible new types of attacks by reading this book. Lucius has clearly demonstrated his practical knowledge and understanding in this new science of cybersecurity using simple examples and case studies. – Prof M. Rajarajan, Head of Information Security Research, City University London, UK.

Ubiquitous communication technology driven by the Internet has globalized the world and brought people nearer in unthinkable ways. Social media provide instant connectivity to communities of friends and followers, who in turn can feed or transmit the same messages to their friends and so on. Friends, followers and bloggers can add to the messages, and since the medium is interactive, it lends itself to multidimensional communications. But therein lies the devil. Nobody has taught our young friends behavioural norms, and the acts they should guard against to stay out of harm. Lucius has done a wonderful job in writing this lucid guide to fill this gap. It is easy to read, and to understand the possible ways of staying out of trouble. I recommend it to everyone – from the occasional surfer to the social media addict. – Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI).

Lucius has simplified and unmasked a very complicated topic. In a world in which we are joined at the hip to our smart phones and iPads, any one of us could be the victim of a cyber attack. The book is very practical. It highlights the hidden dangers we all face and gives us the tools to protect ourselves... a must read! – Aisha de Sequeira, MD & Head, Investment Banking, India at Morgan Stanley.

Stay Safe, Cybercitizen

Illustrated by Vijay Kumar Kakade

Lucius Lobo

2013

Stay Safe, Cybercitizen © 2013 Lucius Lobo, lucius_lobo@yahoo.com
Illustrations: Vijay Kumar Kakade, vijaykumar.kakade@hotmail.com

Published in 2013 by

Goa 1556, Sonarbhat, Saligao 403511, Goa, India. http://goa1556.goa-india.org, goa1556@gmail.com, +91-832-2409490

Project co-ordination: Frederick Noronha. Cover design and illustrations: Vijay Kumar Kakade. Typeset with LYX, http://www.lyx.org. Text: Palatino, 12 pt.

ISBN 978-93-80739-29-8


Contents

1 Foreword
2 Introduction
3 The Cyber Security Landscape
   Security and privacy risks
   Cybercrime – what is it?
   How hackers earn
   Chapter summary
4 Personal Privacy and Security
   Advised against social networking sites?
   Best practices: safe social networking
   Twitter pranks
   Entrapment for theft and espionage
   Intimate pictures gone viral
   Who is liable for objectionable content?
   Removing objectionable material online
   Celebrities at high risk from hackers
   Spying on your mobile
   Best practices: safe surfing at cybercafés
   Chapter summary
5 Identity theft
   Webmail: threats to your online identity
   Password, the worst security tool
   Exam cheat caught using a spy pen
   12 ways to steal from an ATM
   Best practice: safe use of ATMs
   A cyber entrapment tale
   A fake police academy
   Password sharing and teen culture
   Best practices: passwords
   Best practices: safe online banking
   Chapter summary
6 Email Scams
   Falling prey to online scams
   Best practices: online trading
   Email scams, a multi-billion business
   Email scams may cost your life
   Best practice: escaping email scams
   Chapter summary
7 Corporate Espionage
   Corporate moles
   Best practices: corporate espionage
   Honey traps
   Best practice: safe surfing at airports
   Chapter summary
8 Security at Work and at Play
   Product launches and other secrets
   Best practices: employee blogging
   Employee monitoring at work
   Six things a model cybercitizen can do
   Chapter summary
9 Cyber Parenting and Child Safety
   Cyber bullying
   Educating children on online ethics
   Cyber security education
   Best practices: online child safety
   Chapter summary
Conclusion: Being Cyber Aware

Dedicated to my mother Lumena, my wife Preeti and my son Raymond.


About the Author

Lucius Lobo is an experienced security professional, blogger and the head of a large security consulting practice. He was also a member of the Internet Security Council of the World Economic Forum and is a founder-director of the Cloud Security Alliance, Mumbai chapter. Lobo is a Certified Information Systems Security Professional (CISSP) with over twenty years of experience in the communications and security industries; he has published in leading magazines and is a regular speaker at security conferences. He authors a consumer-focused security awareness blog at luciusonsecurity.blogspot.com which provides security insights to both consumers and security professionals. Opinions expressed remain his own and are not the views of the organisations he works for or represents. Based in Mumbai, Lobo traces his roots to Goa.

Email: lucius_lobo@yahoo.com
Twitter: @luciuslobo

Acknowledgements

To my family, colleagues and well-wishers for their support, reviews and encouragement. As also to you, my reader, who has made my work meaningful and relevant to our society by taking an interest in it. The most important contributions in producing this book came from Vijay Kumar Kakade. A prolific illustrator, Vijay spent hours after his normal work shaping rough scripts into vibrant illustrations that aptly brought to light key security messages. Frederick Noronha, publisher, editor and journalist, transformed my writings into this book. I am grateful to Commodore Premchand who mentored me in the world of information security. To all who have helped this process, my sincere thanks!

Chapter 1

Foreword

It gives me immense pleasure to write the foreword for this book by Lucius Lobo. It covers a topic that is significant to all of us and is written by someone who lives and breathes Information Security. Be warned – after reading the book, browsing at the airport is never going to be the same again!

We live in a fast-changing world where many aspects of our everyday lives are touched, influenced or governed by technology. The ease with which we are able to access information online, keep in touch with friends and family, and work while on the move, also comes at a price. As we adapt to a pervasive online presence, cybercriminals are coming up with increasingly sophisticated ways and means to misuse this connectivity. Little do we realise that our activities online open us to a host of security risks, some of which are relatively easy to exploit.

In this book, Lucius takes us through a number of threat scenarios that we cyber-citizens would simply never have considered or thought possible. He has succinctly highlighted the risks we face regularly and has suggested simple precautions that can help us to remain secure in our online journeys. This book also has an underlying message for governments: the need to wake up to these threats and educate their citizens to remain vigilant not only in the physical world but also in their online activities.

As the head of a large Information Security practice in one of India’s leading software services firms, Lucius has a direct view into the kind of security threats and risks that individuals and corporates face on a daily basis. Some of these can be eye-openers for even seasoned internet users. Lucius lays bare the ease with which hackers and those with a malicious bent of mind are able to exploit easily available software tools to pry into your online activities. I have had my share of surprises from this book; but having adopted some of what Lucius has recommended, I feel a lot safer even as I write this on my connected laptop. My thanks to Lucius for taking us a step closer towards a secure online experience.

C.P. Gurnani
CEO, Mahindra-Satyam and M.D., Tech Mahindra


Chapter 2

Introduction

The Internet era is well entrenched in our lives. It is no longer surprising to come across inquisitive toddlers monkeying around with the icons on a smartphone, or to have teenagers turn down lucrative job offers that disallow social networking from the workplace. Most of us are accustomed to a range of online activities – shopping, banking, paying bills, stock trading and using credit cards in cyberspace. Social networking takes hours off our week. We tweet our thoughts, send out posts, maintain a blog and access webmail. Whether for business or for personal use, the ubiquitous cyberworld will only become more pervasive in the future.

A small but swiftly growing portion of all global trade is transacted through ecommerce companies. Physical goods are traded through online auctions and shops, while digital products such as music, ebooks, games, films and software are readily bought online. Where there is money, criminals are bound to follow. Cyberspace is no exception. The day is not far, if not already upon us, when cybercrime will be worth more than the entire drug trade at a fraction of its risk. Cybercrime has probably already pinched the lives of many of us, through online scams, spam, identity theft or social crimes. Many have fallen victim for small sums.

Yet the cyber criminal is not the only danger. There are sexual predators, espionage rings, friends turned foes, or even disgruntled employees, who hide behind the anonymity of cyberspace to cheat, defraud, slander or harass.

Ensuring personal security in cyberspace is a huge challenge. We understand insufficiently the dangers lying in wait there. In the real world, we continually scan for threats and make conscious decisions to ensure our safety. Our choice to walk down an alley rests on our assessment of its surroundings, the people loitering around, and the alternative routes available. Cyberspace requires similar situational reasoning.

Cyberspace’s constant evolution creates innovations in crime and fraud. This makes it extremely difficult to offer prescriptive measures that comprehensively ward off dangers. Security will always remain a moving target for security professionals and cybercitizens alike. Cyber-criminals will continue to reach us in the confines of our homes and offices, or in crowded places. Threats cannot be wished away, left to others or simply ignored. We need to assess such threats, take prudent steps and use best practices to reduce their danger.

This book aims to paint a picture of prevailing cyber threats using real incidents. In seven chapters it explains why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. By building our awareness we know what we are up against.

Lucius Lobo
lucius_lobo@yahoo.com
Mumbai, October 2012


Chapter 3

The Cyber Security Landscape

Today, the Internet envelops us and threatens to subsume our lives. Our phones, computers and even devices such as televisions are now an integral part of it. The proliferation of online services, information and social networking ensures that we live in an “always-connected, always-on” world, with few restrictions on the use of cyberspace. There is rising awareness that cyber criminals affect our own individual safety, and even that of our children. But cyber crime is only one of the many forces that cybercitizens need to be aware of. There are five other forces – social, political, ideological, economic and military – at play. These powerful forces and the interests behind them try to shape how security, privacy and individual rights in cyberspace evolve.

Three macro trends drive the need to acquire control over cyberspace:

- The emerging value of cyberspace as a strategic global economic asset for any digital economy.
- An exponential rise in connected devices – mobile phones, home networks, smart grids and smart cities. This raises the danger of a single vulnerability creating a catastrophic disruption of the global information infrastructure.
- The use of the Internet as a key driver of culture shifts, enabling the free flow of ideas between different countries and cultures and causing ideological conflicts on issues like democracy, women’s rights and the freedom of expression.

The battle for retaining the right to the free use of the Internet has just begun, with citizens’ groups and hacktivists protesting against restrictions on Net freedom, privacy, piracy, censorship and Big Brother monitoring, while at the same time governments and defence forces scramble for territorial ownership.

Cybercrime is an important issue for most cybercitizens, as it directly affects them. Criminals have the means, motive and opportunity to make money online. They are able to combine sophisticated technical know-how and age-old tricks to cheat not-so-tech-savvy cybercitizens. It is quite clear that while the risks appear on the radar, not much is being done about them. Stakeholders (corporates, governments, cybercitizens) see the benefits of a connected world but ignore the risks. There is a reason too: damage, death and destruction through terrorism, crime and war in the physical world are far more impactful than cyber attacks and cyber crime. But this will change soon. The growth in ecommerce, and consequently in cybercrime, will have a profound impact on online safety. We can be better prepared to cope if we get familiar with the forces that shape cyberspace, the facets of cybercrime and the mindset of cybercriminals.


Security and privacy risks in cyberspace

Eight forces shape the risk landscape of the Internet. Each has a direct bearing on how governments regulate or legislate cyberspace, and therefore affects cybercitizens’ right to a free Internet, personal privacy and cybersecurity.

Corporate and Military Espionage: Accusations of state-sponsored espionage to retrieve economic, military and political secrets that could be useful to propel economic growth are common. Espionage enables unethical companies to quickly acquire, at a fraction of the cost, designs or research that rival firms created after several years of effort and billions of dollars in investment.

Political Whistle Blowing: Anonymous whistle blowing through online sites became a matter of great worry for corporates and governments in the last two years. Sites such as Wikileaks created an international furore by publishing confidential US diplomatic cables. For governments these leaks violate national security. Other disclosures threaten to expose the names of international account holders and their deposits hidden from their respective governments in tax havens under banking secrecy laws.

Social Networking and Privacy: People who post a large amount of personal data in cyberspace through social networks often find their privacy violated by business and advertising interests, as well as by information they or their friends unwittingly post about them.

Democracy, Westernisation, Cultural Change: Social networking and Internet content transcend borders, infusing alternative ideologies and ideas into conservative cultures. Developments like the Arab Spring of 2011 triggered social unrest, which toppled governments and signalled winds of political change. Governments are slowly starting to censor, monitor and enact stringent laws against certain types of content in online posts, tweets and blogs.

Governments and Privacy: Governments seek to monitor voice and data communication in cyberspace to detect and track criminal, anti-national and terror operations. There has been a heated debate between social groups and governments on preserving an individual’s right to privacy by limiting the circumstances under which a government can intrusively monitor.

Cyber War: A large number of countries strategically view cyberspace as the next military theatre, building cyber commands for attack and defence. Stuxnet, the malware that damaged centrifuges at Iran’s uranium enrichment facility at Natanz, demonstrated the willingness to use malware as a weapon for physical damage. Some governments have allegedly employed hackers to steal rival governments’ and military secrets, as well as to spy on their email and voice communications.

Cybercrime: There are numerous global crime rings which specialise in non-violent cyber crime such as email scams and identity fraud. Unfortunately, since the impact of these crimes is less visible than that of violent crime, drugs or gambling, and since investigating them involves law enforcement agencies in different countries, it is yet to receive attention as a major crime.

Piracy: Paid digital content such as copyrighted music and videos is frequently exchanged online by cybercitizens using file-sharing sites. These exchanges infringe copyright. In the past content owners only prosecuted file-sharing sites, but recently some have initiated action against their users too. As the value of content in cyberspace grows, legal enforcement will increasingly be used to protect owners’ rights.

Cybercrime – what is it?

There is as yet no comprehensive definition of cybercrime; the field is still nascent, with new forms of fraud arising with each passing day. For the sake of a working definition, we can say that cybercrimes are crimes targeted against a computer system, such as the theft of data or service interruption; or crimes perpetrated through the use of a computer, involving illegalities such as asset misappropriation and cyber harassment; or crimes where the computer is used as an accessory, such as to share individually licensed content on a file-sharing portal.

Cybercrime has many dimensions – from the economic, to the social, ideological, military and political. Crimes may or may not have an economic impact and can be targeted against an individual, business or government. Every cybercitizen needs to be able to recognise the different forms of cybercrime they are likely to encounter in cyberspace.

Piracy and Copyright Infringement: Piracy and copyright infringement take place when people share individually licensed products using file-sharing sites or other means. Piracy in online goods such as music, films, ebooks, games and software is a $200m business.

Pornography, Child Sex-Abuse and Prohibited Sexual Content: Pornographic content may be legal or illegal, depending on which country’s laws govern it, but child pornography is illegal everywhere. Pornography featuring violence or bestiality is also illegal in some countries. Some laws prohibit the creation, viewing and storage of adult content (i.e. the creator and the user are both equally liable).

Corporate Espionage: Corporate espionage is the theft of intellectual property or confidential business data by rival firms or governments.

Cyber Warfare: Cyber warfare is the act of cyber offence (or defence) by military organisations. Cyber weapons are designed to cripple the Internet or selectively cause public chaos by the destruction of critical national infrastructure like power, water and nuclear plants. Military espionage is a part of cyber warfare which steals military secrets from defence organisations and their suppliers.

Terrorism: Cyber terrorism is cyber warfare carried out by radical groups, targeted against citizens or the infrastructure of a nation which they see as opposed to their cause or beliefs.

Hacktivism: Hacktivism is the act of cyber protesting (sometimes using destructive methods) against the online infrastructure of governments or enterprises seen as acting against the ideological beliefs of the hacktivist.

Online Scams, Counterfeits, Drug Trafficking: Internet scams encompass a wide variety of cyber frauds via email, SMS, social networks and dubious websites, and the sale of counterfeit goods and unlicensed drugs.

Social Crime: Social crime is the act of causing emotional distress through a deliberate act of harassment, bullying, slander, blackmail, hate, stalking, defamation or impersonation online. Such crimes make extensive use of social media, SMSes, emails, tweets and blog posts.

Identity Theft and Impersonation: Identity theft is the act of stealing a person’s credentials with the aim of either defrauding the individual for monetary gain or using the stolen identity to commit or perpetrate fraud.

Spying: Spying is the act of monitoring an individual’s communication, movement or personal information, undertaken by individuals, hackers and detective agencies.

Insider Fraud: Insider fraud involves the manipulation of IT systems and electronic records by employees to commit economic fraud for financial gain. For example, computer systems can be used to misappropriate assets through the manipulation of internal records such as expenses and payments.

Hacking for Profit by External Parties: Hacking is the act of infiltrating or disrupting an organisation’s infrastructure or services. This is undertaken by individuals, competitors or organised crime with the intent to blackmail, commit economic fraud or cause reputational damage.

Development of Malware, Botnets, and Sending Spam: Cybercriminals create an infrastructure to support cybercrime, using malicious software called bots which is surreptitiously installed on computers and remotely controlled. A large collection of bots under one controller is called a botnet. These bots are used for cybercrimes like spam generation, identity theft, spying and causing service outages on targeted websites.

Sabotage: Sabotage involves the disruption of a company’s or institution’s services, usually by disgruntled employees, for fun, protest or profit.

Obscene or Offensive Content: This refers to web content that is designed to be offensive, hurtful, seditious, slanderous, inflammatory or derogatory against sections of society.

How hackers earn

Till the early 1990s, hacking was all about fun and fame. Hackers liked to proclaim their technical prowess by creating viruses or by defacing, with cult logos and messages, the websites of companies which they felt overcharged or abused their market position. Ideologically motivated hackers defaced popular websites by splattering them with flashy messages to support a particular cause. Experienced hackers published tools on underground sites for amateurs to use to undertake similar hacks.

In the early 21st century this changed. There has been exponential growth in malware, yet there are few claimants to fame. The pursuit of monetary remuneration is the new game, not fun and fame. With the growth of ecommerce – shopping, banking, auctions and stock broking – hackers have found it easier to make money through cybercrime, partnering with fraudsters who are not tech-savvy but who conjure up a wide range of scams to defraud victims. Such mutually beneficial partnerships resulted in the creation of specialised intermediaries in an underground marketplace, which vastly enhanced what the hacker managed to rake in. These intermediaries supply a range of services, from malware creation to distribution, operation, hosting, call centres, the sale of credit card information, and the design and execution of a variety of frauds. According to reports, in some countries fraudsters even fuel the economy of small towns.

Hackers moved on from working as solitary individuals to being part of well-funded, organised crime rings. They changed their tactics and targets in step with the evolution of Net use, law and technology. For example, as governments across the globe enacted tough data breach laws requiring organisations to protect sensitive personal information, a new market for blackmail was created: hackers stole customers’ personal data and returned it for a ransom. Of late, paid hackers actively assist companies in corporate espionage and in sabotaging their competitors.

Hackers run a business. They strive for maximum return and low risk, focusing on wealthy individuals and high-return opportunities over low-return mass targets. The way to get hackers to mend their ways is not simply to catch and punish them, but to make it uneconomical for them to run their businesses. Opportunities for hackers constantly evolve, and so do the regulatory and technical security mechanisms which serve to punish hackers or limit their returns. To enhance this effort, and to ensure that cybercrime receives the focus it deserves from law makers and law enforcement, accurate reporting of cyber crimes is necessary.

Chapter summary

- Internet privacy and security are defined by six macro factors – the social, political, economic, ideological, military and criminal.
- The battle for retaining the right to a free Internet has begun, with citizens’ groups and hacktivists protesting against restrictions on Net freedom, privacy, piracy, censorship and Big Brother monitoring.
- Cybercrimes are a) crimes that target a computer system through the theft of data or service interruption, b) crimes, such as asset misappropriation and cyber harassment, perpetrated through the use of a computer, or c) the use of the computer as an accessory for illegitimate activity.
- Cybercrime is a fast-growing threat because cybercitizens are less aware of online risks, cyber law is slow to keep pace with new types of violations and law enforcement is not yet trained or equipped to address such crimes. Highly visible categories of cyber crime are corporate espionage, cyber war and piracy.
- Cybercrimes go largely unreported by victims and hence do not reflect meaningfully in statistics, which in turn limits the importance given to cyber crime by law makers and law enforcement.
- Unlike in the past, hacking is today done more for money than for fun. Hackers run a business, targeting high-return, low-risk opportunities. Their business is specialised and run by well-organised crime rings with multiple players.
- To combat cyber criminals, there is a need for victims to report crime, for better technological solutions and for products free from vulnerabilities. International cyber laws and enforcement can make cyber crime unremunerative and punishable irrespective of the country from which the crime was perpetrated. But international cooperation is still many years away.

Chapter 4

Personal Privacy and Security

Millions of cybercitizens spend over two hours each day on social networks. They converse with friends and make new acquaintances with those having similar interests. Social networkers share personal data (sensitive information about oneself) to create account profiles (with details of one’s age, profession, likes, address and pictures), in posts and in tweets. Individuals lose their privacy when personal information is read by a wider audience, or used in a manner other than what was intended. Such intentional or unintentional exposure of personal data is of major concern. Most cybercitizens fail to realise that information exchanges on social networks closely mirror the real world; yet information once made available online persists, and cannot be easily erased.

Besides the loss of privacy, there are other risks of sharing personal information online, such as a resulting breakdown in relationships and social crimes like cyber harassment and cyber abuse. For example, one news report blamed social networks for one in five divorces in the USA, as there has been a spike in the number of court cases that use tweets, posts and pictures as evidence of marital cheating.

In the physical world, when you purchase a book the bookseller cannot correlate your book purchases to predict your interests; of course this changes when you use a loyalty card. In the virtual world, this correlation is almost certain to happen, as everything you do is mapped onto a database of sorts. If you buy a book on pregnancy, then on visiting related sites advertisements for maternity products will be promoted to you. When a subscriber’s usage data across multiple products is combined, a web property is able to build a far more informative personal profile of you. Using this profile makes sites more usable through quicker and more refined search results. But, at the same time, it enables targeted advertising, thereby reducing personal privacy. Consequently, there has been a hue and cry over the privacy policies of search engines and social networks, which collect, aggregate and analyse usage data. Two key privacy requirements are the ability to ‘opt out’ (which essentially involves deleting all traces of the data collected on a subscriber’s Net use) and the ability for users to set restrictions on the use of linked data (account/device to Net use) across online product estates for the purposes of advertising.

Personal privacy is not absolute. Courts can subpoena, or call for, a website subscriber’s account and usage data as evidence in cases of defamation, online criminal activity, hacktivism and the promotion of abusive and offensive content. Data sought can include account payment methods, profile information, emails and connection records from ISPs, social networking sites and e-mail providers. The Internet’s economic value has brought in additional laws and regulations that have a restrictive impact on personal privacy, as many online digital services are funded by advertising revenue and pay tax. New privacy policies of web properties, court rulings and cyber laws are evidence of these changes.

TIP Remember we create our own sensitive information online and are responsible for its distribution, use and the audience that views it.

Tired of being advised not to use social networking sites?

Social networks are a wonderful place to network and socialise. Ever since I first reluctantly became a member, I have been reunited with several old friends, schoolmates and lost acquaintances. Hectic schedules, time zones and physical distance faded away with tiny 140-character tweets and wall posts that were read and replied to at leisure. Gadgets like cellphone cameras capture and upload intimate moments instantly, bringing warmth and togetherness. Besides sharing posts and pictures, friends invite us to join hobby groups and to play online games, and recommend their favourite links. Social networking sites automatically recommend strangers with similar interests, and many social networkers actively search for an unknown but charming member of the opposite sex to be friends with. Eventually, our virtual world meets the physical one through get-togethers and events which bring together long-lost friends and unknown penpals. This new world runs on trust. We trust that the page or application links sent by our friends are genuine and not malicious. We trust that the links or applications sent by our friends do not reveal our private data or identity, or compromise our safety.

We trust unknown “penpals” and the genuineness of their intentions based on their profile and what they post. We trust social networking sites not to sell or expose personal posts or pictures, intentionally or unintentionally. We trust that our friends will not back-stab us by writing slanderous posts based on information we have trustingly shared with them. Sadly, exploiting trust is what cyber criminals and unfaithful friends live on. Criminals use fictitious profiles to slowly win trust and dupe cybercitizens into scams or steal their identities. Friendships turn sour at times, and those we know might try to harass or embarrass us by posting slanderous comments. Those we do not know, like trolls, may post nasty remarks if allowed access to our social network. Using social networks requires us to trust. Trusting should not be blind; it comes with the ability to perceive risks. A great asset that aids us in this journey is common sense and the knowledge and use of simple best practices.

Best practices: Safe social networking

Safety tips to keep in mind while on social networks:

Familiarise yourself with the privacy and security settings on your social networking site and set your desired level of privacy protection.
Protect your online reputation by being careful about what you post. What you post online stays online. Besides possibly causing reputation damage, the more information you post, the easier it is for someone else to use that information to steal your identity, track your movements, or commit other crimes, such as stalking.
Be prudent, say no, and select only people you would like to invite onto your social network. Once you invite friends, their posts on your page can be viewed by your entire friends’ circle and vice versa. What they post could have an impact on your reputation.
Do not invite unknown strangers merely because they display an attractive photograph. This is a common technique used by spammers and those with malevolent intentions to gain access to you and your friends’ circle.
If someone is harassing or threatening you, remove them from your friends’ list and report them immediately.
Be cautious about posts which have embedded links, even if sent by your close friend, who may himself or herself be a victim. Spam or malicious links are couched in attractive posts to ensure they go viral.
Do not circulate objectionable content. Report such content if you come across it.
Do background profile checks and be wary of suspicious behaviour of unknown people or friends of friends you invite on social networks.
Withdraw from suspicious groups or block people you begin not to trust.
Do not go unescorted to meet a stranger. This applies to you whether you are an adolescent, teenager or adult. There have been cases of men who went to meet a "pretty girl" from Facebook ending up being brutally beaten and robbed.
Any request for money from unknown persons you befriended online should be met with the greatest of scepticism. Any request for money from a friend or a friend’s friend should be verified first by a phone call or through other means.
Avoid revealing or sexually attractive photographs in your profile, as they will draw the wrong kind of attention. But do put a recent photograph of yourself so that others can verify who you are.
Limit the dissemination of sensitive personal information, as technical flaws and advertising may reveal it to an unintended audience.

TIP Read the privacy policies of the sites you frequent to find out how they could use your personal data. Use and frequently review privacy settings as sites may change their privacy policies or roll out new privacy features without specifically intimating you.

Twitter pranks can have significant impacts

On the stifling hot afternoon of March 23, 2011 in Mumbai, tweets and SMSes announced that the supporting cables on the Mumbai sealink – a landmark construction and major route in the metropolis – had broken. This news quickly travelled across the city and far beyond. Multiple forwards ensured the message soon went viral. Frantic calls by citizens overloaded traffic police call centres as people attempted to verify the message. Traffic was diverted to alternate routes, causing congestion on arterial roads. Besides the larger economic consequences and the impact on daily life, these online rumours sullied the reputation of the company that built the sealink and caused a fall in the day’s toll collection. The tweet read:
"Please avoid the Bandra-Worli sealink, their supporting cables have just collapsed. Worli is jammed. Please RT."

Mumbai cyber police traced the origins of this message to the Twitter account of a film producer, who claimed to have sent the message as a prank intended for a few friends. The film producer had only 2,000-odd Twitter followers. Yet the ‘prank’ apparently spun out of control and snowballed into a major scare. This event shows the impact a rumour on Twitter can have in today’s real-time world. It does not really matter whether it is spread intentionally or unintentionally, especially when it comes from a well-known individual. More importantly, it exemplified how a hacked account of a celebrity, prominent person or government organisation can be used to send spurious messages with harmful consequences. As this incident shows, the power is in the hands of individuals who tweet. Simply put, there has to be a responsibility towards what one tweets and re-tweets, as it is clearly a new form of public broadcast. On a smaller scale, compromised Twitter accounts can be misused to send malicious tweets to your friends publicly or to post ‘self-derogatory’ messages. Every cybercitizen should take precautions to ensure that their Twitter "ids" (identities) are not compromised.

Entrapment for theft and espionage

How many people would report a case of being robbed of all their cash, watches and jewellery when trying to meet a woman they had contacted for sex? Two boys in Mumbai used to post ads and use social networking to lure such men. Once hooked, the "women" instructed these men to meet the two boys, who then drugged and robbed them. Fraudsters use fake profiles of handsome men and attractive women to entice unsuspecting victims. First contact and subsequent interactions are via emails, dating sites or social networks. A sample email sent by a scamster opens “Hello, my name is Jennifer”, explains that the sender is “looking for an honest partner for friendship”, and ends “Hope you don’t mind, if you don’t mind please write me. I can tell you more about myself”.

Once a person responds to this mail, “Jennifer” will soon request money for air tickets or appeal for some other monetary assistance. Such dating scams are similar to lottery and job scams, where the fraudster is normally anonymous and usually in a different country. These are fairly simple to detect because a request for money will eventually be made. The second and most dangerous form of entrapment is when the victims, normally rich and senior professionals with a reputation to lose, are specifically targeted to extract favours, money and corporate secrets. First contact is made online, but the relationship progresses into real life. Later a threat of sexual harassment or rape is made, which causes the victim to submit to blackmail. It works well when the target is cheating on a relationship.

Intimate pictures gone viral

When a cellphone camera, mobile social networking applications and the Internet are brought together, cybercitizens possess an explosive mix of technology which makes it easy to capture and post snapshots of our life experiences. While most of the images are innocuous, there are a few of a dubious kind, or at best intended for intimate private exchanges, such as nude or semi-nude images or videos designed to titillate a partner or woo another into a relationship. A survey by the Washington-based National Campaign in September 2008 found that some 21% of teen girls and 18% of teen boys have sent or posted their own nude or semi-nude images via cyberspace. Sending such personal images or videos can be against the law, with both the sender and receiver liable for prosecution in several countries. In many cases the act of recording these images is voluntary. It seemed fun, and perhaps was the "in thing" to do. A significant portion of these images are circulated on the basis of trust between the sender and receiver, without considering that the trust could break down or be unfounded in the first place. The consequences are long term, as pictures can be instantly replicated and stored in a vast number of places online, making them difficult to retrieve and erase once put out there. Such images can be widely circulated, posted online or even go viral in multiple ways:

You or your partner loses a cell phone where these images are stored. Tens of thousands of cell phones are lost or stolen each month.
Your partner or ex-partner circulates such images to friends (via MMS or Multimedia Messaging Service, email and social networks).
Your email account with emails containing private pictures is hacked, and the hacker resorts to blackmail or makes them public.
Sex criminals or perverts find your pictures and circulate them among themselves or on adult sites. There are a large number of “self-taken” photographs of children and teens in circulation, according to groups which monitor online paedophile rings.
You post images on a social networking site which changes its privacy settings during a site update, or the privacy settings were not set properly in the first place, thus exposing your personal pictures outside your chosen friends’ circle.
You have been secretly filmed by a spy camera in a public toilet or a changing room in a garment store, or by a landlord. The recording could later be posted online or circulated as an MMS.
Your picture has been morphed and posted on a website in an attempt to intimidate, harass or sully your reputation.
You sent a picture to someone unknown online, believing you were anonymous and could not be traced, who later sold your pictures to an online porn site.
You are a victim of a sting operation meant to obtain such a recording, which was later circulated by the media.

TIP Mobile security software has a remote “wipe” feature which can be used to erase data if the phone is lost.

Who is liable for uploading objectionable content online?

No one, it seems. We still lack a crisp, globally accepted definition of what one may consider “objectionable” – whether offensive, abusive or obscene – due to vastly differing interpretations. In most countries, Internet service providers (ISPs), content sites or social networking sites are not liable if they have adequate mechanisms to educate users on what content can be uploaded, and they filter objectionable material. It is not an easy task for global sites, as the definition of “objectionable” content like pornography differs from country to country. So, even if the pornographer is distributing pornography legally, the person at the other end might not be receiving it legally. User-generated content, typically posts, videos and music, has grown so significantly that a large social networking site could upload over ten billion items of content in a year. Of this, typically five percent is offensive material, comprising pornographic content, hate posts, morphed pictures and derogatory remarks about individuals, religious figures and politicians. The larger social challenge is dealing with abusive or hate content targeting individuals or small sections of society. Recently, near my residence, there was a mob of 500 protestors blocking roads and pelting stones at vehicles because an unknown miscreant had created a defamatory page on a social network. It is quite common to find abusive posts, using spoofed profiles created to settle grudges. Besides this, there are other forms of objectionable content, unintentionally put out, which violate an individual’s data protection rights, for example the video of a child being cyber-bullied in school. Prosecution is initially hampered by the anonymity that social media sites provide, as profile creation does not require identity verification. Then there are the limitations of international cooperation in cyber law, even in blatant cases such as the use and distribution of child pornography. One of the vital requirements is the quick removal of such content, particularly when it causes distress to individuals or groups. In the incident where riots took place outside my residence, this was in no way speedy. A court order had to be obtained and faxed to the social networking site to get it to shut down the page.

Removing fake profiles or objectionable material on social networking sites

Most online sites which accept user-generated content have a ‘reporting’ mechanism. Sites allow subscribers to report others who violate their Statement of Rights and Responsibilities by clicking the ‘Report’ or ‘Block this Person’ type tick boxes. Users can report profiles that impersonate them, use their photograph, list a fake name, do not represent a real person or carry abusive posts. They can also report improper images, nudity, illegal drug use, the advocacy of terrorism or cyber-harassment. There are no statistics on the effectiveness of these measures and the steps followed once a report is made. None of these sites offer telephonic helplines. Some countries, which have specific laws relating to objectionable content, block sites to prevent users within the country from browsing objectionable content. In future, social networking sites would be compelled to institute mechanisms to verify users prior to registration. It may not be a welcome idea, as it adds extra costs and slows down the rate of subscriber enrolment. In the long run, however, the online world will cease to be as anonymous as it is now. Secondly, if objectionable content is quickly removed it will reduce the motivation of individuals to perpetuate such acts. This process should be simple, quick and region-specific.

Celebrities at high risk from hackers

While chatting about Sarah Palin’s email hack, a friend inquired how vulnerable celebrities were to cyber threats. It was quite coincidental that just a few hours later the Facebook account of the former French President Nicolas Sarkozy was hacked into. On it, a message was posted which read: "Dear compatriots, given the exceptional circumstances our country is experiencing, I have decided in spirit and conscience not to run for office again at the end of my mandate in 2012." Celebrities are specifically targeted due to their status and riches. The key cyber threats facing celebrities are a loss of personal information, theft of work such as unreleased music, compromised accounts (email, Twitter, Facebook) and cybersquatting (where a domain name which reflects the identity of one person or corporate is taken over by another unconnected individual). When a celebrity account is hacked, the price typically demanded for returning the account to its original owner sometimes includes the payment of money and, in rare cases, a request for sex or nude pictures. Celebrity lives are open books, with significant details of their personal life and sexual preferences publicly known. This makes it easier for a hacker to guess their passwords or answers to secret questions. Fan mail is a simple route to send disguised attachments containing hidden malicious software, which surreptitiously self-installs. Hackers remotely control this software and use it to steal usernames and passwords as online accounts are accessed from the infected computer. Most celebrities who use social media like Twitter and Facebook to interact with their fans hire media firms to manage these accounts. Several celebrity accounts have been hacked because these firms did not adequately safeguard the client’s account or keep celebrity data private.
Celebrities who manage their own social media have to create strong passwords, follow safe surfing practices and exercise caution while opening attachments in fan email. Use of a dedicated computer solely for updating social networking sites, and another for Internet browsing, reduces the risk of account compromise. In times of a major celebrity event – such as the death of Michael Jackson – security experts observe a surge in malicious sites with celebrity news and content. Fake celebrity sites, which are artificially pushed high in search rankings, are used to lure fans into downloading crafted attachments which infect desktops with malicious software. Using this software, hackers remotely steal usernames and passwords or use the infected computers to send spam.

TIP It is preferable to read celebrity news on reputable sites and not to open attachments such as wallpapers from chain mails or unknown websites.

Spying on your mobile

Smart phones are a handy tool to access mail, store contacts and documents and take personal pictures. Hacking the phone can reveal sensitive pictures, the owner’s movements, emails, credentials and personal information, which may affect the owner’s reputation and cause financial loss. Today, the major threat is from spyware and viruses, but mobile malware is set to predominate as cybercitizens increasingly use mobile applications for social networking, sports, health, business, news, games, travel and education. In October 2010, Google announced that a controversial application called the Secret SMS Replicator had been pulled off the Android Market. The application secretly forwarded a copy of SMSes to another phone. The company which developed the application blatantly marketed it as a spying tool and even offered an example of how it could be used to spy on a boyfriend or girlfriend suspected of cheating.

A quick Internet search will show that spying applications are freely available. A typical advertisement reads:

Intercept SMS (text) messages: Read incoming and outgoing SMS messages sent and received from the target’s iPhone. This gives you the secret ability to spy on the iPhone user’s entire SMS activity.
Secretly read call logs: Spy on the Android phone’s call history. You’ll know the name (linked to the phone’s address book) and number of all incoming and outgoing calls.
Location tracking: This will enable you to spy on the Android phone’s location by tracking the cell phone’s ID location. This is definitely not as accurate as GPS tracking, but it will give you an approximate location.

Cybercitizens need to be cautious and carefully select mobile applications from genuine publishers and app stores. Malicious applications are Trojans. They do to mobile data and reputation something like what the Trojan horse did to Troy: sneak their way in and destroy one’s defences.

TIP Safe use of mobiles
A strong passcode with the auto-erase feature set helps prevent unauthorised access to phone data.
Download legitimate mobile applications from the official app stores. Malicious applications bypass security defences and can result in spying, stealing data, making illicit calls and sending unauthorised premium SMSes or spam.
Use a mobile antivirus which includes both anti-virus and web safety features to protect against malware and phishing sites.

Best practices: Safe surfing at cybercafés

In cybercafés, where computers are shared by many users, there is a high probability of the presence of malware. Malware can be used to steal user credentials and later take over your account. Safety tips to keep in mind for a safer browsing experience from the convenience of a cybercafé are:

Avoid carrying out online financial transactions and using websites that may reveal your personal details and financial status.
Restrict the use of cybercafés to Internet surfing. Cybercafés are primarily used for chatting and emails. Consider alternatives like the use of smartphones for this purpose.
For emails, consider setting up a dummy account to which emails from your primary accounts can be forwarded. In case of a compromise, your primary email accounts will remain unaffected.
Have different passwords for all your online accounts. This can prevent the compromise of one account from affecting your other accounts.
After using a cybercafé, change all your passwords regularly from a trusted personal computer.
Log out of each account manually and ensure that your passwords are not automatically stored on the computer.
Ensure privacy of your surroundings when entering your password; people may watch you type your password in.
A cybercafé which allows you to download software onto the desktop is probably unsafe. Other users could potentially download malware onto it too.
Where necessary, use only those cybercafés that restrict users from having administrative access to their computers.

Chapter summary

Personal privacy refers to the protection of online personal data from intentional or unintentional disclosure.
Aware cybercitizens want to control their ability to “opt out”. This essentially involves being able to delete all traces of individual data collected about a subscriber’s Net usage. It also involves setting restrictions on the use of linked data (account/device to Net use) across online product estates, which could be used for advertising.
Profiles on social networks could be anonymous. We should use situational awareness and common sense when we click on a link, open attachments and accept friends on social networks.
Tweeting is a form of broadcast, which could go viral and have unintended economic and personal consequences. We should tweet with diligence as well as protect our Twitter accounts from being hacked.
Sexting involves the sharing of sexually explicit pictures. Once posted online, pictures cannot be erased easily.
Celebrities are targeted by hackers due to their status, riches and fan following. A compromised social network account will allow a hacker to circulate a malicious message among millions of trusting fans.
During major celebrity or other events there usually is a spurt in malicious celebrity news sites, which are used by criminals to download malicious software onto unprotected home computers.
Products are available which allow others to spy on your SMSes, calls and personal information on cell phones.

Chapter 5

Identity theft

Identity theft ranks among the biggest cyber security threats faced by cybercitizens. It involves stealing a person’s identity to access online accounts or resources in that person’s name. Common forms of identity theft involve financial fraud using a victim’s online banking account, broking account or credit card. The victim suffers adverse consequences if the account gets used in committing a crime. ‘Money mules’ are a classic example of a victim’s hacked account being used in money laundering by international crime rings. It is often not possible to determine if one has been a victim of identity theft until it is too late. Masked behind fictitious online profiles, identity thieves use a combination of technology and psychology to obtain a victim’s personal information and account credentials in order to impersonate them. Their methods range from exploiting human psychology (a process called “social engineering”) by convincing victims to part with information through bogus offers, to technical methods such as malware, bogus sites and ATM skimmers. Bits of information are also aggregated from what is posted online in experience summaries and social networks. Most of these methods are usually successful, as an anonymous profile is easily created and has many unverified attributes such as age, sex, criminal record or location. For an ordinary cybercitizen, it is difficult if not impossible to verify the identity of a profile on a social network or who is behind an email id. Many simply trust what is put out there. Use of stolen identities is a low-risk, high-return crime. Fraudsters feel secure behind their anonymous online identities. These, when coupled with the geographical reach of the Internet and its jurisdictional limitations, make it extremely difficult for law enforcement agencies to trace and prosecute the guilty. There is an adequate degree of protection in the form of insurance and use of best practices, but the best way around identity theft is to be aware of what information is normally sought by cyber criminals. Legitimate institutions do not ask for bank account numbers and online credentials, nor do they ask to monitor financial statements. Being aware of such facts can help to prevent and uncover early signs of identity fraud.

Webmail: threats to your online identity

Not long ago, Yahoo sent me an email thanking me for being a loyal user of their webmail service for the last eleven years. It was a moment of introspection on the manner in which my email usage had changed over the years. What was once a replacement for personal snail mail has grown into an account through which I now receive job offers, financial statements, password resets, spam, promotions, and information from my social media and other web accounts. Over the years, I grew so accustomed to using webmail that I barely realised that a compromise of my email account would severely inconvenience me. Not just that, it would throw life quite out of gear. The same is also true for the over 1000 million webmail users, some of whom also use these accounts to store and circulate intimate messages, snaps and videos. When I first created my footprint on the Internet through my Yahoo account, I did so to segregate my personal correspondence from my corporate one. I knew that anyone could snoop on my emails both on the Internet and in the office. Yet, given the choice of facing a known person versus impersonal analytic software reading my personal correspondence, and the minuscule probability that an anonymous nobody like me on the Internet would interest anyone, a Yahoo email account seemed a better option. It still is, though the chances are that my emails could be analysed for marketing purposes using sophisticated programs. Yet the filtering would remain impersonal. In these eleven years, the number of Internet users has grown vastly, due to a consumer-driven spurt in online e-commerce, social networking, the proliferation of Internet broadband, cheaper home computers, affordable smart phones and cybercafés. Poor and rich alike could become members of the Internet fraternity with free webmail. These changes made certain that personal webmail accounts became the centre of our Internet identity. They also made these accounts of utmost importance to hackers, governments and scamsters. Using webmail poses three key cyber threats:

Hackers seize email accounts by stealing passwords to gain access to our online financial accounts, or they use stored information like intimate photographs for blackmail, or even offer to restore access for a fee. The theft of email accounts is the first step to seizing our online identity. Once in control of the email account, a hacker can request a password reset on other online accounts linked to this email account and thereby gain control over those accounts too.
Governments, by law, can seize content or monitor your mail through service providers. Mail travels in an unencrypted store-and-forward manner, and email between people from two countries may pass through a third country whose government could spy on it.
Scamsters flood mailboxes with carefully crafted email scams to entice cybercitizens into their fraudulent schemes. Once hooked, a cybercitizen loses money by voluntarily parting with it or by giving away identity information such as credit card details, which could later be used by the fraudster to buy goods.

TIP Set up two email accounts, one personal and another anonymous for mailing to unknown parties, posting to newsgroups, mailing lists and chat rooms.

Passwords, the worst security tool we need to eliminate, but can’t

A username and password identifies, authenticates and authorises a user to applications – from stock trading to enterprise remote access and social networking. A typical cybercitizen owns over half a dozen passwords. Passwords are sought by hackers as they are the keys to hijacking the use of these applications. Hackers use a combination of four methods to steal passwords.

Tools and techniques to guess passwords: Passwords can be hacked using password-cracking software or guessed by trial and error. Sites which store unencrypted or poorly encrypted passwords, or with weak password construction policies, are easy targets. Another method to guess a password or an answer to a secret question is by scavenging a victim’s personal information from social networks. Most people construct passwords based on personal information, as it makes them easy to recall.

Social engineering techniques: This uses behavioural methods such as ‘phishing’ to deceive an individual into voluntarily giving away passwords in response to a perceived ‘genuine’ request from an organisation. Spear-phishing, another variant of this, targets select people such as professionals and businessmen. Phishing is used to acquire usernames, passwords and credit card details by masquerading as a trustworthy entity in cyberspace. For instance, an ‘official’ email may turn up, claiming to be from Gmail and asking you to urgently send across your username and password details. The request is couched in an official-looking email with a link to a spoofed website. Another variant is vishing ("voice phishing"), using a phone call such as an urgent telephone request from an IT staffer seeking your password to load the latest software on your laptop!

Use of malware or key loggers: Cybercriminals steal credentials from your home desktop or at cybercafés using a technique called ‘key logging’. Key logging involves recording the keys struck on a keyboard using software installed on the computer itself. This software sends the recorded keystrokes to the hacker, who extracts the username and password. Such software gets installed while surfing malicious websites or downloading applications such as games, audio, movies or tools. In cybercafés, it may be preloaded.

Over a wi-fi or wired network such as the Internet: Some applications do not use a secure encrypted channel (Hypertext Transfer Protocol Secure, or HTTPS) for logging on. This, when combined with an unencrypted home wireless network, ensures that passwords travel in clear text. It makes it easy to sniff network traffic and use free tools to recover passwords from within that traffic. Wired networks can also be compromised if the hacker gains access to network nodes such as the Internet router in the wi-fi café, or within the telecom networks. Chances of a “compromise” are reduced if the websites or applications use HTTPS to create secure channels.

A strong password and the best password policies may not be wholly sufficient to prevent password theft. So what really can protect us? Anonymity? Technology? Security awareness? A combination of all of the above? Or just luck? Being security-smart helps to reduce – not completely eliminate – the risks. None of us can simply afford to turn off the cyber-tap. Being 100% safe means having to go back to pen and paper. Technology helps to reduce the frame of exposure. Banks and large enterprises use one-time passwords or tokens to enhance the level of difficulty of effecting a password compromise, to protect access to high-value commercial applications such as Internet banking. But this too is not foolproof, and its widespread use is hampered by high cost and usability issues. Hackers have already started to find their way around these security measures by using applications that intercept and control your transactions. These can be via imitation websites or malware on a victim’s phone or computer. So sadly, we are not in the safe zone yet and will be dependent on the simple password for a few years more. Till then, take care, get lucky and be smart.

TIP: Strengthen your login by using the additional ways that account providers now offer to verify you. Google, for example, provides two-step verification, with a passcode sent by SMS or generated by an authenticator app on your phone in addition to the password; a code generated on the phone is harder to intercept than one sent by SMS.

TIP: Use strong passwords: make sure your password is longer than six characters and is a mix of letters, numerals and symbols. A passphrase of several unrelated words is longer still and easier to remember.


Exam cheat caught using a spy pen

These days, strangely enough, spy pens are openly and heavily advertised in leading dailies and sold on board flights. Spy pens copy documents, but combined with a mobile phone their use can be more inventive, such as facilitating cheating in examinations. The student in question clipped the spy pen into his shirt pocket. Each time he bent over the question paper, the camera took an image and sent it via Bluetooth to a mobile phone concealed in his trousers, which relayed it to a friend outside, who quickly sent back the answers through an earpiece. Unfortunately for the student, thanks to an alert invigilator and a CCTV monitoring system, he was caught when his apparatus failed to work and he was trying to fix it. Several such cheap spy cameras are available in the market, some built into innocuous objects like alarm clocks. They are used for monitoring people at work, conducting sting operations, recording business discussions, or filming victims in a state of undress. There are, however, very few reported instances of this form of surveillance, either because the victims choose to keep silent or because they were unaware of the incident. Since such equipment is well disguised it is difficult to detect, but it pays for women in particular to keep their eyes open in store changing rooms and public toilets.

12 ways to steal money from an ATM

To many, the ATM looks like a tamper-proof device plugged into a wall, with no visible opening through which cash could be stolen. Would you be surprised to know that ingenious fraudsters have invented over a dozen ways to steal from an ATM? Needless to say, some of the tools used can be purchased on the Internet, with prices ranging from a paltry US$1,500 to $5,000 (Rs 80,000 to 260,000). Here is a list of their innovative ways:

1. Rob the staff while they are loading cash into an ATM, or rob the customer visiting one: an old movie favourite.
2. Steal the entire ATM: dig it out of its slot, hoist it onto a pickup truck and drive away.
3. Use explosives: seal the ATM's openings, fill it with an explosive gas, blast it apart and make away with the cash.
4. Install fake ATMs stocked with real cash: collect customers' card data and PINs, forge new cards and withdraw money from genuine ATMs.
5. Steal the ATM card: you would be surprised how many people write their PIN (personal identification number) on the back of their card.
6. Befriend the driver: in countries like India, well-off people often send their driver to withdraw money from the ATM.
7. Install card skimmers: these are devices fitted over the card slot, with a built-in pinhole camera. As customers use the ATM, the device copies the card's magnetic-stripe data while the camera records the PIN. The data is later extracted and used to create cloned cards to withdraw cash.
8. Steal card data through a lookalike bank website: send official-looking fake bank emails that direct the customer to a lookalike site, which prompts for card details such as name, CVV (card verification value) and PIN. This information is then used for online purchases or to make duplicate cards.
9. Install programs that force the ATM to dish out cash: custom programs loaded onto the ATM let a trigger card activate a routine that dispenses cash.
10. Read an ATM manual downloaded from the Internet: a badly configured ATM still using default passwords allows administrative access from the customer screen. By modifying settings, cash can be withdrawn.
11. Force the ATM into an error condition while it is dispensing cash: under some error conditions an ATM hands over the cash yet reverses the transaction, so the account is never debited.
12. Use a cash trap: a special device inserted into the cash dispensing slot that retains part of the money withdrawn. The fraudster later collects the money by removing the trap.

Best practice: Safe use of ATMs

Cybercriminals want money, and stealing from ATMs offers a direct means to that end. Simple precautions greatly reduce your chances of becoming a victim. Safety tips to keep in mind while using ATMs:

- Try to use ATMs inside bank premises, which are under surveillance.
- Never write your PIN on the back of your card, share it with anyone, or key it into a website.
- Cover the keypad with your free hand while entering your PIN; this defeats the pinhole camera fitted to a skimmer.
- If the card slot or keypad looks bulky, loose or different from usual, use another machine.
- React quickly by contacting your financial institution if you receive an SMS for a withdrawal you did not make.
- Call the bank if the machine did not dispense all the money you withdrew.
- It is difficult for a layman to detect card skimmers, fake overlaid PIN pads or ATM shells, so check transaction alerts and statements regularly.

An amazing but true cyber entrapment tale

A New Jersey judge sentenced a hacker for launching a vengeful distributed denial of service (DDoS) attack on media sites that hosted a news story humiliating him. A denial of service attack is an attempt to make a website unavailable, typically by flooding it with traffic. The hacker had worked for an organisation whose members posed as children to trap paedophiles on the Internet. Shortly afterwards he fell out with the organisation's founder, whom he accused of using his son's photograph as bait, and their relationship turned bitter. The founder then posed as a fictitious online woman and started courting the hacker. Soon the hacker was in love, and entrapped. During the 'relationship' he shared incriminating pictures of himself. Later he flew to meet the online 'woman' in real life. Standing in wait at the airport, flowers in hand, for a 'woman' who never appeared, he was secretly photographed. These photographs, along with transcripts of his email exchanges, were made public to humiliate him. His wife divorced him and he lost contact with his son. In revenge, the hacker infected home computers with remotely controlled software (bots) and used them to launch a denial of service attack on the websites that carried the story. He was caught and sentenced to two years' imprisonment. The story demonstrates how a fictitious identity created on the Internet can be used to entrap and ensnare.

Believe it or not: a fake police academy

In the city of Mumbai, India, there have been several reports of crooks impersonating policemen and committing petty crime. An elderly couple from my neighbourhood were recently stopped on their way to a night party and relieved of their jewellery by fake cops. Few would have suspected that behind these impersonations was an organised crime ring, complete with its own academy for training fake cops. When the ring was eventually busted and the racket exposed, the quality of the management practices used to prepare for these crimes was truly amazing. For starters, each recruit was carefully selected on 'credentials' such as height, build, enough basic education to pick up legal terms, command of the local language and the confidence to pull off the role. Each fake cop was trained and equipped with a police uniform, identity card and handcuffs. Trainees were briefed on how cops spoke, dressed, walked and where they ate. Before entry into the gang, trained recruits were sent on test runs to con women of their jewellery or extort money from hoteliers; only if successful were they drafted in. Those who did not make it were employed for common crimes such as robbery, extortion and kidnapping. Similar impersonation is used by cybercriminals who pose as law enforcement officers, sending out mails that claim to come from law enforcement agencies. For example, a fraudulent email that appears to be from the Australian Federal Police (AFP) claims that the agency is investigating you because your credit card was used in purchases linked to known criminal organisations, and that you should not contact your bank or the local police. The intent is to scare victims into submitting personal information to 'prove their innocence'.

Password sharing, a culture among teenage social media users

Culture plays a major role in the adoption and effectiveness of security policies such as password best practices. For example, organisational cultures impose different restrictions on the use of social networking in the workplace, ranging from fully restricted to completely open. Likewise, in some countries employees would strike if they got even a hint that their emails were being read, even if only by automated means to protect against inadvertent leakage of sensitive information. An article in the New York Times compared password sharing among teenagers with sex: it is regarded as a form of affection, the ultimate sign of trust, since it lets one partner read the other's private emails and posts. In a 2011 telephone survey of 770 teenagers aged 12 to 17, the Pew Internet and American Life Project found that 30 percent of teenagers who were regularly online had shared a password with a friend, boyfriend or girlfriend, and that girls were almost twice as likely to share passwords as boys. The trend continues unabated because there is so much social pressure to comply, despite the negative fallout: the privacy of third parties is violated, especially that of people who sent mails thinking only the recipient could read them; there is the emotional impact of reading a partner's mails after a relationship goes sour; and an ex-partner can use a shared account to slander.

Best practices: Passwords one should not use

Passwords control access to computer operating systems, mobile phones, cable TV decoders, ATMs and more. Online, passwords are your best friends, but a wrongly chosen one can prove to be an enemy. Passwords need not be actual words; a password formed from multiple words (a 'passphrase') is harder to guess. Secret information that is purely numeric is sometimes called a 'passcode'. Listed below are examples of passwords you should never use. If your current password is on this list, or even something close to it, change it immediately.

- Password, 123456, 12345678, 1234567, abc123, iloveyou, qwerty, abcd1234, security, admin123, Welcome1, letmein, trustno1, 111111, master, sunshine, passw0rd, shadow, 123123, 654321, superman, qazwsx, football, monkey
- A family member's or friend's name, particularly if it is among the top 50 most popular names in your country, with or without a suffix such as 12, 123, 1234 or 89
- Your favourite or a popular football or sports team, with or without such a suffix
- Names of fruits, sports and colours, with or without such a suffix
- A password based on the site name, e.g. Facebook123, with or without such a suffix
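The list above is only useful if "something close to it" is checked as well: a guesser strips the trailing 123, undoes the 0-for-o substitution, and tries the site's own name. Here is an added example (not code from the book) of a checker that does exactly that normalisation before comparing against the list. The blocklist is the book's list; the name, team and word sets are short constructed stand-ins for the top-50 names and full dictionaries a real checker would load, and the eight-character minimum is this example's assumption, stricter than the tip above.

```python
import re
from typing import Optional, Tuple

# The passwords listed above, exactly as printed.
BOOK_LIST = [
    "Password", "123456", "12345678", "1234567", "abc123", "iloveyou", "qwerty",
    "abcd1234", "security", "admin123", "Welcome1", "letmein", "trustno1",
    "111111", "master", "sunshine", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "football", "monkey",
]
# Constructed stand-ins (assumption): real deployments load full lists.
NAMES = {"john", "david", "michael", "priya", "rahul", "amit", "neha", "sunita"}
TEAMS = {"arsenal", "chelsea", "liverpool", "barcelona", "juventus", "mumbaiindians"}
WORDS = {"apple", "banana", "mango", "orange", "cricket", "tennis", "hockey",
         "red", "blue", "green", "black", "yellow"}

MIN_LENGTH = 8  # assumption: stricter than the "longer than six" tip above

# Undo the usual letter-for-digit substitutions (passw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# A short trailing run of digits/punctuation: the 12, 123, 1234, 89, @123 habit.
SUFFIX = re.compile(r"[0-9!?.&#$@*]{1,5}$")


def normalise(pw: str) -> str:
    """Reduce a password to the 'word' a guesser would start from: lower-case it,
    drop a short trailing suffix, and undo leet substitutions."""
    s = pw.lower()
    if not re.search(r"[a-z]", s):
        return s  # purely numeric or symbolic: compare as typed
    base = SUFFIX.sub("", s)
    if re.search(r"[a-z]", base):
        s = base
    return s.translate(LEET)


BLOCKLIST = {normalise(p) for p in BOOK_LIST}


def is_weak(pw: str, site: Optional[str] = None) -> Tuple[bool, str]:
    """Return (weak?, reason). `site` is the name of the service the password is for."""
    if len(pw) < MIN_LENGTH:
        return True, "too short"
    norm = normalise(pw)
    if norm in BLOCKLIST:
        return True, "common password"
    if norm in NAMES:
        return True, "common name"
    if norm in TEAMS:
        return True, "sports team"
    if norm in WORDS:
        return True, "fruit, sport or colour"
    if site and site.lower() in norm:
        return True, "derived from site name"
    if len(pw.split()) >= 4:
        return False, "passphrase"  # several words: the length does the work
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return True, "too few character classes"
    return False, "ok"


if __name__ == "__main__":
    for candidate, site in [("Welcome1", None), ("p@ssw0rd!", None), ("Rahul@123", None),
                            ("Facebook123", "facebook"), ("correct horse battery staple", None),
                            ("Tr0ub4dor&3", None)]:
        print(f"{candidate!r:32} -> {is_weak(candidate, site)}")
```

Note that "p@ssw0rd!" and "Welcome1" are both rejected as the common password they are built on, which a plain string comparison against the printed list would miss.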


Best practices: Safe online banking

Online banking (Internet banking or e-banking) allows financial transactions via a secure website. To use it, a customer first registers with the bank for the service, and a password is set up for customer verification. The customer then goes to the bank's website and enters the online banking facility using a customer number and password. Cybercriminals can steal online banking credentials (user IDs or passwords) or card details (debit or credit card numbers, PIN or CVV) and use them to transfer funds out of your account or to make online purchases. There are three main ways they obtain such information.

1. Schemes where the victim gives away credentials willingly, in reply to an unsolicited email or a 'verification call' from the 'bank'.

Never reply to requests, or act on instructions, received by email or phone to share your Internet banking credentials (user IDs or passwords) or card details (credit or debit card numbers, PIN or CVV). Banks do not ask for this information. If a bank employee requests it, report the matter to the bank as an official complaint. Do not share your credentials with friends, family or employees whom you ask to undertake transactions on your behalf; they may misuse the information or fail to protect it.

2. Schemes where the victim is directed to a bogus lookalike banking site that captures the credentials entered, while leading the victim to believe a genuine transaction is in progress.

Genuine sites of reputable financial organisations usually display a verification or trust seal, typically at the right end of the address bar of the browser. Clicking on it shows the independently verified registration details of the site owner; check that the organisation named is actually your bank. Always type the address of the website yourself or store it in your list of favourites. Cybercriminals embed similar-looking URLs in emails to direct victims to fake websites, or register mis-typed versions of the real address. Look for a padlock symbol in the browser, either in the status bar or in the address bar. This matters because it indicates that your credentials are encrypted in transit. It is not, however, a foolproof indicator that the site is genuine: a fake site can have a padlock of its own.

3. Schemes where malware is used to steal credentials, or your password is cracked.

Use endpoint security software that includes an antivirus, a personal firewall and anti-phishing protection, and keep it current through regular updates. Use virtual (on-screen) keyboards wherever the site offers them; these thwart simple keystroke loggers, though not malware that captures the screen. Do not use the same password for all online accounts. Websites of different organisations have varying levels of security, depending on their business and finances, and the compromise of a poorly secured website can give easy indirect access to other accounts such as Internet banking.

Use security features such as a one-time password sent to your mobile for authorising financial transactions, and have all transactions against your bank account and cards reported by SMS to your mobile phone. This alerts you immediately to fraudulent transactions, which you can then report quickly to the financial institution. Simple passwords are guessed easily; choose strong passwords with a combination of upper and lower case letters, numerals and special characters. Shred sensitive paper statements, so that the information banks and credit card firms use to verify customers cannot be recovered from your rubbish; such information can be used to change home addresses and telephone numbers, reset your password and steal your identity. Log out of your session manually on every computer rather than waiting for it to time out. Do not use cybercafés for financial transactions, as the computers there may be infected with credential-stealing malware. If you suspect that your credentials have been compromised, or you find unexplained transactions on your account, report the matter to the financial institution immediately via its customer care or other appropriate channels.
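The lookalike-site advice above can be turned into a mechanical check on the links in a suspicious email. The following is an added example (not code from the book) that extracts every link from an HTML mail body and flags the tricks the text describes: a plain http link that would send credentials in clear text, a bare IP address, a hostname with non-ASCII characters (a Cyrillic letter standing in for a Latin one), the bank's name buried inside somebody else's domain, a domain one or two letters away from the genuine one, and link text that shows a different address from the one the link actually goes to. The bank hostnames, the sample message and all function names are this example's own; examplebank.com is a placeholder, not a real institution.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder hostnames for the bank the customer actually uses.
GENUINE_HOSTS = {"www.examplebank.com", "examplebank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part suffixes
    such as .co.uk; a real checker would consult the Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


GENUINE_DOMAINS = {registrable_domain(h) for h in GENUINE_HOSTS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-letter-off lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_url(url: str):
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), (parts.hostname or "").lower()


def assess_link(href: str, text: str) -> list:
    """Return warning codes for one link; an empty list means nothing suspicious."""
    findings = []
    scheme, host = split_url(href)
    if not host:
        return ["no-host"]
    reg = registrable_domain(host)
    if scheme != "https":
        findings.append("unencrypted")        # credentials would travel in clear text
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal")         # banks do not log you in at a bare IP
    if not host.isascii():
        findings.append("non-ascii-host")     # possible homoglyph (e.g. Cyrillic 'a')
    for genuine in GENUINE_DOMAINS:
        brand = genuine.split(".")[0]
        if reg != genuine and brand in host:
            findings.append("brand-in-other-domain")  # examplebank.com.evil.net
        if 0 < levenshtein(reg, genuine) <= 2:
            findings.append("lookalike-domain")       # exampIebank.com
    shown = text.strip()
    if re.match(r"^(https?://|www\.)", shown, re.I):   # link text that looks like a URL
        if not shown.lower().startswith("http"):
            shown = "http://" + shown
        _, shown_host = split_url(shown)
        if shown_host and registrable_domain(shown_host) != reg:
            findings.append("display-mismatch")      # text names one site, link goes elsewhere
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email_html(html: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample phishing mail (not a real message). The third link uses
# \u0430, the Cyrillic letter 'a', in place of the Latin one.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended. Verify now:</p>
<a href="http://examplebank.com.secure-verify.net/login">https://www.examplebank.com/login</a><br>
<a href="https://exampIebank.com/verify">Verify your card</a><br>
<a href="https://exampleb\u0430nk.com/">examplebank.com</a><br>
<a href="http://203.0.113.5/bank">Click here</a><br>
<a href="https://www.examplebank.com/">Genuine link</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(f"{href:55} -> {', '.join(findings) or 'looks genuine'}")
```

Only the last link in the sample comes back clean; the second one, with a capital I in place of the l, is indistinguishable from the real address in many fonts, which is exactly why the text tells you to type the bank's address yourself rather than click.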


THE SECRET: Passwords are often the only line of defence one has against intrusions into our email, social networks or corporate systems. Hackers try to guess our passwords through a combination of intuitive and technical methods. Creating strong passwords is a must for the safety of any cybercitizen. Tom shows us how it should, and should not, be done.

...


Chapter summary

Identity theft is one of the biggest security issues facing cyber-users today. It involves stealing a person's identity in order to access resources in that person's name. Common forms involve financial fraud using a victim's online banking account, broking account or credit card. The victim can suffer serious adverse consequences if the account has been used to commit a crime. Anonymous profiles make it harder for law enforcement to trace and prosecute criminals. Webmail accounts are attacked by hackers because they can be used to gain access to linked financial accounts through the password resets tied to the email account. Choosing a strong password is the best safety mechanism. Hackers use a combination of malware, password-guessing tools and social engineering to steal passwords. Cloned ATM cards and credit cards are used to withdraw money from bank accounts and buy goods online.


Chapter 6

Email Scams

Stay Safe, Cybercitizen | Lucius Lobo

Ninety percent of email traffic is junk mail, and a small portion of that is fraud-related. Email scams are sure to have reached the mailbox of every cybercitizen, and they account for a large portion of the cybercriminal's revenue. The crime is low-tech, low-risk and low-cost, and it provides such good returns that entire communities now engage in it. Online scams are con schemes that dupe cybercitizens by preying on their desires for quick money, companionship, weight loss and what not. They come in various formats, from email and SMS scams to phone, fax, postal and online scams (which often arise on trading or social networking websites). The most popular scams relate to travel and vacations, bogus jobs, fictional sales, lotteries, advance fees, dating, health, auctions and investments. Some common examples:

- Health and diet scams promising quick fixes and amazing results, on subjects ranging from sexual enhancement to weight reduction. These products, if they arrive at all, may be counterfeit and sometimes even dangerous to use.
- Lottery scams promising a prize, followed by a request for the 'winner' to send an 'administration fee'. After this is paid the prize never appears or, if it does, is a cheap item worth less than the fee itself.
- Online dating scams, in which victims befriended online end up paying the airfares and other expenses of a fraudster posing as their online sweetheart.
- Stock manipulation scams, in which fraudsters acting for promoters use hackers, email spammers and botnet[1] operators to pump up the price of selected stocks and sell for a profit. The process begins with misleading stock performance information spread to create a market buzz, while traded volume is inflated through hacked third-party brokerage accounts: existing shares in the hacked accounts are sold to fund purchases of the stock being pumped, driving up both volume and price.
- Advance fee frauds, which catch a surprisingly large number of victims. The fraudster entices the victim into a bogus plot to acquire a large sum of unclaimed cash lying in a bank, usually by acting as the 'agent' or beneficiary through whom the money is transferred abroad, in return for a share. During the process the victim is asked to pay a processing charge; once paid, the fraudster pockets the money and disappears.

A typical advance fee email runs along these lines: the writer introduces himself as an auditor at a bank who has discovered a dormant account, untouched since 2000, belonging to a deceased foreign customer and holding over ten million US dollars; he warns that unless it is claimed the money will end up with the bank's directors or be seized by the government; he asks the recipient to pose as the foreign beneficiary and promises a share; he mentions that a 'small' sum will be needed to procure the clearance documents; and he urges an urgent reply to his private email address or telephone number.
[1] Botnet: a collection of compromised computers linked to the Internet and used for malicious purposes.


Cybercitizens cannot turn to technology alone, such as spam filters, to eliminate frauds like these. The human brains behind such operations constantly experiment with new ways to evade automated filters. Cybercitizens have to use prudence and judgment to avoid falling for the schemes contained in fraudulent emails that reach their inbox.

TIP: Turn your computer off and do not leave it connected to the Internet when not in use. If infected, it may be used by cyber criminals as a tool for their crimes.

Falling prey to online scams

In some cities online scamming is a local industry. Illiterate millionaire kingpins exploit the leniency, and lack of awareness, of local police forces towards non-violent crime, especially crime against citizens of affluent Western countries. A Wired report by Yudhijit Bhattacharjee titled 'How a town in Romania has become CyberCrime Central' explains how one small city of 120,000 earned the nickname Hackerville. The town has a thriving industry of online crooks who specialise in ecommerce scams and malware attacks on business. Such is the scale of these frauds that they have raked in tens of millions of dollars, which has fuelled the building of new apartment blocks, nightclubs and shopping centres. A 2006 Fortune article on the scam industry in Lagos, titled 'Online Scams create "Yahoo! millionaires"', writes about "teenagers like Akin working for a 'chairman' who buys their computer time and hires them to extract e-mail addresses and credit card information from the thin air of cyberspace. Akin's chairman, who is computer illiterate, gets a 60 percent cut and reserves another 20 percent to pay off law enforcement officials who come around or teachers who complain when the boys cut school."

Cybercriminals use variants of four generic methods to sucker cybercitizens:

- Confidence is won through a clever scam story, and the victim is either defrauded or made an active participant in the cybercrime through acts such as money laundering. These stories prey on the victim's greed and emotions, and are so believable and well tested that the same stereotyped themes are used over and over with minor variations.
- The victim pays for items on a legitimate auction site, but into the compromised account of a genuine account holder or into a fake account. Either way, once the money is collected the goods are never delivered.
- The victim of a phishing attack unknowingly provides details of a valid bank or credit card account, which the scammer then uses to withdraw funds. Phishing attacks have become more sophisticated and harder to detect of late because of the improved quality of imitation sites.
- The victim's desktop is compromised by technical means such as key loggers, which capture usernames and passwords and send them to the hacker. Cybercitizens are unaware that their accounts have been compromised until they fall victim to financial fraud, receive complaints from friends who get fraud mails from their email ID, or hear from law enforcement.

Cybercitizen awareness has been growing, but tricksters are innovative too. The best protection is prevention. It is often impossible to recover money stolen by scamsters who run an illegitimate business far away in another country, and frequently a needless hassle to try to recover a few hundred dollars.


TIP: Ensure that you have current, updated versions of the software on your computer (security software, operating system and browsers). Updates can be automated.

Best practices: Online trading

Safety tips while trading online:

- Before you buy, check the store's and the seller's reputation through website reviews or verification of a physical address, to establish the legitimacy of the party you are dealing with. Keep in mind, however, that online reviews can be manipulated to build or destroy a reputation.
- Keep computers updated with the latest antimalware (antivirus) solution; this reduces the risk of malicious software remaining undetected and blocks further downloads of known malware. If malware was present on your computer, change your passwords. In any case, changing passwords periodically reduces the window of exposure should you have been compromised without knowing it.
- Review financial and credit card statements for unknown charges. Incorrect entries or suspicious transactions are a warning that online financial accounts have been compromised. If so, contact the financial institution immediately, consider reporting the attack to the police, reset online passwords and ATM PINs, and check your home computer for malware.
- Be aware of what details legitimate sites ask for before entering into a transaction. Acquaint yourself with the site's procedure and compare it with similar sites; this helps you decide whether the site, or a communication from it, is genuine.
- Be wary of unsolicited mail, especially with attachments and embedded links. Learn to distinguish bogus communications claiming to be from banks, auction sites and other financial institutions, specifically those asking for personal or account information, which institutions never request electronically.
- Keep records of online transactions, such as receipts and copies of emails, which can be used in investigations.
- Before entering into a transaction on an ecommerce site, verify its legitimacy and read its transaction instructions, security guidelines and FAQs. This helps you avoid fraudulent sites and bogus emails asking for personal data that is not part of the buyer and seller process.
- Use sites that encrypt financial transactions. You can verify that a transaction is encrypted by the closed padlock in your web browser's address bar and an address that begins with https rather than http.

Email scams, a multi-billion dollar business

Every day spammers belch out an estimated 200 billion unsolicited emails from across the world. Typical spam promotes sexual enhancers, pharmacy deals, loans, replicas, pornography, software, jobs or academic offers, degrees-without-studying, stock deals, casino offers and other such advertisements. Ten percent (or 20 billion) of these emails are mutated versions of outright frauds or scams of some sort. They promise cheaper drugs (of unknown quality) or lottery wins, seek an advance fee for some service like a money transfer (in some cases actually money laundering), or offer fake degrees and fake jobs. Scamsters also request personal details to help them steal identities: they use personal banking data, passports, driver's licences or credit card information to open accounts, buy things and take loans in the victim's name, and never pay. These crimes leave the victim facing creditors and law enforcement agencies. Scamsters earn well enough to sustain large global operations, which are often run by criminal gangs rather than individuals. Their income helps fund further scam operations, amusements, the opening and maintenance of drug routes, or possibly even terrorism. They rarely get caught; it is usually the victim who ends up having to deal with law enforcement agencies. Scamsters prey on gullible people and their desire for quick riches and easy pleasure. They win trust through convincing tales, pretending to be lawyers, claims agents, bankers or law enforcement agents, using any title that will convince people they are legitimate. Once a person starts communicating with the scammer, an agent at the back-office operation marks the person: each agent notes the victim's name and the assumed identity (banker, lawyer or whatever role the scam calls for) on the back of the cellphone, so that one operator can manage multiple victims. Such scamsters are difficult to trace, as they operate predominantly from Third World countries. Individuals who get conned and actually travel to these countries to find the scamster could end up being held for ransom, or facing the risk of death.


Email scams may cost your life

A Korean man and his daughter visited South Africa to collect their 'winnings' from a million-dollar lottery. At the airport they got into a hired taxi, which drove them to a house in Soweto. There the two, along with the taxi driver, were held hostage, and a ransom of ten million dollars, to be deposited in Singapore, was demanded from the man's wife. Fortunately the driver escaped and informed the police, and the pair was rescued. The Koreans were so traumatised that they hastily left the country without giving evidence. They were lucky to escape with their lives. Email scams are only a small percentage of all the spam sent. Normally they con victims out of an advance fee, demanded to 'complete the formalities' needed to send the lottery winnings to the 'winner'. The danger increases manifold when the victim actually visits another country to collect the 'winnings' or recover money, and can be held for ransom or even killed. Cybercitizens should understand that one cannot win a lottery one never entered. No money comes free or by chance. Human psychology is such that even when told the email is a scam, many people believe it to be true, because the lure of a chance that may change one's entire life is very appealing, and comprehension of cyber risk is relatively low.


THE LOTTERY: Cybercriminals specialise in creating believable schemes to dupe trusting individuals into parting with their money. Tom unfortunately was duped in one such scheme in ‘The Lottery’.


Best practice: Escaping email scams

One can identify scam emails using common sense and some knowledge of scam formats. Safety tips to keep in mind to avoid email scams are:

Ask yourself why you received an email promising a win or money when you did not enter a contest.
Do not reply to emails about schemes which seem illegal, such as helping individuals transfer money out of bank accounts or countries.
Insert the subject of the suspected email into Google’s search box. The results will point you to similar scams reported by other people.
Do not click on any links within the email.
Do not reply to the email, even with incorrect information, to find out if you can trace the scamsters. It is a futile pursuit.
Be suspicious if personal details are asked for.
Do not visit any websites provided as links in these emails; they may result in malware being installed on your computer. Also remember that websites – including lookalikes of legitimate websites – can be hosted by just about anyone.
Remember that webmail IDs do not require identity verification and a single individual can set up many accounts in different names.
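The tips above, turned into a small triage check, as an added example that is not code from the book: it reads a constructed scam message and a constructed ordinary work message, flags the scam formats the chapter describes (an unsolicited win, an advance fee, a request for personal or banking details, a sender on free webmail claiming an institutional role, and a link whose host does not belong to the sender’s domain), and gives a verdict. The sample messages, the webmail list and the keyword patterns are constructed assumptions for the example, not data from the book.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail): a lottery / advance-fee scam and an ordinary work mail.
SAMPLE_SCAM = """From: "Euro Lottery Claims Dept" <claims.agent2012@gmail.com>
To: victim@example.org
Subject: Congratulations! You have won 1,000,000 USD

Dear Winner,
Your email address was selected in our international lottery draw.
To process your winnings, pay the processing fee of 450 USD and send a
copy of your passport and bank account details.
Claim here: http://euro-lottery-c1aims.example/claim
"""

SAMPLE_LEGIT = """From: "Team Lead" <lead@example-corp.com>
To: staff@example-corp.com
Subject: Sprint planning moved to Tuesday

Hi all, the planning meeting moves to Tuesday 10:00. Agenda unchanged.
"""

# Free webmail providers (constructed list, not exhaustive). The chapter notes that webmail IDs
# need no identity verification, so a "claims department" writing from one is a red flag.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Institutional roles a scam sender typically claims in the display name.
INSTITUTIONAL_ROLE = re.compile(
    r"\b(lottery|bank|claims?|agent|lawyer|barrister|attorney|officer|department|dept)\b", re.I)

# Scam formats described in the chapter: unsolicited wins, advance fees,
# requests for personal or banking details, and money transfer schemes.
SCAM_PATTERNS = {
    "unsolicited_win": re.compile(r"\b(you have won|winnings?|lottery|jackpot|selected in our)\b", re.I),
    "advance_fee": re.compile(r"\b(processing|transfer|handling|courier|clearance)\s+fee\b", re.I),
    "personal_details": re.compile(
        r"\b(passport|driver'?s licen[cs]e|bank account|credit card|social security)\b", re.I),
    "money_transfer": re.compile(r"\b(transfer (of )?funds|move (the )?money|beneficiary)\b", re.I),
}

URL_RE = re.compile(r"https?://[^\s<>]+", re.I)


def triage_email(raw: str) -> dict:
    """Match one message against the scam indicators and return them with a verdict."""
    msg = message_from_string(raw)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""     # multipart mail is out of scope here
    subject = msg.get("Subject", "")
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    indicators = []
    # An institutional role claimed in the display name, sent from a free webmail account.
    if sender_domain in WEBMAIL_DOMAINS and INSTITUTIONAL_ROLE.search(display_name):
        indicators.append("institution_on_webmail")

    text = subject + "\n" + body
    for name, pattern in SCAM_PATTERNS.items():
        if pattern.search(text):
            indicators.append(name)

    # A link whose host is not under the sender's domain: throwaway or lookalike hosting.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if sender_domain and host and not host.endswith(sender_domain):
            indicators.append("link_host_mismatch")
            break

    # Scams combine several indicators; a single keyword hit is only "suspicious".
    if len(indicators) >= 3:
        verdict = "likely_scam"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_LEGIT):
        print(triage_email(sample))
```

The verdict is deliberately conservative: one keyword alone (a genuine bank writes the words "bank account" too) only marks the message as suspicious, while the combination the chapter describes, a win you never entered plus a fee plus a request for documents from an unverifiable sender, reaches the likely-scam threshold.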


Chapter Summary

Online scams are schemes to defraud cybercitizens. They come in various formats – from email and SMS scams to phone, fax, postal and online scams (via trading or social networking websites). The most popular scam types are those related to travel and vacations, bogus jobs, bogus sales, lotteries, advance fees, dating, health, auctions and investments. Email scams are a low-tech, low-risk, low-return business undertaken at scale. Scam mails have a global volume of 20 billion emails a day. Scamsters develop elaborate schemes to prey on gullible people and their desires for riches and pleasure. They manage to win trust through convincing tales and by pretending to be lawyers, claims agents, bankers or law enforcement officials, using any title to convince people that they are legitimate. Once scammed there is no refund, as the scamsters run an illegitimate business far away in another country, and it is a futile task to try and recover the few hundred dollars one was conned of. Use common sense, best practices and knowledge of scam formats to identify and evade email scams.


Chapter 7

Corporate Espionage

Espionage occupies media attention due to several discoveries of high-profile spy rings stealing government, military and corporate secrets. Corporate espionage involves the theft of a company’s intellectual property, business plans and proposals by the competition. Corporate espionage is serious business and has turned into a new stream of revenue for hackers. A large, billion dollar equipment provider that filed for bankruptcy discovered that hackers had spied on the company for nearly a decade, and had access to business plans, reports, emails and other documents. They managed this by stealing passwords from top company executives and installing spyware they controlled remotely. Could this be the reason why the billion dollar firm lost its competitive edge and became bankrupt? Such events affect several thousand employee jobs and leave customers worried about the potential exploitation of security defects in products they have purchased. This form of espionage is in no way less thrilling than the movies, as it combines stealth, technology, high investment, entrapment and attractive remuneration, and takes place over a period of time. A key espionage technique involves social engineering or honey-trapping employees to obtain privileged access and information.

Corporate moles

Employees are turned into moles through blackmail, by preying on their disgruntlement, or by luring them using money or sex. Moles have a damaging impact on business. They leak sensitive information such as business plans and product designs to competitors. Once a mole is embedded, it would not be unusual to find that a tender was lost due to a minuscule price difference, a competitor launched a similar-looking product a few weeks earlier, or the organisation lost money because crucial records were deleted. Employees who become moles have typically been in service for several years and have built strong personal equations and trust within the organisation. They have unfettered access to information of value. A small fraction of employees belong to this category, though they differ in rank from the CEO to the office boy who prints and binds business proposals. Corporate espionage also takes place through the use of professional agencies which install spying devices such as micro cameras or microphones, through bribed house-cleaning staff, and through professional hackers. Detecting corporate espionage is a complex and employee-sensitive issue, as people do not like their trustworthiness to be in doubt.


Best practices: Detecting corporate espionage

Detecting early signs of corporate espionage requires companies to be alert and to institute anti-espionage processes and systems. Anti-espionage tips to keep in mind are:

Top management should pick up early signs: Instances such as bids lost by thin margins or leaked product designs are early-warning signals of corporate espionage that top management should be attuned to, so as to pick them up immediately.

Establish a policy and a corporate anti-espionage team: Establish a formal corporate anti-espionage policy, process and team to develop controls, implement them and monitor potential espionage activities.

Know what information is valuable: Identify valuable information and the employees that have access to it. Use this information to devise a need-to-know and need-to-access policy.

Regular background checks and peer surveillance: Peers are best able to detect early signs of corporate espionage, such as an individual’s change in emotional behaviour, a sudden interest in matters which do not concern the employee, unusual browsing of files, or even out-of-workplace signals such as gambling habits, excessive debt or spending beyond one’s means. Most organisations conduct a background check during the joining process and do not repeat the process periodically. Such checks cannot be fully relied upon, as employees are converted into moles only once they have become trusted and have stayed in service for several years.


Technology may not be the only solution: Corporate espionage results in the exposure of what is termed unstructured information – such as proposals, business plans, product designs and product prices. These files, created by individual employees using word processing software, are difficult to monitor electronically as they are stored without any structure on desktops, file servers and mobiles, and even in email attachments. Checks like monitoring emails, restricting access to portable media and technologies like DLP (data loss prevention) help reduce risk by acting as deterrents.

People remain our best defence: Employees should be trained on the role they need to play in the prevention and detection of corporate espionage. Money could be a key factor in motivating moles. Building loyalty and paying key employees well can reduce their susceptibility to conversion.

Set up a confidential reporting channel: Set up a reward-based system for employees to report if they are propositioned, or if an attempt is made to coerce them. They should also have a chance to report suspicious behaviour of fellow employees, akin to a whistle-blower policy. The process must give employees confidence that their report will be treated confidentially and in the proper manner.

Industry feedback: What the marketplace grapevine has to say about an employee provides an indication of loyalty. Rumours about an employee’s integrity, or a complaint raised by a vendor due to a demand for a bribe, are common examples. Institute a system to receive, examine and act on such feedback.


Honey traps

Search engines can be used to honey trap businessmen, politicians, bureaucrats, military officials or others in influential positions. Honey traps are the oldest form of extracting military secrets or political favours, and of indulging in corporate espionage, by ensnaring individuals into sexual relationships followed by blackmail, which ensures their continuing cooperation. There are several reports of high-ranking officials who have been honey trapped into revealing sensitive and secret information on policy, negotiations and the weaknesses of other officials. An intelligence report claims that certain countries are training agents to use as honey traps for corporate espionage. A naval officer negotiating the retrofitting of an aircraft carrier was allegedly honey trapped by an agent of the seller, compromising the ongoing negotiation, which resulted in a price escalation of several billion dollars. In order to set a honey trap, a fundamental requirement is to study a victim’s behaviour, identify weaknesses and create opportunities for exploitation. For instance, once a senior government official surfs for pornography, monitoring the sites visited and images viewed by him would reveal his sexual preferences. Social networking sites connect related individuals using prompts such as “People you may know”. This feature can be manipulated to introduce “honeys” that meet the target’s sexual preference. Once the bait is sprung in the online world, it translates into physical contact, blackmail and information extraction. Online honey traps make it easier to gain access to individuals who might otherwise be difficult to reach.


Best practice: Keep confidential information secret at airports

Confidential information is made public in airports or on board flights when people overhear a loud conversation or see work on an open computer. Safety tips to keep in mind while at airports are:

Do not converse loudly at airports, as these are crowded areas frequented by competitors and the media.
Information displayed on computer screens can be viewed by passengers in the adjoining seats and those who walk the aisle. Avoid working on business presentations on board.
Don’t conduct financial transactions or use applications like e-mail and instant messaging on an open airport wifi, as such networks are usually unencrypted and a hacker can easily capture wireless traffic (your transaction information) with the help of software tools.
Hackers set up dummy open access networks in airports which, if you connect to them, may be able to record your communications such as email and instant messaging. Ensure that you select a genuine wifi network from a telecom service provider or airport authority.


CORPORATE ESPIONAGE: In 2011, there were many alleged large cyber-espionage attacks, some with names like Operation Aurora and Operation Shady Rat. Corporate espionage occurs by entrapment (honey trapping) or technical interception of emails and data. Tom was a hardworking salesman who became a victim of corporate espionage.


Chapter summary

Corporate espionage is a new source of revenue for hackers which involves the theft of a company’s intellectual property, business plans and proposals by the competition. Corporate espionage combines stealth, technology and high remuneration. Espionage targets key employees in the company through blackmail, enticement and social engineering, seeking to convert them into moles. Moles are recruited from among trusted employees who typically have been in service for several years and have access to privileged information. Sexual entrapment, or honey trapping, is a common method of blackmailing employees into becoming moles. In the government and military world there are several cases of high-ranking officials who have been honey trapped into revealing stances on policy, negotiations and the weaknesses of colleagues. Detection of corporate espionage requires institutional policies, systems and peer surveillance. Top management should keep their eyes open for instances where their company’s bids are lost by thin margins or competitors launch copycat products earlier.


Chapter 8

Security at Work and at Play

The recent spate of high-profile attacks by cyber criminals, hacktivists, and government- and company-sponsored spies shows how vulnerable organisations are. Some have paid up several hundred million dollars in penalties and lawsuits, not counting lost sales. Organisations, just like individuals, have their own set of confidential and personal customer data to safeguard against loss, or theft by competitors and criminals. Employees have a responsibility to protect such data using security best practices. Employees, their actions and particularly their attitude towards corporate security play a vital role in the defence against cyber attacks. Employees bring personal computing devices such as tablets into the workplace, work from home and increasingly use the corporate network for personal tasks such as social networking, surfing and online shopping. These actions open up new vistas for cyber criminals to gain access to corporate environments.

Most companies have social networking policies in place which allow full or partial access, or simply deny access, to social networks from the workplace. The extent of access allowed depends upon an organisation’s fear of lost productivity, the cost of higher bandwidth usage, security threats due to factors like malware, violation of corporate policy (viewing adult content, encountering legal issues) and fear of employees posting uncensored content (against other employees or revealing corporate information).

Organisations usually conduct company-wide security awareness programs. But these are not effective if they do not result in a change in the attitude of employees, so that they appreciate the seriousness of, and act on, security risks. For example, when an employee posts online, responds to comments or authors a blog, the fine line between business and personal information has to be upheld. Such posts must not tarnish the reputation of the company or its policies, result in a loss of intellectual property, adversely affect competitive business information or make it liable for legal action. Employees have a written or unwritten responsibility to follow corporate protocol on what can or cannot be written online about their company, either in their personal or professional capacity.

Many employees freely discuss confidential matters in public areas like airports, bars, golf courses and even the gym. One can routinely pick up confidential chatter from employees conversing in such places, or view sensitive business presentations on open laptops being worked on aboard flights. Besides lost business, these conversations could be life threatening. Conversations between groups of builders and jewellers in a Mumbai gym were reportedly picked up by the underworld through a network of gym trainers who listened in. The underworld then issued extortion demands which, when not met, resulted in physical threats, intimidation through random firing outside builders’ offices and even an assassination.

Companies sometimes monitor the actions of their employees – not to intentionally violate personal privacy but to avoid lawsuits and prevent data loss arising out of mistakes, corporate espionage, theft, and actions by disgruntled employees. Progressive organisations are transparent about what they monitor.

As citizens we play a vital role in minimising cybercrime by not participating in unlawful acts such as piracy, keeping ourselves and our children aware of cyber security, reporting cyber crime to law enforcement and working with government and schools to build a cyber-aware nation. Protecting ourselves offers a collective benefit. For example, when we install and keep updated our home computer antivirus, we prevent it from being used as a staging point by hackers to commit crimes on fellow cybercitizens. As cybercitizens it is a civic responsibility to encourage our respective governments to invest in four areas for a safer future:

Creation of an ecosystem for safe business transactions by establishing standards for online business, crime control and reporting.
Creation of an ecosystem for lawful use of the Internet, by investing in a cyber legal framework, cyber law enforcement and a cyber judiciary.
Development of effective international policies to deal with cross-border issues such as fighting cybercrime, piracy and the regulation of online content.
Promotion of cyber security awareness in industry, the media and the curriculum, and the declaration of a national cybersecurity day.


Product launches and other secrets that companies need to keep

When Apple releases a new product, the event is shrouded in absolute secrecy, keeping customers guessing as to the product’s new looks and features. Customers love a mystery, and deliberate suspense augurs well for the brand, causing long lines at product stores. Ironclad security around Apple prototypes involves the use of private jets, windowless rooms, storage cases padlocked to tables whose wood grain signatures are photographed, and much more. The launch of a new consumer product is just one of the five reasons why companies need to maintain secrets. These are:

Safeguard New Product Development: One of the biggest business-threatening situations companies face is the launch of copycat products before their own new products hit the market. This usually happens when competitors get wind early of the new product features through common suppliers, former employees who crossed over, or just loose talk by current employees. Some companies employ spies to surreptitiously monitor the new product development of competitors. The problem becomes acute in highly competitive industries like telecommunications, where new product plans are frequently launched to churn customers from the competition, or in the investment-intensive pharmaceutical business. Safeguarding product development from concept to market requires the adoption of information security processes that prevent information leakage at each step of the product lifecycle.

Customer Data Privacy: Keeping customer data confidential is a compliance requirement mandated by law and industry regulations. Companies have to ensure the confidentiality of customer personal data such as medical history, banking transactions, credit card information, mobile call details, addresses, telephone numbers and social security numbers. Most recent breaches exposed credit card details and email addresses which hackers use to earn revenue through email scams and credit card misuse. Companies build systems and processes to ensure data privacy by implementing security management systems such as ISO 27001 as well as compliance with specific control frameworks such as the payment card industry standard.

Keep Design Secrets under Wraps: Companies invest a lot of money in product designs and proofs of concept for future products or technologies. Access to such designs by competitors helps them to shorten their own design cycles or even to patent stolen ideas first. Some ideas and designs are protected through patents, but a vast majority need to be kept secret as they may not be cost effective to patent, or may not be patentable. Safeguarding these designs requires a secure product vault where access to and modification of digitally stored designs are carefully controlled and monitored. Companies restrict the movement of data and images out of product development centres by preventing access to email and banning the use of mobile phones with cameras and removable data media. In addition, care has to be taken to protect these secrets when shared with suppliers, using contractual clauses and mandates to ensure the supplier’s adherence to security best practices.

To Defraud the Company: The Sarbanes Oxley Act of the United States was enacted specifically to tackle the deliberate manipulation of key revenue and profit figures to paint an unrealistic image of a company’s performance. Quarter on quarter growth and incentives tied to an executive’s performance led to the manipulation of key statistics, thus misleading investors and financial institutions. Frauds where executives profiteer through decisions favouring their incentive-based targets are not uncommon. Audit firms bear the brunt of the responsibility to ensure that the financial statements prepared are accurate and that the firm has policies to minimise internal corruption.

To Protect Business Interests: Many a time, business decisions have an impact on suppliers, customers or employees if known widely in advance. Layoffs and product end-of-life decisions are some examples. Securing key business information relating to strategy, bids and costs is also of prime importance to ensure that competitors do not gain the upper hand. Besides these, there are confidentiality requirements mandated by regulations or law, such as on data which may affect share prices.

It is important for employees to appreciate a company’s need for keeping secrets and their role in the process. Their actions and attitude determine the level of secrecy. Common sense in enforcing a need-to-know attitude can neither be taught nor prescribed by a security policy. Simple actions such as sending or forwarding confidential emails on a need-to-know basis, keeping curiosity in check, conversing in closed rooms, or not leaving documents unattended on desks are basic precautions, though these too are often not easy to come by.

TIP: Learnings from corporate security awareness programmes can be used to safeguard ourselves online.

TIP: We must value and recognise intellectual property before we can protect it.

Best practices: Employee blogging

When an employee posts online, responds to comments or writes a blog, it is important for him or her to understand the fine line between business and personal information. Posts should not tarnish the name of the company or its policies, result in the loss of intellectual property or competitive business information, or make it liable for legal action. Customers see employee blogs and posts as official company statements, or as suggestive of its view. Tips to keep in mind while blogging are:

Add disclaimers on personal blogs to state that they represent only your personal opinion and not that of your company.
Do not blog about events such as upcoming product launches or about new products in your company.
Do not use the company’s logo or name.
Do not blog about a competitor or use their logos or name.
Respect copyright laws.
Ensure your blogs do not divulge information of business value such as the company’s intellectual property, ongoing research or proprietary production methods.
Do not blog on topics that sully the reputation of the company you work for, or go against its ethical policy.
Do not make defamatory statements about the business, other employees, or customers of competitors.
Do not take work issues online.
Carefully review what information is being published on your blog and remember that your own reputation affects the company you work for.


THE FIRST JOB: We are all very energetic and motivated in our first job. Our main aim is to achieve our targets, to make the boss happy and to win business for the firm. Along with the tasks needed to achieve key goals there are other mundane tasks which one needs to do. While these tasks seem not so important, they play a vital role in the continuity of the firm. Tom was the young star performer who ignored these mundane tasks until catastrophe struck.


What, why and how of employee monitoring by companies

Companies monitor employee actions to protect their virtual and physical assets from theft and abuse. Employee-friendly companies are usually transparent about what, why and how they monitor. Most companies monitor a subset of the services listed below:

Email Use: Companies monitor email content to protect against loss of confidential data and intellectual property, data breaches through exposure of personal customer data, use of inappropriate language, and violations of company policy. Monitoring may be automated or manual. Normally companies monitor to prevent the loss of personal data and intellectual property using an automated technology called ‘data loss protection’. A data loss protection system restricts information from leaving the organisation based on set templates or tags embedded in documents. A copy of the blocked email is sent to the security officer for review and further action.

Internet and Social Media: Internet and social media use are mainly monitored to ensure compliance with company policy and to ensure that employees do not post or blog on topics that directly affect a company’s legal status, customer relations or business. Company policy typically governs viewing, downloading or uploading inappropriate content, excessive personal use, employee blogs and employee comments on external sites. Companies use content filters to block access to blacklisted websites from within company premises or from company-owned devices. Monitoring of blogs and posts is usually outsourced to specialist third party firms.

Computer Usage: Computers are monitored using spyware and forensic tools when an employee is under suspicion or in a sensitive position. Monitored services typically include email, files accessed, computer logs, chat conversations and log-in and log-out times.

Phone and Voice Mail: Phone calls, conversations and voice mail are normally monitored to prevent excessive personal use, such as expensive long distance calls, or when the employee is under suspicion of acting against the firm’s interests. Call duration and the numbers called are cross-checked to determine whether they are for personal or business use and related to the employee’s role.

Video Surveillance: Video surveillance is used to monitor exit and entry points and sensitive areas like datacenters to prevent unauthorised access or the theft of physical assets. Normal work areas may also be monitored to prevent instances of sexual harassment and workplace violence.

GPS: Company vehicles may be electronically tracked to ensure that they do not deviate from planned routes. In some cases employee movement may be monitored by detective agencies if there is a suspicion that the employee is divulging key information to competitors.

Physical Movement: Companies monitor the movement of employees within designated areas for timekeeping and to ensure that employees not authorised to access sensitive areas do not do so.
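The data loss protection mechanism described under Email Use, as an added example that is not the book’s code nor any vendor’s product: an outbound mail is checked against classification tags embedded in the document text and against a template (payment card numbers, validated with the Luhn check so that ordinary order numbers are not flagged). Mail to external recipients that matches is blocked, and a review record is produced for the security officer that says who, to whom and why, without carrying the card numbers themselves. The organisation domain, the tag convention and the sample mail are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed organisation domain; mail to addresses here never "leaves" the organisation.
INTERNAL_DOMAIN = "example-corp.com"

# Tags embedded in documents (constructed convention for this example).
CLASSIFICATION_TAGS = ("[CONFIDENTIAL]", "[INTERNAL-ONLY]", "[RESTRICTED]")

# Template: a run of 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, so that order numbers and phone numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Decision:
    action: str                     # "allow" or "block"
    reasons: List[str]
    review_copy: Optional[dict]     # what the security officer receives when mail is blocked


def scan_outbound(mail: OutboundMail) -> Decision:
    """Block mail to external recipients that carries a classification tag or a card number."""
    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return Decision("allow", [], None)

    reasons = []
    parts = {"body": mail.body, **mail.attachments}
    for name, text in parts.items():
        for tag in CLASSIFICATION_TAGS:
            if tag in text:
                reasons.append(f"{name}: classification tag {tag}")
        cards = find_card_numbers(text)
        if cards:
            reasons.append(f"{name}: {len(cards)} payment card number(s)")

    if not reasons:
        return Decision("allow", [], None)

    # The review copy carries who, to whom and why, but not the card numbers themselves,
    # so the copy sent to the security officer is not a second leak.
    review = {
        "sender": mail.sender,
        "external_recipients": external,
        "subject": mail.subject,
        "attachments": list(mail.attachments),
        "reasons": reasons,
    }
    return Decision("block", reasons, review)


# Constructed sample: a salesman mails a tagged proposal and a card number to a partner.
SAMPLE_MAIL = OutboundMail(
    sender="tom@example-corp.com",
    recipients=["buyer@partner-example.net"],
    subject="Q3 proposal draft",
    body="Hi, the draft is attached. Card on file for the courier: 4539 1488 0343 6467.",
    attachments={"proposal.docx": "[CONFIDENTIAL] Q3 pricing proposal - do not distribute"},
)

if __name__ == "__main__":
    decision = scan_outbound(SAMPLE_MAIL)
    print(decision.action, decision.reasons)
```

Two design points matter in practice: the scan runs only on mail with an external recipient, because tagged documents circulate legitimately inside the organisation, and the template is validated rather than merely pattern-matched, because a sixteen-digit order or shipment number would otherwise block harmless mail and teach users to route around the control.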

Six things a model cybercitizen can do

It pays to be a good citizen, as what you do helps others. Six useful things to do are:

Be cyber security aware, use security best practices and report cyber crime.
Use an antivirus product. It not only helps to protect you but prevents your computer from hosting malware that affects others.
Be a good cyber parent: educate your child on the dangers, ethics and safety measures to be used online.
Stay away from pirated products.
Encourage your government to invest in raising the national standard of cyber security.
Be responsible for your online habits, including your tweets, as what you do online affects your reputation, family, colleagues, religion, nation and your company.

TIP: Never underestimate the importance of being a good cybercitizen. Your every action counts.


THE AUDIT: Keeping an organization safe is the task of all employees. Unfortunately in most organizations the task is looked on as the responsibility of either the IT or Information Security department, defeating the very purpose of information security.... Tom’s pub conversation highlights the low importance cyber citizens pay to cyber security in their corporate and individual roles.


THE ACCESS: Many individuals are tricked into letting an unauthorized person access a restricted area. The method is called tail-gating or piggybacking, and the technique used is social engineering. Allowing individuals to access restricted areas can have adverse consequences such as theft, terrorism and physical destruction. The Access is a security strip on tail-gating and its consequences in the company that Tom works for.


Chapter summary

Employees share an equal, or greater, responsibility to protect corporate and customer personal data. It requires a change in attitude towards cyber security and a proper understanding of the cyber risks faced by the company. Cyber risks at home and at work are fairly similar, though the extent to which they directly affect cybercitizens differs. Most employees want to bring in their own devices and access the internet from the workplace, opening up new vistas for cyber criminals to target corporate environments. The recent spate of high-level attacks by cyber criminals, hacktivists, and government- and company-sponsored spies demonstrates how vulnerable organisations are to cyber attack. Some have paid up several hundred million dollars in penalties and lawsuits, not counting lost sales. Organisations, like individuals, have their own set of confidential and personal customer data to safeguard against loss, or theft by competitors and criminals. Companies need to keep secrets to protect business interests, keep certain decisions confidential, safeguard new product development, ensure customer data privacy and keep design secrets under wraps as long as needed. When an employee posts online, responds to comments or writes a blog, the fine line between business and personal information has to be borne in mind. Online posting should not tarnish the reputation of the company, result in a loss of intellectual property or make the firm liable for legal action. Companies monitor the actions of their employees, not to violate the privacy of an employee but to ensure data protection from mistakes, corporate espionage, theft, and actions by disgruntled employees. As citizens we play a vital role in minimising cybercrime by not participating in unlawful activities such as piracy, by keeping ourselves and our children cyber security aware, by reporting cybercrime to law enforcement and by working with the government and schools to build a cyber-aware nation. We need to realise the collective benefit of what we do to protect ourselves. For example, when we install and keep updated an antivirus on our desktop, we are not merely protecting ourselves but others too.


Chapter 9

Cyber Parenting and Child Safety

Today’s parents are digital immigrants while their children are digital natives. Digital natives are those born in the information technology age. They are able to explore the Internet’s alleys and by-lanes with an enthusiasm and knowledge that most parents cannot match. Restricting a child’s use of the Internet is passé, as there are genuine requirements for Net use – such as study, work, research and even social pressure. The cyber world is, however, similar to the real world – with dangers and rules. Therefore cyber ethics should form a necessary part of a child’s cyber education at home and at school. Normal safeguards are insufficient, as children are naïve, trusting, curious and have a natural desire for independence and a fear of parental punishment. When children use the Internet, they are susceptible to five types of risks:

1. Loss of privacy. Information children post about themselves and their family, such as wealth, travel plans and relationships, can be used by thieves, predators and others with bad intentions. Children need to be educated on what information could and should not be posted online.
2. Unknowing introduction of malware on home computers when children surf, exchange files and download attachments. These attachments contain unseen malicious software which hackers can then use for cybercrimes.
3. Exposure to adult sites such as pornography and adult chats.
4. Falling victim to online predators who entice children. The Internet provides anonymity, which allows such individuals – on social networking sites, chat rooms or elsewhere – to assume multiple personalities, and to pretend to be of a different gender and a false age. The absence of physical interaction brings a false sense of security.
5. Cyber bullying, in which a bully posts offensive, derogatory and hurtful comments which affect the victim’s self-image, esteem and relationships with other children. Information posted in blogs, posts, photos or comments, however thoughtless or baseless, does take an emotional toll on its victims. Your child could be a victim or a bully. Without effective cyber-parenting and cyber-schooling, the risk of social crimes such as cyber bullying and cyber harassment affects many children emotionally.

TIP: Children find ways around technical controls such as parental filters. Open discussions and offering guidance to children can be far more effective.

Stay Safe, Cybercitizen | Lucius Lobo

Cyber bullying

Sophie came home one day looking depressed and went to bed much earlier than normal. When she awoke she was reluctant to go back to school. On her social network page someone had scrawled: "You are a slut" with a morphed nude picture of the girl. Many others "liked" the post. Sophie was a target of petty jealousy, but the result was public humiliation in front of her friends circle. According to StopCyberbullying.org [1], ‘cyberbullying’ happens when a child, preteen or teen is tormented, threatened, harassed, humiliated, embarrassed or otherwise targeted by another child, preteen or teen using the Internet, interactive and digital technologies or mobile phones. Cyberbullying has become a serious concern. Children do not think about the consequences of what they write online as they would if they wrote a letter on paper. British police say they will start giving perceived cyber bullies a digital tap on the shoulder if their online behaviour starts crossing the line of civility. One of the Star Trek episodes depicts an alternate universe, with the same characters but different roles and temperaments. Today’s online world is very similar to this “alternate” reality. The timid lad bullied on the playground becomes a fearsome online cyberbully. Girls who once quietly gossiped in school alleyways could spread wild rumours once they shift to social networking sites. As the school and neighbourhood circle expands into the online world with the addition of friends of friends and unknown strangers, the impact of cyber bullying becomes all the more severe. Spoken words live for a few minutes, and their impact is limited to the few who heard them; but the online written word persists and leaves a lasting digital impression.

[1] http://www.stopcyberbullying.org/


On the school ground, such matters would probably have been firmly resolved by teachers and parents; but the same does not hold true online. Lack of jurisdiction, limited parental awareness and growing parental intolerance put the focus on fixing the perpetrator, usually another child, rather than on child correction and resolution. To improve the system, raising child awareness through counselling and education is a must. The online world is a reality by now. Parents cannot cut their child off from it or protect them from its consequences. Parents should invest time in preparing themselves and their children, and in making them aware of the risks and ethics of cyberspace.

Educating children on the ethical use of social networks

Our daily newspaper, not long ago, reported a 13-year-old Class VII student posting "abusive language" on the school principal’s Facebook wall. When the principal read the obscene comments and complained to the boy’s parents, the parents claimed that a classmate of their son who was studying with him had mischievously posted the messages. In turn, the principal herself, when asked why she had accepted the boy’s friend request, said that her (the principal’s) daughter had accepted it on her behalf by mistake. This incident highlights the lack of guidance parents offer their children on web use, and the lax supervision of what a child does while on social networks. Most apparent is the absence of online courtesy, and the lack of use of security best practices. In this instance, the parents shared their password with their child and the child with his friends. Unsupervised, some children unknowingly download games with hidden malware and make the wrong type of online friends. They could enter adult chat groups, post information that a stalker could use, or play mischief with another friend’s account.

Cyber kids should be taught cyber skills and ethics at an early age. Parents should have open discussions on the pitfalls of Internet use and supervise a child’s online surfing and emailing. It is important to be aware of who a child’s online friends are in real life and to meet their parents. If a child is more adept at using the Internet than the parents are, the parents must make a conscious effort to learn to use the Internet and social networks along with the child.

TIP: Children should be advised not to reveal personal details to strangers or new friends they meet online.

Cyber security education

Grooming our children in computer use is a well-recognised essential. Today’s generation is a technology-savvy one. It is quite common for young children to surf and play games online. But sorely missing from the educational curriculum is any serious impetus on cyber education to ensure the use of the Internet in a responsible, safe and secure manner. Children by nature love to play pranks. Knowingly or unknowingly they indulge in a variety of pranks, from bullying and obscenity to hoaxes and hacking. Some fall victim to online criminals and paedophiles. Other pranks economically affect the nation and its institutions. In a recent case, a prankster phoned a Mumbai college to say that a bomb had been planted on campus, forcing 300 girl students to evacuate minutes after they started their exam. The onus of offering a cyber education is largely placed on the parent, who may not be familiar with computers or the Internet. This generation gap does not make them good teachers. Technology-unaware parents allow their children liberties with simple restrictions on Internet time, or strictly forbid their children from using it altogether. It is not practical to shield this generation from the use of the Internet. Children find ways to surf via a cybercafé, mobile phones or a friend’s computer. At the same time, it is not advisable to allow children the use of the Internet without instruction and guidance. The middle path lies in a system of cyber education to prepare children in cyber ethics and the safe and responsible use of the Internet. Cyber education should be taught by schools, as many parents are as yet unfamiliar with the ways of the Internet. Such a programme should be endorsed by the education ministry, be a part of the curriculum, and also include comprehensive training of school teachers across the country. A national cyber safety day in schools would help increase awareness.

Best practices: Online child safety

Online security is about making the child situationally aware, and frequent discussions with your child on Internet use and Net etiquette will prepare them to perceive risks and discern inappropriate behaviour. Topics for such discussions are:

- Your child’s online experience, hobbies and interests
- Net etiquette and cyber bullying
- How to deal with unsolicited emails
- The importance of letting parents know if the child has come across foul language or improper suggestions online
- What sites are off limits and why
- How to use, create and protect passwords
- Information that should not be posted online, such as travel plans, assets owned, who the family knows, family pictures, parental squabbles, and so on

Ensure that your computer has security software installed, updated and set to the appropriate level of protection. Regular checks to ensure that the settings have not been changed are important, as children find ways to bypass them. Measures for technical protection are:

- Use a PC without a webcam.
- Ensure that a child cannot delete logs and history.
- Use filters for email and the Internet, privacy settings on the browser, and child protection software.
- Keep the PC in an open area where the child’s activity can be observed.
- Use an antivirus and a personal firewall.
- Ensure regular updates of security software.

Ensure that you are supportive if a child is a victim, and encourage the child to report such behaviour to the ISP (Internet Service Provider) or the cyber police.

Monitor your child’s use of social networks:

- Ensure that the child’s online profile information does not convey personal details about the child. To the extent possible keep gender-neutral profiles, and ensure the privacy settings on the social networks are appropriately set. Parents can also create a different profile and become a friend on the child’s page to observe unwanted activity.
- Verify the friends of your children to ensure that there are no unknown or anonymous friends. Try and meet their friends in person at parties or other functions.
- Parents should understand how children communicate on the Internet, including the language and acronyms.
- Monitor surfing activity for early signs of inappropriate use. Review browsing history and chat logs. Search for pornographic and other material on the computer.

Monitor and teach your child how to deal with unsolicited email. Specific precautions are:

- Not to click on links in unsolicited email.
- Not to open unsolicited email.
- Not to open email attachments.
- Not to respond to emails of uncertain origin or instant messages, or accept gifts from strangers.

Monitor phone bills, as these provide clues when an online relationship has progressed into the real world, as it may if a paedophile has been trying to trap your child.


Chapter summary

Cyber-parenting is the education of children on the dangers, ethics and best security practices of cyberspace. Parents have to spend time in preparing themselves and their children to understand the cyber world. Cybersecurity awareness by parents and at schools is a critical part of imparting such education. When children use the Internet, they are susceptible to five types of risks: loss of privacy, unknowingly introducing malware on computers, exposure to adult sites, online predators, and cyber bullying. Cyber-bullying is one of the biggest risks facing school children and involves a bully posting offensive comments online. Information posted in blogs, posts, photos or comments, however thoughtless or baseless, does take an emotional toll on its victims. Parents should first be aware of cyber risks and safety precautions in order to raise their child’s awareness in a realistic and practical way.


Being Cyber Aware

Reading this book should have offered you a better appreciation of your role – as an individual, employee, parent and citizen – in building a safe Internet. This book is the first step in a journey of cyber security awareness and towards a safer online experience.

To conclude this book, I leave you with thirteen practices that could help you attain a safer online experience.

1. Be aware of cyber risks by following news reports of real-life incidents.
2. Become situationally aware of how to recognise cyber threats.
3. Use common sense while social networking, and write responsibly and with proper etiquette while online.
4. Keep in mind that what you post online remains online, and you are responsible for it.
5. Have open discussions with your children on Internet safety and their online experiences.
6. Avoid illegally copied copyrighted or pirated goods.
7. Do not get tempted by discounted offers and money-making schemes. More often than not, these are scams.
8. Call up the institution or check for scams before replying to mails claiming to come from law enforcement, financial institutions and governments, especially when these request personal information online.
9. Do not engage in conversations with, or respond to mails from, scammers.
10. Be careful about unsolicited mail and avoid clicking links within it.
11. Use security software on all your devices (computer, tablet, phone) and update it regularly.
12. Use strong passwords, with the alternate authentication and verification options provided by sites.
13. Report cyber crime.

Friends who reviewed this book came up with a few technical recommendations which I was unable to address, as they went beyond the scope of the book. Nevertheless, they were quite correct to point out that without these answers there would still remain gaps in what a cybercitizen must know to stay secure. I have listed these as questions, and the answers can be found through a careful Internet search, as security FAQs on most sites, or in the product manuals of security software.

- How do children avoid parental controls?
- How can we use enhanced authentication and privacy features on sites?
- How should one select security software?
- How should we configure and update security software?
- How does one securely configure home wifi networks?
- How do you assess whether your security settings are appropriate?
- How should you decide which privacy settings are appropriate?
- How can you tell if a link is malicious?

One word in conclusion: thank you for spending time to read my book. If you have liked it, please recommend it. I plan to revise this book every year and would welcome suggestions to make it more useful. Please send your feedback on the book, and on what topics future revisions could additionally cover, to me at lucius_lobo@yahoo.com.
