If we’re honest, every one of us imagines what we’d do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high-maintenance accessories top our list of must-haves.
But of course the question is how to get there. Working till I’m too old to enjoy it is one option, but there are alternatives: the lottery, online poker, a rich widow, stocks and shares (increasingly risky these days), or why not simply help myself to something very valuable?
After all, if I’m working in IT I probably have access to the corporate crown jewels. And that could be anything: source code for the next money-spinning application about to be released, credit card details for thousands of customers, even the recipes for KFC or Coca-Cola. Just a few years ago, a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from Coca-Cola and trying to sell it to PepsiCo.
In fact it’s actually quite easy, because if I’m working in IT I have access to systems holding all kinds of privileged information. Here is my employer thinking that his company data is safe, and I’m allowed ‘free access’ to the servers storing that data. I can help myself to whatever I want and no one will ever know.
And of course it’s much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just take my pick: mobile, USB stick, email attachments, VPN access from home, and no one will ever know. And of course it may not even be my employer’s data, just that of some company we provide outsourcing services for. It’s never been easier.
The problem often lies in the fact that we are constantly tempted, because the corporate jewels are literally lying around where anyone can find them. The problem for today’s enterprise is that the transfer of information is increasingly time-critical, and traditional approaches such as FTP and secure email are awkward to manage and often lack the security mechanisms that sensitive or confidential data demands, leaving a very real risk of leakage. Where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions:
1. Do not expose your internal network
The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.
For a while now I have been using this program in a computer forensic capacity, but Photosynth made the jump from the lab to the small screen as detectives on the CBS crime drama CSI:NY called upon Microsoft Live Labs™ Photosynth™ to help solve a grisly murder at a high school dance. The TV detectives needed to reconstruct events from hundreds of images taken by student cameras and mobile phones. They turned to Photosynth to help them build and explore the scene which ultimately led police to their suspect. Producers from CSI were introduced to Photosynth during a visit to Microsoft last summer and were so impressed they asked to use the technology in the show. Members of the Live Labs team were on the set and worked with the show’s crew to fully leverage the technology’s abilities.
Producers were so happy with the experience that they decided to allow Photosynth to “do its own stunts” for this episode and have the actors interact with it live, as cameras rolled. Needless to say – there was much cheering as a very stoked Photosynth team watched the episode together. If you missed the show, you can catch it online on the CBS website or by exploring the current technology preview by going here.
Here’s a video clip of Photosynth being used in CSI:NY
I still remember receiving my first phishing email in my Microsoft account. I had won the lottery! As good as it sounded, I was sceptical at best. So without much thought, I opened the email and clicked on the link inside to check if I truly was a millionaire after all. Almost instantly, my computer crashed, and with each subsequent restart would crash again.
Countless computer crashes and thousands of spam emails later, I had learned the lesson that just opening spam email can bring harm to my computer. Unfortunately there are a whole host of traps and errors that catch new email users just because “they didn’t know any better”.
In this article we focus on 25 of the most common and easy to fix mistakes that people make when it comes to email security. We’ve designed this article with the new internet user in mind, so if you’re an email expert, you may want to pass this along to your novice friends.
Properly managing your email accounts
1. Using just one email account.
Individuals new to email often think about their email account the way they think about their home address: you only have one home address, so you should only have one email address. Instead, you should think about your email address the way you think about your keys; while it may be OK to use the same key for your front and your back door, having a single key that opens everything is both impractical and unsafe.
A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behaviour. That means that you should always sign up for newsletters and contests only through your third email account. Similarly, if you have to post your email account online, such as for your personal blog, you should only use your third email account (and post a web friendly form of it at that).
While your first and second email accounts can be paid or freebie, your third ‘catch-all’ account should always be a freebie account such as those offered by Gmail or Yahoo!. You should plan on having to dump and change out this account every six months, as the catch-all account will eventually become spammed when a newsletter manager decides to sell your name or a spammer steals your email address off a Web site.
One of the most infamous email frauds is the so-called “Nigerian” or “419” fraud. If you have used email for a good few years, or even only recently, you will have had one of these emails come through. Here’s how they work. You or your company receive an email (or in some cases a mailed letter or a fax) from someone in West Africa trying to move a large sum of money to American (and recently UK) banks, and if you’ll do him/her the simple favour of allowing them to deposit this money into your bank account, you’ll be able to keep a sizeable chunk of it.
These Emails are humble, charming (“complements of the season. Grace and peace and love from this part of the Atlantic to you…”) and hint in a roundabout way that this deal is not exactly the most legal thing in the world, which is why you have the potential to make a lot of money.
The Request
As with all hoaxes, there is always a request. Here is an opening statement from a 419 fraud email:
Dear Sir
REQUEST FOR URGENT TRANSFER OF $22,500,000,00 INTO YOUR ACCOUNT
My name is Chief Collins Ozobia. I am the deputy director of finance for the Federal Ministry of Petroleum (F.M.P). I have been assigned to seek for the assistance of reliable foreign company through which we can transfer the sum of US$22,500,000,00 …
Where did this windfall come from? Why, it’s an insurance payout after a horrible plane crash. Or (other versions go) it’s money straight from the Nigerian Government, in return for completing a contract. Or it’s a big fat family inheritance, a real estate deal or crude oil at below market prices. Whatever the tale, it’s a ton of money – your share anywhere from 10 to 30 percent of the total haul, which usually reaches into the tens of millions – that needs to be moved out of the country for safekeeping as soon as possible. How can you refuse? How can your bank account refuse?
Non-technical juries could be letting criminals go free because of the difficulty in dealing with computer-based evidence.
In England and Wales the only qualifications required of a jury member to be eligible to appear in a court of law are that they are registered on the electoral roll, aged between 18 and 70 and have lived in the UK for at least five years.
Jurors are not required to hold any professional qualifications and there are to date no technical jury qualification guidelines for cases involving complex computer data.
So what happens when complicated technical information needs to be communicated and thoroughly understood in order to fairly evaluate a case?
I believe that the majority of the legal system is still unprepared to deal with the issue of computer based evidence.
Legislation such as the Data Protection Act 1998, Criminal Justice Act 1994 and Protection of Children Act 1978, has generated a new wave of criminal offences that demand digital evidence to be evaluated in order for successful prosecution.
The theft of CDs containing the personal information of 25M UK citizens has rightly caused an outpouring of ‘Shame on you’ on HMRC and prompted questions like ‘How could you let this happen?’ The real question that the British people should be asking though is this: ‘Who else has lost my data that I haven’t been told about?‘
Companies of all sizes, including local and national government, hold huge amounts of very private information on virtually every individual in the UK, yet amazingly, there are no laws to force them either to protect that information (such as by encrypting the data) or to tell you if your unencrypted information gets lost or stolen. Make no mistake about this: ever since the first credit card number was put on the first laptop computer or CD, companies have been losing your information and simply not telling you.
There’s a sad fact of economic life here: it’s cheaper for a company to say nothing and do nothing if it loses Joe Public’s private information than to do the right thing - ensuring that all the data is encrypted, or telling consumers if there’s a risk that their private data could have got into the wrong hands.
The situation in the US today is very different: Following on from some very high-profile data thefts, many States have now enacted so-called data breach notification legislation. See http://www.ncsl.org/programs/lis/cip/priv/breach.htm
Put simply, this legislation says that if you lose customers’ personal identifiable information (social security numbers, credit card numbers, driving licence numbers and so on) and it wasn’t encrypted, then you MUST notify everyone who’s likely to be affected. Many States have also included additional consumer protection, such as one year’s free credit monitoring services to protect against possible identity theft.
The US federal government - immune from state legislation - has also mandated strict data security standards for itself. Following an incident similar to the HMRC in mid-2006, President Bush issued a mandate that all government departments must implement data encryption – no exceptions: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
(In that breach, a laptop containing health and financial information on 26.5M veterans was stolen from an employee’s home - the cost of just mailing the notification (letters, envelopes, postage) was about £22M).
The net effect of US legislation has been to change the economic balance of data security: now it’s cheaper to implement a good data security solution (i.e. encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves. When items such as credit monitoring are added in, it’s estimated that the average cost of a breach notification following the loss of unencrypted data is in the region of $90-$140 per customer record. http://www.tech-404.com/calculator.html
So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6M. What’s the cost of a good data security solution to avoid this in the first place? Much, much less than that!
US legislation hasn’t stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumers, as these breaches are now tracked by a number of public websites: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
The UK government must follow the US’s lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then just let this be a lesson learned the hard way!
The Internet has shown that reputations are important but don’t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities. The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.
Identity theft has been a big hit with the purveyors of fear in recent years. We all now live in terror of waking up one morning and finding that someone has stolen our identity, and we can’t even remember who we are.
Well, maybe not. But identity theft is a real problem. If someone manages to construct a copy of your identity, you don’t stop being you, you just stop being the owner of all of your money (unless you can persuade your bank it’s their fault). You might get back from vacation to find that your house has been stolen…
Identity is closely tied to the concept of reputation. We are now trying to apply ideas from villages of a few hundred people to a global scale and (not surprisingly) finding that they don’t quite work.
In a small community, everyone knows—or knows of—everyone else. Reputations are very important. If you want to borrow something from a neighbour, or ask them for a favour, then you will have some idea of how much you trust them.
When banks started, they would use this sort of model. They would be willing to lend you money based on letters of recommendation from people they trusted, or based on their prior dealings.
Now banks have grown so big that they use a much less personal system, but still deal in the idea of reputations.
The Social Security Scam
Some time ago, the UK and the U.S. governments introduced the concept of a Social Security number (SSN). This was a unique identifier assigned to every taxpaying citizen, allowing their tax records to be connected together.
Computer passwords are a way of life these days, and most of us have dozens of accounts, each with a different (or potentially different) password. There are costs in forgetting any of these passwords, ranging from the personal inconvenience of being unable to read useful news articles to the business problem of being unable to buy or sell products.
The most obvious solution to this hassle is simply to choose one password and to use it everywhere. Indeed, a survey conducted during April 2006 by Sophos reveals that 41% of respondents do just that. Additionally, 75% of the respondents to a separate part of the survey admitted to the use of weak, easy-to-guess passwords. Presumably this means that 31% of users (75% of 41%) have no accounts at all with satisfactory passwords.
Clearly, this is bad news. But is reusing a password ever safe? Even if you pick a long, randomized, unguessable pass-phrase, commit it to memory and then eat the paper you wrote it down on? Can you rely on the theory that if a password is good enough for your company’s most secure network, then it is obviously more than adequate for the website of the local football league?
The answer is that you most certainly cannot. Different account providers implement their password protection for a range of reasons, using a range of technologies. The very act of using a password exposes it to compromise - and that compromise may happen because of the account provider’s behaviour, not just your own.
The lack of sensory information on the Internet (think of the many teenagers and younger kids with a Facebook or Myspace page) may have a significant impact on cyberstalkers. The absence of sensory-perceptual stimuli from a real person means that fantasy can play an even more expansive role as the genesis of the stalker’s behaviour. The victim becomes an easy target for the stalker’s projections and narcissistic fantasies, which can lead to real-world rejection, humiliation and rage.
One of the most prominent features of stalking behaviour is fixation on victims. Their obsession can drive stalkers to extremes that make this type of investigation challenging and potentially dangerous. Although stalkers who use the Internet to target victims may attempt to conceal their identities, their obsession with a victim often causes them to expose themselves. For instance, they may say things that reveal their relationship with or knowledge of the victim, or they may take risks that enable investigators to locate and identify them. However, even when stalkers have been identified, attempts to discourage them can have the opposite effect, potentially angering them and putting victims at greater risk.
In 1990, after five women were murdered by stalkers, California became the first state in the US to enact a law to deal with this specific problem. Then, in 1998, California explicitly included electronic communications in their anti-stalking law. The relevant sections of the California Penal Code have strongly influenced all subsequent anti-stalking laws in the US, clearly defining stalking and related terms.
Any person who wilfully, maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear of death or great bodily injury is guilty of the crime of stalking … “harasses” means a knowing and wilful course of conduct directed at a specific person that seriously alarms, annoys, torments, or terrorizes the person, and that serves no legitimate purpose. This course of conduct must be such as would cause a reasonable person to suffer substantial emotional distress, and must actually cause substantial emotional distress to the person.
… “course of conduct” means a pattern of conduct composed of a series of acts over a period of time, however short, evidencing a continuity of purpose … “credible threat” means a verbal or written threat, including that performed through the use of an electronic communication device, or a threat implied by a pattern of conduct or a combination of verbal, written, or electronically communicated statements and conduct made with the intent to place the person that is the target of the threat in reasonable fear for his or her safety or the safety of his or her family and made with the apparent ability to carry out the threat so as to cause the person who is the target of the threat to reasonably fear for his or her safety or the safety of his or her family. It is not necessary to prove that the defendant had the intent to actually carry out the threat… “electronic communication device” includes, but is not limited to, telephones, cellular phones, computers, video recorders, fax machines, or pagers.” [California Penal Code 646.9]
The equivalent law in the United Kingdom is the Protection from Harassment Act 1997 (Chapter 40).
Although ransomware is not brand new, most of you haven’t heard of it. But soon you will.
Ransomware is a type of malware that uses a weak (breakable) cryptosystem to encrypt the data belonging to an individual, demanding a ransom for its restoration. A cryptovirus, cryptotrojan or cryptoworm, on the other hand, employs a military-grade hybrid cryptosystem to take data hostage (the field known as cryptovirology pre-dates the term “ransomware”).
This type of ransom attack can be accomplished by (for example) attaching a specially crafted file/program to an e-mail message and sending this to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim’s computer. A ransom note is then left behind for the victim. The victim will be unable to open the encrypted files without the correct decryption key. Once the ransom demanded in the ransom note is paid, the cracker will (supposedly) send the decryption key, enabling decryption of the “kidnapped” files. However, if the decryption key is in the file/program then it can be extracted and used without contacting the attacker. This is the case in any such malware that relies on symmetric cryptography alone.
There have been a few malware attacks in the past that have done this. The 1996 IEEE paper by Young and Yung reviews the malware that has done this, points out the fatal flaw which is the reliance on symmetric cryptography, and shows how to use public key cryptography to solve this problem (that the attacker faces).
A cryptovirus, cryptotrojan, or cryptoworm is defined as malware that contains and uses the public key of its author. In cryptoviral extortion, the public key is used to hybrid encrypt the data of the victim and only the private key (which is not in the malware) can be used to recover the data. This is one of a myriad of attacks in the field known as cryptovirology.
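The fatal flaw in symmetric-only ransom malware described above (the decryption key travels inside the program, so it can be extracted and the data restored without paying) is easy to see in code. The following is an added example written for this page, not code from the page, from the Young and Yung paper, or from any real sample. It builds a constructed stand-in for such a payload: the victim’s file is sealed with AES-256-GCM under a random key and that same key is embedded in the “program” bytes between two runs of filler. The recovery routine then slides a 32-byte window across the program bytes and tries each window as the key; GCM’s authentication tag rejects every wrong candidate, so the window that opens the ciphertext is the embedded key. The function names, the filler layout and the sample file contents are all assumptions of this example; Go is used because AES-GCM is in its standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

const keySize = 32 // AES-256 key length in bytes

// BuildConstructedSample builds a constructed stand-in for a symmetric-only
// ransom payload: the victim's file is sealed with AES-256-GCM under a random
// key, and that same key is embedded in the "program" bytes between two runs
// of filler (assumed layout: 64 bytes of filler, the key, 64 bytes of filler).
// It returns the program bytes, the nonce and the ciphertext. Nothing here is
// real malware; it exists only so RecoverKey has input to work on.
func BuildConstructedSample(plaintext []byte) (program, nonce, ciphertext []byte, err error) {
	key := make([]byte, keySize)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	ciphertext = gcm.Seal(nil, nonce, plaintext, nil)

	// Constructed "binary": filler, then the key, then more filler.
	filler := bytes.Repeat([]byte{0x90}, 64)
	program = append(append(append([]byte{}, filler...), key...), filler...)
	return program, nonce, ciphertext, nil
}

// RecoverKey slides a 32-byte window across the program bytes and tries each
// window as the AES-256-GCM key. The authentication tag rejects every wrong
// candidate, so the first window that opens the ciphertext is the embedded
// key, and the data comes back without contacting the attacker.
// It returns the key, the recovered plaintext and whether recovery succeeded.
func RecoverKey(program, nonce, ciphertext []byte) (key, plaintext []byte, ok bool) {
	for i := 0; i+keySize <= len(program); i++ {
		candidate := program[i : i+keySize]
		block, err := aes.NewCipher(candidate)
		if err != nil {
			continue
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil || len(nonce) != gcm.NonceSize() {
			continue
		}
		if plain, err := gcm.Open(nil, nonce, ciphertext, nil); err == nil {
			return candidate, plain, true
		}
	}
	return nil, nil, false
}

func main() {
	// Constructed contents of the "kidnapped" file.
	original := []byte("Q3 sales figures: region A 1.2M, region B 0.8M")
	program, nonce, ct, err := BuildConstructedSample(original)
	if err != nil {
		panic(err)
	}
	key, plain, ok := RecoverKey(program, nonce, ct)
	if !ok {
		fmt.Println("no embedded key found; the scheme is not symmetric-only")
		return
	}
	fmt.Printf("embedded key at offset %d: %s\n", bytes.Index(program, key), hex.EncodeToString(key))
	fmt.Printf("recovered: %q\n", plain)
}
```

The scan works only because the whole secret is present in the sample. Under the hybrid design of the last paragraph, the same scan would at best turn up the author’s public key, which opens nothing without the private key that never left the attacker; that is exactly the distinction between breakable ransomware and cryptoviral extortion that the text draws.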