It's Not A Con » Data loss

Roll up roll up… my personal details are for sale!

admin — Thu, 19 May 2011 07:10:20 +0000

This guest post has been written by Oliver Crofton of Vigilante Bespoke, a digital security firm.

It is alarming how often personal details are harvested by cyber-criminals looking to imitate, trick, or simply track unsuspecting internet users.

In the most unlikely places, personal information can be posted online without the person who the information is actually about even knowing.

So where are cyber-criminals finding this information?

A quick search online will provide a good starting point to get information on most of us; with the electoral role, land registry, and social networking sites all giving a powerful insight into our personal lives.

As if that’s not enough, blog sites, reviews, comments, and even pictures can provide an insight into our backgrounds, habits, and even personality.

We often get asked whether it really matters if someone can obtain an address, a photo, or date of birth, and the answer in short is yes! Whilst these snippets of information may be harmless on their own, if they are part of a larger profile on you, than it can become a very serious issue.

We were recently engaged to look after a new client who had fallen victim to online fraud:

Client X posted comments on an online forum complaining about a bad experience he had had with his mobile phone company. He used his real name and listed the town he was from. A cyber-criminal noted this information and tracked his details on the land registry and obtained his postal address and home phone number. The criminal sent Client X a very expensive phone bill posing as his mobile phone company, which looked completely legitimate. The phone bill related to calls made from America, and Client X became worried that he hadn’t been to America recently and his phone must have been used without his knowledge.

When he called the number on the letter (which he thought was his phone company), they admitted there indeed had been a mistake, and they would gladly “refund” Client X with the money. Keen to resolve the issue, Client X provided his bank details so that the “refund” could be made.

Unfortunately there was no refund, and Client X had been conned out of £3,500.

Whilst many of us may think that we wouldn’t fall for such an obvious con, legitimate looking emails or letters which contain personal information, and are from a service provider you currently use, can be very difficult to spot; so keep your eyes peeled.

Vigilante Bespoke provide digital security services to high-profile individuals in sport, entertainment and commerce. For further information visit: www.vigilantebespoke.com

Your printer knows a lot about you – think about it

con — Wed, 21 Apr 2010 15:01:22 +0000

As I walked into the office this morning, I saw a large copier/printer/fax waiting to go the other way. It was obviously on its way to the skip or the second-hand shop. For those of us working in offices, we have grown used to using these multi-function devices (MFD). In some ways, the MFD has become the new ‘water-cooler’, where, people come together for a quick chat or gossip, as they wait for their document, or scan to complete and heaven forbid, even a fax to pop out of it.

I suppose it never would really occur to us that many of these MFDs would have a hard disk in them. We all know that they have to have some sort of storage in them, don’t we? Hence, why jobs get ‘queued’ to the printer, then we all stand around waiting for my ‘job’ to complete. This story from CBS News, really made me think. They report that ‘Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine. In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.’

CBS News launched an investigation, where they bought second hand copiers. They bought four for circa $300. They took them away, then removed the hard drives in them and had a look at what was stored on them. There was a lot of valuable information; tens of thousands of documents. On one used by a sex crimes unit, they found information which detailed domestic violence complaints. One copier, used by a Police drugs unit, contained a list of targets in a drugs raid. One other copier was used by a health insurance company and had 300-pages of individual medical records.

It really makes you think – does it not. It is a wake call to the manufacturers of these devices and the companies who use them, to consider how to erase and remove information from them. We as consumers need to think about the printers and copiers we use at home and understand if they contain a hard drive. If they do, then you need to find out from the manufacturer, or the retailer who sold it to you, to understand how you can erase the drive when you are finished with the device.

Not backing-up Your Digital Life?

con — Wed, 27 May 2009 12:42:07 +0000

When was the last time that you did a back-up of your PC? It is a good question and an important one. We have recently conducted a survey to ascertain people’s views on back-up and you can follow this link to it. If you follow this link it will take you to a YouTube video we have also created on the results from this survey. We found that only one third of us carry-out a regular backup. Only one in five us backup all of our content.. There seems to be a consensus that the content we are gathering and creating on our PCs grows at circa 50% per year. That would suggest that backing up content is important. The reasons given for people not backing up are those of complexity and never seeming to have the time. I believe that, as with a lot in our new digital life, the internet can also be the source of a solution. The ability to backup our important content to an online backup service is now here with us. It offers the ability to access your content from wherever you have access to the internet. You are no longer tied to, nor reliant upon, standalone hardware based backup. The beauty of this approach is that the content can follow you around, not you having to go and chase it. That is why we here at Symantec have just released Norton Online Back-up, a web based backup service. It’s ambition is to make back-up convenient and simple and to provide the peace of mind that we all want and need when it comes to securing our digital life.

The $160Billion question?

con — Mon, 16 Jun 2008 14:25:42 +0000

The security focused news-wires have been busy this past week reporting on the impact of ‘ransomware’. This is in response to the discovery of a new variant of Trojan.Gpcoder. This is a particularly nasty threat that uses public key cryptography to encrypt files on a person’s computer and subsequently requests payment from the user in order to recover the files. What was newsworthy about the new variant was that it was using a 1024-bit encryption key. In lay-man’s terms, this means that it is tough to crack the code to release the encrypted data.

The latest variant of the virus, first reported on June 4, appears to not have the implementation flaws of previous versions. While 1,024-bit keys are considered weak for high-security applications, the encryption is strong enough to foil reasonable attempts to brute force the solutions. In a blog on the Symantec Security Response site, Eoin Ward, notes that by some estimates a machine that could break one 1024-bit RSA key in about a day, would cost $160 billion when adjusted for today’s prices. Wow!

Ransomware has been about for quite a while. It is a nightmare scenario for many users, However, it is relatively uncommon, simply because it is hard to ‘cash-out’. By that, I mean the ability of the bad guys to get money for it. They have to setup a payment mechanism to get the ‘ransom’ and in doing so, they make themselves vulnerable to being detected. In those cases that people have paid up, the ‘ransom’, has tended to be pretty low i.e. in the range of $50-$100. So, I don’t think there is any prospect of $160 billion being spent to solve this. So, what is to be done?

Well, what this incident brings to the fore is the need for regular backups. This will mean you have something to fall back to, if you were to fall foul of this type of attack. Now, whilst the debate rages on about how to generate a key to decrypt this variant of Trojan.Gpcoder, definitions have been created and released to identify it. Therefore, ensure your AV definitions are up-to-date.

When Malware becomes Crimeware

admin — Wed, 28 May 2008 09:56:53 +0000

Now, without wanting to necessarily start an official book club – there are enough in the world without me getting into the act. I have had the opportunity in the past few weeks to read a couple of security focused books that I thought you may well be interested in and benefit from. They both focus on the evolution of ‘malware’ into ‘crimeware’. ‘Crimeware – understanding new attacks and defences’ is by Markus Jakobsson and Zulfikar Ramzan (www.informit.com/aw). It is very comprehensive in its scope and helps the expert, and not so expert, understand and prevent specific crimeware threats. What is does well is to explain how, from a technical standpoint, malware can and is used for the purposes of crimeware. Zulfikar Ramzan is a colleague of mine here at Symantec and he has also roped in some other members of the team to help with some of the chapters.

‘Zero Day Threat’, by Byron Acohido and Jon Swartz (www.sterlingpublishing.com), provides a further insight into the developing world of crimeware. The authors are journalists with USA Today and they neatly manage to intertwine a narrative of a real-life ‘bust’ of an author of crimeware in Canada, whilst outlining the failures of Banks and Credit Bureaus to keep people save from crimeware. It provides a good and thought provoking overview of what is and potentially could happen, without descending into the realms of deep technical analysis.