‘Dark market’ websites

by Tony Neate on April 28, 2010

All that is new and shiny in the world of information security and cyber crime was on show at InfoSec Europe this week.  One of the many education sessions on offer dealt exclusively with the current value of fraudulently acquired data traded on ‘dark market’ websites.  Facilitated by Marcus Alldrick of Lloyds, a panel of experts including Martyn Croft (Salvation Army), Geoff Harris (ISSA) and Michael Paisley (Santander) gave their views on how much criminals can expect to sell stolen personal data for on the black market. 

Financial details and medical records were accorded the highest values by the audience in a mock auction between ‘victims’ and ‘villains’, with the average quoted price currently at £2.50 per record. However, other types of personal information such as family photographs, commercially sensitive information and school application forms were given values of up to £400,000 due to the willingness of criminals to employ extortion and blackmail tactics to make money. The market in personal data is growing and many criminal gangs are earning millions from the trade, facts that underline the importance of protecting information online and keeping yourself safe.

We all want to use and enjoy the internet but this education session reinforces the fact that what we value as sensitive and personal is valued very differently by criminals looking to exploit your information for material gain.


Get Smartphone Savvy

by Tony Neate on March 30, 2010

Smartphones have experienced a huge boom in recent years  – analyst numbers show that last year the market grew by 24%. Our own research shows that around 1 in 4 UK web users access the internet via a mobile web browser, and of these, 20% synchronise their handsets with a home PC, 56% use social networking sites, around 1 in 5 shop, and a further 16% have begun to manage their finances from their phones.

So, clearly, using the internet in this way is becoming commonplace for many of us.

Over the last few years, we’ve become more risk-aware when it comes to using the web – most of us know now to protect our PCs with the right security software, keep it updated, and are generally more aware of the dangers of sharing too much personal information online. (Find out more about the key trends in our Report.)

In an ideal world, this conscious effort would automatically transfer itself when we start using the web from our mobiles. However, it seems this may not be the case. Research we’ve released today shows that over two-thirds of smartphone users don’t secure their handset with a PIN or password – the most basic security measure and the first line of defence against fraud if your phone falls into the wrong hands. Around 1 in 5 of us have lost our phones or had them stolen, so the risk is very real.

Part of the challenge is that we still think of our phones as phones – in reality, having a smartphone is no different to carrying around a laptop. But, the way the consumer market is structured – low priced handsets offset by long term network contracts, and a regular cycle of relatively affordable upgrades – means that we just don’t place the same value on a lost phone as we would on a lost laptop or stolen PC.  Indeed, most people who lose their phone bemoan the loss of all their contact numbers – which is not great, but potentially only the tip of the iceberg when combined with all the other personal information our phones contain.

Today, Get Safe Online is running a campaign to highlight the risks to smartphone users. As always, it’s not about deterring people, but about getting them to think about their phones in the same way they do their PCs so that they can recognise and navigate the risks. We’ve now updated the website with fresh and comprehensive advice, which you can check out here.

If you’re a parent, it’s also worth thinking about how your children use their phones – see comments from Dr Tanya Byron yesterday.


Where to report fraud.

by Tony Neate on March 28, 2010

Get Safe Online has now linked up with the National Fraud Authority and Action Fraud.

With Action Fraud, UK citizens can now report fraud far more easily than ever before. Reporting fraud provides anti-fraud agencies with the vital information they need to protect us all from fraudsters, while at the same time helping to bring the offenders to justice.

Action Fraud refers all cases of fraud to the National Fraud Intelligence Bureau which is run by the police service. Although each report cannot be investigated individually, the information you provide will aid the police to build up a national picture of fraud. This will help make the UK a more hostile place for fraudsters to operate in and keep other potential victims safe.

To learn more about protecting yourself from online fraud, visit the Get Safe Online website.

To report a fraud, visit Action Fraud.


Update yourself and your computer.

by Tony Neate on March 26, 2010

 “I update my computer whenever I am told to do so by some message that appears on the screen, so I’m safe”

Unfortunately, more and more security professionals I speak to tell me updating the software on a machine is now more important than updating the operating system. Yes, it is important to update your applications, but not more important. I believe you are as secure as the weakest link in your system, so updating both the operating system and all applications is critical, for both the user and the general security of the web.

However, the new important update is now the computer user: we all need to protect ourselves from the threats that appear on a daily basis by updating our knowledge of what new and existing threats are out there. It’s only with this additional education and knowledge that the end user will not become the weakest part of the security link!


Valentine’s Day – Trying to find love online?

by Tony Neate on February 10, 2010

As Valentine’s Day approaches, those that are single may be thinking about looking for love online.

Online dating is big business these days. Recent research shows the number of Britons paying to use online dating agencies is set to grow from 2.6m in 2006 to 6m by 2012, and set to be worth around £368m in revenues.  In terms of content that people buy online, it’s surpassed only by music and video games.

However, as you will know from me by now, there are some avoidable risks involved. Overall, our approach should be no different to doing anything else online – shopping, social networking, banking: Be aware of the risks, keep your wits about you, and if it sounds too good to be true…

…well, check out Get Safe Online’s top tips here.

Do this, and there’s little reason not to enjoy the benefits of meeting people this way. Indeed, according to independent research for one of the popular dating sites, users find a compatible match once every ten minutes.

Good luck and Happy Valentine’s Day!


The Government speaks out…

by Tony Neate on January 20, 2010

As the discussions regarding the Internet Explorer vulnerability continue in the media, academia and business, and even in my daughter’s school where she is a teacher, the Government, via the Cabinet Office, has just released this statement.

“We take internet security very seriously. Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats.”

The issue of keeping your operating system and all your application software up to date (patched, as some of us will know it) cannot be emphasised too strongly. It is as critical as anti-virus and anti-spyware (both of which should also be set to update automatically), firewalls and secure wireless connections.


Internet Explorer Security Bug Reported

by Tony Neate on January 19, 2010

So what is the problem? Well, there is a bug in versions 6, 7 and 8 of the Microsoft Internet Explorer web browser, which could result in your computer being attacked by criminals. Microsoft is still investigating the bug, so as yet a fix is not available. However, there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.

The following options are available to help protect users until Microsoft releases an update. Follow the instructions in the Microsoft bulletin to increase the security level of Internet Explorer and only allow known trusted sites to be unrestricted. You may have to undo these changes once an update is available.

Install the Microsoft FixIt to enable data execution prevention, which will help stop criminals from using this vulnerability. Again you may have to uninstall the FixIt once an update is available.

Home users and small businesses who do not wish to install the temporary fixes could consider using an alternate web browser until an update becomes available. If you choose to install a different web browser, remember to click “yes” when it asks to be set as the default.

Get Safe Online operates the ITsafe Warning Service. Get Safe Online’s Alerts and Warnings Feed provides timely updates about security issues from HM Government sources.


Have you been Rocked.

by Tony Neate on December 18, 2009

Another guest blog from  Richard Hollis

Did you see the news recently that social networking site RockYou suffered a data breach exposing over 32 million user accounts?   If that wasn’t bad enough, it was also revealed that they were apparently storing all that data (user account information) in plain text in their database. This fact came to light only because when RockYou attempted to downplay and dismiss the severity of the incident, the hacker responsible published a sample of the data to prove it and demonstrate that all the user passwords accessible were stored unencrypted.
 
To make matters worse, the published dataset also contained user password and logon credentials for other social networking sites.

 So however you do the maths, there is a possibility that this hack directly affected you if you use a social networking site. The hacker was able to access this information through a SQL injection vulnerability on the RockYou site.  This hacking technique is old, widely known and does not require a great deal of expertise to execute.  The point being that any online business even marginally concerned with security would have closed off this easily exploited security hole before even thinking of launching their site – but apparently not RockYou.
 
Their attitude towards security is further demonstrated in their published password policies, as they only mandate a minimal length of 5 characters for their account passwords. They have no requirement for mixed case, alpha-numeric characters and in fact enforce password simplicity by not allowing any punctuation at all. This is where RockYou gets it wrong. Passwords are the very foundation of online security. At this time of year we should think of them like underwear – the longer the better.
    
Learn a lesson from this incident – buyer beware! Next time you sign up to a social networking site or any web service for that matter, read the fine print. What is their security policy? Do they have one? If they don’t publish it on the site – chances are they don’t. Sending you open text passwords in emails is another indication that their approach to security may be short of your expectations. Read the privacy statement. Do they inform their customers about losses or breaches? Do you want to use them if they don’t? The choice is yours.

Richard Hollis – Orthus Ltd


Coming to a Theatre near you

by Tony Neate on December 17, 2009

Guest blogger Richard Hollis

Last week, the United States Congress, House of Representatives, passed the Data Accountability and Trust Act – H.R. 2221. The bill is now on its way to becoming Federal law. This is long awaited and very good news for consumers. It’s similar to the breach notification laws enacted by over 30 of the 50 states, sparked by California mandating public disclosure of breaches back in 2003. Federal public disclosure laws were previously blocked under the Bush Administration. In essence it mandates that businesses publicly disclose breaches of personal information in their possession.
     
The new law will formally define personal information as, “an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

• Social Security number, driver’s license number or other identification number
• Financial account number, or credit or debit card number and any required security code, access code, or password necessary to permit access to an individual’s financial account.

It formally establishes the Federal Trade Commission (FTC) as the oversight body and requires organisations holding data to implement a data protection policy and identify an information security officer.   More importantly, the new law will direct that businesses in possession of personal data establish procedures for identifying security vulnerabilities in the networks that process this data and monitor for breaches.  The FTC would also be tasked with posting breaches on their website.

The bill has some more stringent requirements for “data brokers”, including audits in the event of a breach.  It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are also required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers.  It doesn’t get any better than that.

The law will naturally result in a higher level of protection for personal data held by both public and private sector entities and establish the legal framework for consumer legal actions resulting from breaches.  It will also add some degree of consistency for organizations establishing programs to protect personal data and simplify compliance.
 
Good news for consumers everywhere as US law has a way of affecting legislation worldwide.

by Richard Hollis December 16, 2009 – Orthus Ltd


Especially Children….

by Tony Neate on December 8, 2009

Yesterday the QEII Conference Centre in London saw the opening of The UK Council for Child Internet Safety Summit. The Council was a recommendation in Professor Tanya Byron’s report ‘Safer Children in a Digital World’.

The primary purpose of the summit was to launch the Child Internet Safety Strategy. The summit provided an opportunity to discuss the strategy, showcase recent research findings and highlight the good progress made so far in delivering on the child online safety agenda.

The event also had a public facing element with the launch of the internet safety code and three cartoon characters that will help remind children of some of the do’s and don’ts of safe use of the internet. I think these characters are great and can be used by anyone on the internet to highlight the internet safety message to children. More information can be found on the UKCCIS website: http://www.dcsf.gov.uk/ukccis


Gumtree joins Get Safe Online

by tcallington on November 26, 2009

Tackling internet crime is a complicated job, to say the least. Which is why Get Safe Online is all about collaboration. So today, we’re pleased to announce that we have another valuable string added to our bow with Gumtree.com joining us as a sponsor. You can read more about our partnership here.

You can also keep up to date with Gumtree activity on its blog. And if you’re a Gumtree-user, we also recommend checking out the Gummies Guide – a series of videos on how to use the site and stay safe while doing so.


Spreading the message

by Tony Neate on November 20, 2009

On Monday (16th November 2009) I chaired the Get Safe Online Summit which took place in central London. The Summit is one of the cornerstones of Get Safe Online Week, and this year attracted over 120 key partners and stakeholders from across the public, private and voluntary sectors.

The keynote was given by the Rt. Hon. Angela Smith, Minister of State for the Cabinet Office. The Minister commented: “The internet can be a great tool to help people find work during the global economic downturn, but with criminals using increasingly sophisticated methods to take advantage of jobseekers, we need to maintain vigilance.  Scams such as the recruitment of Money Mules can end up landing you in trouble with the law, which is why we’re asking all internet users to take some time out of their week to visit the Get Safe Online website and make sure they are up-to-date with the latest threats and advice.”

The agenda continued with Paul Evans, director intervention at SOCA, discussing strategies for reducing harm in the virtual world and the role that consumer education plays in law enforcement efforts.

Nancy Johnston, technology development manager at Age Concern and Help the Aged, discussed the broader challenges within the context of digital inclusion issues for silver surfers – highlighting the importance of simple interfaces, avoiding jargon, accessibility and lifelong learning.

Andy Auld, intelligence manager for SOCA’s e-Crime unit, highlighted a number of key threats including money mule scams, which have proliferated in line with growth in online banking fraud (recently published figures from Financial Fraud Action UK show that, in the first six months of this year, UK online banking fraud losses amounted to £39 million, an increase of 55% on the previous year).

The Summit also marked the launch and publication of the 2009 Get Safe Online Report, UK Internet Security: State of the Nation, which examines consumer trends and experience of online crime. Presented by Garreth Griffith, head of UK risk management at PayPal and a director of GetSafeOnline.org, the key findings of the Report can be found on the Get Safe Online website.
