Guest blogger: Sharon Lemon OBE. Deputy Director e-Crime, Serious Organised Crime Agency (SOCA)

Years ago, when Internet dating started, it did have a reputation as being a bit seedy, but things have moved on and now there are a  number of reputable dating sites which advertise their success in putting couples together, many of whom get married. Needless to say though, there are some people who want to exploit this new form of relationship and romance fraud is a growing problem, and can leave its victims financially and emotionally devastated. Make sure you’re aware of the signs so that you don’t fall for Mr or Mrs Wrong and not Mr or Mrs Right – do not become a victim.

For example, when you sign up to a dating website be careful about giving out your private information, especially to people from a foreign country who contact you out of the blue and claim to care deeply for you after only one or two emails or conversations. Always stay on the website, and don’t take your conversations onto instant messaging or private email. Don’t trust anybody who won’t answer basic questions about where they are and what they do.

So far we have only seen this offence being committed against women. A common tactic is for a fraudster to claim that they are a soldier, maybe American, who is based in Iraq and wants to retire with their children to live with you. Once the relationship is established, you will be asked to speak to their friends in a completely different country, which is when you will be asked for money.

When a romance fraudster (actually probably a group of criminals posing as one person) manages to seduce somebody into an online relationship, often over weeks and months, eventually there will be a problem that only you can help with. Maybe they want to travel to see you, and want you to pay money towards a visa or airline tickets. Or maybe they or a family member falls ill, or even dies, and they need money for medical or funeral bills. There may be many different reasons, but with just one purpose – to get your money.

If you do pay, the fraudster will then give more reasons for you to send money, and you will never see any of the things they promise. If they say they are flying to see you, they won’t turn up but will have a problem at the airport requiring your money to sort out. If they say they have large amounts of cash or gold that only requires some customs charge or other fees before you can get a share, this is just another type of fraud designed to rip you off. You may even be asked to fly abroad, so that you can be exposed to these different types of fraud in person. If you do so there is a real risk of kidnap and extortion, meaning your life could be in danger.

To protect yourself, be wary of contact from these romance fraudsters. Never send money to anybody you don’t know or trust, particularly by a money transfer service instead of to a bank account. If something sounds too good to be true, it probably is. If you become a victim, you could end up losing a lot of money as a result – or worse.

If you think you’ve been a victim of romance fraud, or any other type of fraud, cease all contact straight away, don’t send any more money and get in touch with Action Fraud via their website, http://www.actionfraud.org.uk/  or call them on 0300 123 2040.

That’s all pretty serious, but remember – as in real life, most people in the virtual world are good, so enjoy your time in it.

Another guest blog from  Richard Hollis

Did you see the news recently that social networking site RockYou suffered a data breach exposing over 32 million user accounts?   If that wasn’t bad enough, it was also revealed that they were apparently storing all that data (user account information) in plain text in their database. This fact came to light only because when RockYou attempted to downplay and dismiss the severity of the incident, the hacker responsible published a sample of the data to prove it and demonstrate that all the user passwords accessible were stored unencrypted.
 
To make matters worse, the published dataset also contained user password and logon credentials for other social networking sites. 

 So however you do the maths, there is a possibility that this hack directly affected you if you use a social networking site. The hacker was able to access this information through a SQL injection vulnerability on the RockYou site.  This hacking technique is old, widely known and does not require a great deal of expertise to execute.  The point being that any online business even marginally concerned with security would have closed off this easily exploited security hole before even thinking of launching their site – but apparently not RockYou.
 
Their attitude towards security is further demonstrated in their published password policies as they only mandate a minimal length of 5 characters for their account passwords.  They have no requirement for mixed case, alpha-numeric characters and in fact enforce password simplicity by not allowing any punctuation at all.  This is where RockYou gets it wrong.  Passwords are the very foundation of online security.  At this time of year we should think of them like underwear- the longer the better.
    
Learn a lesson from this incident – buyer beware! Next time you sign up to a social networking site or any web service for that matter, read the fine print. What is their security policy?  Do they have one?  If they don’t publish it on the site – chances are they don’t. Sending you open text passwords in emails are another indication that their approach to security may be short of your expectations.  Read the privacy statement. Do they inform their customers about losses or breaches?  Do you want to use them if they don’t?  The choice is yours.

Richard Hollis – Orthus Ltd

Symantec reports that Macs have been infected with malware from pirated copies of Apple iWork 09 and Adobe Photoshop CS4. Victim’s computers were used to launch attacks against an unknown website. This underscores the need for all computer users to take security precautions. Nobody has automatic immunity.

(Hat tips ZDnet and Slashdot)

Do we own our identities? Do we own our biometrics? David Bradley discusses this fundamental and important question.

Written by Tony Neate, Managing Director, Get Safe Online

A few years ago you would regularly hear me say that one of the biggest risks to the internet was ‘lack of public confidence’.  If users felt they couldn’t trust a particular website, their computer or the internet as a whole, then they might decide not to use it. Yet it is now so familiar that we treat it like our mobile phone, something that is there and that we couldn’t contemplate being without.

Almost everyone now buys goods online, from groceries to cars to houses. Internet banking is now no longer an alien concept, and it is more common for people to book their holiday’s online than at a travel agent. The internet is also a vital communications tool, which people use to keep in contact with friends and colleagues, and even to chat to people they don’t know. The criminal element of society has certainly cottoned on to it, and with an estimated £30 billion spent online in the UK last year, it isn’t difficult to understand why.

Now that we seem to be in a financial recession, is internet shopping also going to be affected? With less disposable income, are people going to steer clear of shopping online, or will they turn to the internet as the place to find that elusive bargain? Either way, e-crime protection and prevention should be the first thing people think of when they go online.

But should it always be the end user who has the responsibility for security? They are certainly going to be the one affected, if not monetary then certainly in time and inconvenience. Isn’t security a joint responsibility, one that the end user, the hardware manufacturers, software vendors, ISP’s, banks, retailers, law enforcement and the Government should work in synergy to achieve?

At GetSafeOnline.org, we work hard to bring these different groups together. It’s hard work but the results are worth the effort. But there’s always more to do. And if you want to do your part, our newly-redesigned website, www.getsafeonline.org, is a good place to start.

When Get Safe Online took over the old ITsafe alerting and warning service in July, we sent existing subscribers an email and also published a message on this blog to explain the changes.

However, I’ve had a few questions by email which must be representative of wider concerns. So, I thought it would be useful to put together an FAQ.

Where has the ‘safe word’ gone?

ITsafe used a ‘safe word’ so that you knew the alerts were authentic and not sent by an imposter. In practice, this caused a great deal of confusion because many people thought that the safe word was a password and were confused when they received emails containing their ‘password’.

In addition, we are using a new email system and implementing the safe word feature would have delayed the introduction of the service unnecessarily.

We don’t store any personal information other than your email address so we can’t use anything else such as your name or address to authenticate emails.

How can I verify the authenticity of your alerts?

It’s easy. Just check the original alert at www.getsafeonline.org/go/itsafe. When you’re ready, we also recommend switching to the RSS feed instead of relying on emails.

Why don’t you use OpenPGP, GnuPG or similar for verification?

In an ideal world, this kind of encryption and authentication would be widespread, well understood and easy to use. But it’s not. For the vast majority of our readers, it would be a barrier and a distraction. The techie-minded users who would understand it and benefit from it are savvy enough to get authenticated alerts from other sources such as RSS feeds. We will continue to review this question but our ultimate goal is to encourage users to transition to the RSS feed rather than rely on email.

As an aside, similar services around the world work in the same way. For example, De Waarschuwingsdienst in Holland or US-CERT in the USA.

Why has the format changed?

Previously, ITsafe alerts were drawn from government sources and edited by human beings. Now we use an automated system to filter and repackage alerts provided to us by the Government’s Centre for the Protection of National Infrastructure (CPNI). This ensures that they are sent out as soon as possible.

How do I unsubscribe?

Use the online form or the unsubscribe link at the bottom of any alert email.

I thought I had unsubscribed but now I’m getting emails again?

This sometimes happens if emails sent by the old system were blocked by a spam filter. We’re using a new email sender so they may start coming through again without being blocked. Feel free to unsubscribe (though we’ll miss you).

The alert I received is a bit too technical for me – what do I do?

Each email alert contains a link to a more detailed source of advice, typically from the vendor or software company that first reported the problem. This will usually contain instructions for protecting yourself.

GetSafeOnline.org has lots of useful information about protecting yourself in less technical language, including advice about keeping your computer up to date.

Get Safe Online has just taken over the ITsafe alerting and warning mailing list and we’re using a new system to send out emails.

Today we discovered a technical glitch that meant we sent out the same alert three times. We’ve fixed it and it won’t happen again.  Sorry.

A recent survey of UK adults, commissioned by Lloyds TSB, found that half were “note concerned” about internet banking fraud.

This is because, in part, they are fatalistic about it.  “These things happen,” said 26 percent while 39 percent think that their bank will reimburse any losses.  It’s a bit like saying “I don’t mind being burgled because the insurance company will replace anything that was stolen.”

At the same time, only a fifth of respondents feel they fully understand how to stay safe online.

All this amounts to a “self-fulfilling prophecy,” according to Ian Larkin, MD, consumer banking at Lloyds TSB.

The reality is that banking fraud is only part of the problem. While it is easy to prevent internet problems (by following the advice on Get Safe Online), clearing up a case of identity theft is frustrating and time-consuming. 

Technorati Tags: ID theft, Lloyds TSB, banking, fraud

What your business can learn from airlines’ precautions

Nobody likes standing in line at the airport waiting to go through the security screening, but look behind the scenes at airports and there is a lot to be learned about security.

Airports are the focus of some of the most extreme security pressures faced by any business. They are high profile targets. People’s lives are at stake. They have to keep the airlines and the passengers happy. I fly light aircraft in my spare time so I’ve seen behind the scenes at many airports: from international hubs like Amsterdam Schiphol to small grass strips in the middle of nowhere.

Having just researched an article for a security magazine about aviation security I have even more respect for airport IT and security managers. It occurred to me that they might have some lessons for small businesses.

Access control

Last year I got a chance to see how a major airline gets its planes ready for a transatlantic trip. Their PR manager took me through the employees’ security check at Heathrow. Everyone, from cleaners to senior managers, has to go through the same checks that face the travelling public. At the departure gate, she needed a swipe card to open the door to the jetway and before we could go on board the aircraft there was someone there to check our documents again. It’s good to know that they take so much care.

I’m not proposing that you frisk your staff every day, but reviewing physical access to your building makes sense. Can visitors get in without identifying themselves? Do you need extra access control for your server room or the finance department? Is there a back door that’s kept open in the summer for ventilation? Would a stranger be challenged by staff? Do visitors need escorts inside your building? Do you check workmen’s identification before allowing them in? Do you vet your cleaners?

Keep your eyes open

I talked to the managing director of a CCTV company. They sell digital cameras to airports. They can plug into a regular computer network and store images on a central server. Security staff can monitor the images anywhere in the building using a wireless network and the images are stored digitally so they can be reviewed any time.

Again, I’m not suggesting 24/7 video surveillance of your staff (which in any case is subject to legal restrictions) but you could use a network-connected webcam to monitor your reception area or server room. At Microsoft’s head office, there are webcams at reception so employees can see when their visitors have arrived and what they look like.

Redundancy

At one regional airport I visited, the IT manager explained to me that they had laid multiple fibre-optic links between the server room and the control tower so that the controllers would stay connected even if one line was cut.

Are there ways you can provide greater redundancy for your IT? For example, having duplicate servers or contracts with IT equipment hire companies to replace stolen PCs within 24 hours? If your broadband internet connection stops working, can you still connect to the internet using a phone line? Will you still get email? Are there any bottlenecks in your network where a single failure could bring down the whole network?

Change control

In the control tower at my home airfield, they still use a telex machine to receive incoming flight plan confirmations. Why? Because it works, it’s secure and it does the job. At the regional airport, they have a more sophisticated computer system that is linked to the NATS air traffic control network. However, it is subject to similar regulations and change control as aircraft engines and other critical aviation systems. Upgrades are tested carefully before being installed. Checks and routine maintenance are carried on a strict schedule – they don’t just wait for it to break.

Are there critical systems in your office that should have a regular maintenance routine? Do you ever yearn to ‘upgrade’ something that is actually working fine? Do you need to institute a change control procedure on, say, your server?

By Matthew Stibbe. Originally posted on Microsoft’s bCentral website. Reproduced with permission.

There’s an interesting report out from the Pew Internet and American Life project. Here’s the summary from their site but there’s also a full PDF available.

The majority of teens actively manage their online profiles to keep the information they believe is most sensitive away from the unwanted gaze of strangers, parents and other adults. While many teens post their first name and photos on their profiles, they rarely post information on public profiles they believe would help strangers actually locate them such as their full name, home phone number or cell phone number.

At the same time, nearly two-thirds of teens with profiles (63%) believe that a motivated person could eventually identify them from the information they publicly provide on their profiles.
A new report, based on a survey and a series of focus groups conducted by the Pew Internet & American Life Project examine how teens, particularly those with profiles online, make decisions about disclosing or shielding personal information.

Some 55% of online teens have profiles and most of them restrict access to their profile in some way. Of those with profiles, 66% say their profile is not visible to all internet users. Of those whose profile can be accessed by anyone online, nearly half (46%) say they give at least some false information. Teens post fake information to protect themselves and also to be playful or silly.

Look Both Ways, by Linda Criddle, is an accessible and well-written guide for parents who want to protect their family online.

The book covers topics such as online bullying, sexual predators, mobile phone threats, spam, scams and online fraud. Once she has looked at the risks and explained the technology, the book changes into a how-to manual for parents. Some of the links and resources are US-centric (the author is American) but the internet is global and the challenges universal.

Grounded in research, which is properly sourced in the book.  If the information is alarming (e.g. “more than 90 percent of kids who meet an online predator in person end up being abused”) it is more so for being grounded in research.

It is not, however, dull. The use of short vignettes that tell the story of perpetrators and victims makes the subject matter vivid. They are anonymised but based on real cases.

There is a quick safety checklist over two pages at the beginning of the book. This is typical of the no-nonsense, down-to-business approach throughout the book. It is full of sensible advice.

By building her practical advice on solid research she avoids the shrillness and hysteria that often attends this subject, for example in British tabloid newspapers. She also avoids damning the internet out of hand.  She doesn’t tell you to shut down your blog or ban your kids from the internet; just how to protect them.

As well as being a detailed guide for concerned parents, Look Both Ways is also a useful overview of the internet child safety threat and the research that has been done on it. It may be a useful primer for carers, police and others who deal with this issue.

Disclosure: this book is published by Microsoft Press and Microsoft is a sponsor of Get Safe Online. The book was provided free of charge for review purposes.

Look Both Ways by Linda Criddle, Microsoft Press. 216 pages. ISBN 978-0-7956-2347.

We are delighted to welcome the latest batch of Get Safe Online supporters:

Gossip Junction

Network 101

iamdentity

Vibrant Light

We will be adding these links to the main site, in the Supporters section, in the next few days.

If you would like to become a supporter and get a reciprocal link on Get Safe Online, visit the Supporters section on the main site.

Technorati Tags: Supporters, security, Get Safe Online