Cybersecurity Monthly Round Up

November has seen both ups and downs in the world of cybersecurity. The video gaming service Steam fell victim to a devastating hack, potentially exposing personal information and credit card details of 35 million users. In a similar attack, Norway’s oil, gas, and defence firms were attacked by hackers. Norway’s National Security Agency confirmed that the details of contract negotiations along with industrial secrets had been stolen. The NSM said it was the biggest attack of its kind Norway had experienced, with 10 or more businesses affected.

A new report found the UK consumer protection system to be failing to keep up with the digital revolution, leaving people at risk of scams. As a result, online shoppers are at risk of email scams and fraud, says the Commons Public Accounts Committee. Online security experts also warned that a growing amount of malware is being disguised as seemingly innocent smartphone apps. The malware can send costly messages from the device without the owner being aware, the experts warn.

Facebook hit the headlines more than once, firstly as researchers from the University of British Columbia managed to steal information from the social networking site using social bots. The researchers were able to befriend genuine Facebook users, and then steal personal details. The second piece of news from camp Facebook was more positive: the site announced that it is changing the way it amends users’ privacy settings. The news that Facebook will ask users to opt into any changes in the way it uses their personal information has been welcomed by privacy campaigners.

Continuing with more upbeat news, EU and US cybersecurity experts came together to stress-test their response to an online attack. Following a global rise in cybercrime and hacking attacks, Brussels played host to the European and US online security exercise this month. The event was the first time both had come together to role-play an emergency scenario. The beginning of November saw London play host to the London Conference on Cyberspace. The international conference gathered representatives from 60 nations to discuss how to tackle the increasing levels of cybercrime. The attendees included foreign secretary William Hague, EU Commissioner Neelie Kroes, a variety of leading cybersecurity experts and technology entrepreneurs such as Wikipedia founder Jimmy Wales, Cisco vice-president Brad Boston and Joanna Shields, a senior executive at Facebook.

Norwegian Industrial Secrets Exposed in Hack

Norway’s oil, gas, and defence firms have been attacked by hackers. Norway’s National Security Agency (Nasjonal sikkerhetsmyndighet or NSM) confirmed that the details of contract negotiations along with industrial secrets had been stolen. The NSM said it was the biggest attack of its kind Norway had experienced, with 10 or more businesses affected.

With an ever-increasing number of cybercrimes committed, Norway is the latest victim. Several countries have lost secrets and intellectual property to cyber thieves. “It is critical that businesses have up-to-date security systems in place, and also a clear protocol of what to do if an attack occurs. It is also key to train staff for what to look out for,” online security and cybercrime expert Tero Pollanen advised.

The attackers gained access to the firms’ networks by sending customised emails with viruses attached that would not trigger anti-malware detection systems. According to the NSM, the emails had not only been sent to named targets at the businesses, but were also designed to look like they had come from trustworthy sources.

The attack took place at a crucial time for the firms: in the middle of negotiations for large contracts. Details stolen include passwords, user names, contracts, industrial designs, and documents. It is believed that all the information is now overseas.

Due to the similar nature of the targets, the techniques used in the attacks, the virus coding, and the way in which data was lifted, the NSM is confident that one group is responsible for all of the attacks. Furthermore, the NSM believes that there are other victims yet to come forward, and is appealing for them to do so. In a statement the NSM said: “This is the first time Norway has revealed extensive and wide computer espionage attacks”. Whilst vigilant users had picked up on the hacking and informed internal IT security staff, the NSM says it is likely that many are unaware of the attack, or that information has been stolen.

Facebook to Seek Consent

Facebook has announced that it is changing the way it amends users’ privacy settings. The news that the social network site will ask users to opt into any changes in the way it uses their personal information has been welcomed by privacy campaigners. Facebook is yet to comment.

Whereas previously Facebook merely announced changes to a user’s settings without requesting permission, this change puts the user back in control. The change comes after an investigation by the US Federal Trade Commission, according to a report by the Wall Street Journal. It is also suggested in the report that the social networking site has agreed to privacy audits for the next 20 years by an independent organisation.

One point that has not been clarified by the FTC is exactly how a user’s consent will be obtained. Privacy International, a UK-based advocacy group, commented: “Facebook has historically been extremely resistant to transparency in its own operations, so we welcome measures that would force the company to obtain express consent of its users.

“However, it seems likely that the FTC’s demands will only present a temporary obstacle in the path of Facebook’s ambitions to collect its users’ information. Faced with reams of small print, most users are likely to automatically agree to policy changes, with each change bringing us one step closer to Zuckerberg’s vision of a privacy-free future.”

Facebook founder, Mark Zuckerberg, was questioned on US show Charlie Rose about the firm’s privacy policies earlier this week: “You have control over every single thing you’ve shared on Facebook,” he said. “You can take it down.” Mr Zuckerberg also claimed that other search engines and advertisers gathered a “huge amount of information” about internet users through cookies, which is “less transparent than what is happening at Facebook”.

Online security and cybercrime expert, Tero Pollanen, commented “Privacy policies and security settings are a hot topic at the moment. Statistics have shown a rise in the amount of personal information found on the internet, and a rise in online scams and identity theft. People need to be more aware of online risks and know how to protect themselves. My blog, www.tero-pollanen.blogspot.com has tips for staying safe online, news about current scams and security essentials”.

As to the reason for the FTC’s intervention, it is reportedly being linked to the campaign group Electronic Privacy Information Center (EPIC). The group filed a complaint 2 years ago with the commission, claiming that the changes in privacy settings “violate user expectations, diminish user privacy and contradict Facebook’s own representations”. EPIC also noted that Facebook users, security experts, and others had raised concerns about the change. A year later, EPIC filed a follow-up complaint claiming the social network had violated consumer protection law.

Facebook’s performance is staggering: according to the site it has over 800 million members who have used the site at least once in the past 30 days. In addition to this, the Reuters news agency reported that the site’s revenues for the first six months of this year alone totalled £1bn, thanks to advertising. Andrew Charlesworth, director of the centre for IT and law at the University of Bristol, points out: “Users are not social networking sites’ primary customers, advertisers and marketers are.

“While the FTC settlement indicates sites must be more open about the ways they make personal data available, and provide users with greater control, Facebook and others will already be rethinking the techniques they use to persuade users to keep their personal data publicly accessible.”

Malware Disguised as Smartphone Apps

Online security experts this week warned that a growing amount of malware is being disguised as seemingly innocent smartphone apps. The malware can send costly messages from the device without the owner being aware, the experts warn. The scams work away in the back end of smartphones, sending expensive messages and making calls to premium-rate numbers. No evidence shows in the messages folder or call history, so the user is unable to tell what is going on.

GetSafeOnline.org, an internet security initiative, says that the messages can be sent as regularly as once a minute, costing as much as £6 each. As the user is unaware of the rogue app, for most victims the first they know of what has been going on is when they receive an astronomical bill. Rik Ferguson, of Trend Micro, warns: ‘The user won’t know this is taking place, even if they happen to be using the device at the same time, as the activity takes place within the device’s “back end” infrastructure. This can often continue for weeks before being noticed.’

So why are people downloading the app? According to Tero Pollanen, an online security expert: “the malware is disguised as something else. Often as an add-on to a popular and legitimate online game, or even as a security tool. Furthermore, once installed, fraudsters have full control of the victim’s device. This enables them to browse the internet, gain access to personal information, access payment data etc. This information is valuable and can be sold, and also used to commit further fraud”.

How do you avoid smartphone scams? Cybercrime and online security expert Tero Pollanen recommends protecting your phone in the same way you protect a computer: “Installing anti-virus or anti-malware software is advisable.

“Before downloading an app, check reviews and ratings as well as developer information. Signs that malware is present on your device include a fast-draining battery: the malware can use a lot of energy, so any change in battery performance could be a sign. Finally, it is always best practice to check your bills every so often”. If you do find signs of online fraud, report it at http://www.actionfraud.org.uk.

Consumer Protection Plan “Flawed”

Consumers are being left at risk, say MPs in a new report. According to the report, the UK consumer protection system has failed to keep up with the digital revolution, leaving people at risk of scams. As a result, online shoppers are at risk of email scams and fraud, says the Commons Public Accounts Committee.

So who are the fraudsters? The rogue traders are typically based in areas with minimal policing, from where they are able to scam people nationwide. The amount consumers lose to these scams is estimated at £6.6bn annually. Of this, approximately £4.8bn is the result of mass market scams such as counterfeiting and unscrupulous traders.

Cybercrime and fraud prevention specialist Tero Pollanen had the following to say: “Cybercrime is an ever increasing issue, and is costing businesses billions. Unlike ‘traditional’ crimes, cybercrime is not localised, it is an international problem that can be carried out from almost anywhere. One of the biggest issues is understanding where an online crime is committed, and how to bring varying international rules in line with one another”.

The report by the Commons Public Accounts Committee echoes Tero Pollanen, and also the conclusions of the National Audit Office, in describing the consumer protection system as “fragmented”. Whilst the government is spending on consumer law enforcement, the report found repeated inconsistencies. Staffing, for example, ranged from two to 80, and there was not a uniform level of help and assistance for consumers across the country. This results in “enforcement deserts where local authorities do not spend enough money to provide an acceptable level of protection to consumers,” the report said.

Fraudsters wanting to abuse this can set up in one of these “enforcement deserts”, and today’s technology allows them to find their victims nationwide. The report found that the current protection system had “failed to keep pace with online traders”.

“When the enforcement system was first established, trading was more localised and consumers tended to lose money through singular instances of malpractice, for example, by being overcharged or sold a short measure,” the report said. “Now, the increase in the number of companies who operate nationally and the trend towards online shopping have caused problems which are more likely to affect consumers on a regional or national level.” As cybercrime and fraud prevention specialist Tero Pollanen stated previously, there are no clear arrangements for who should take on the task of large, expensive cross-border cases.

“The department must ensure that these changes do not allow new sophisticated scams to emerge and persist without challenge,” said Margaret Hodge, who chairs the committee. “Doorstep selling of substandard or non-existent services is a massive issue for consumers, particularly those who are vulnerable. The department has too little information on what the cost of protecting consumers is or how successful current interventions are.”

Hello world!

Hello World!

It was time for me to make a blog where I can share information and developments in the Financial Crime and Cybercrime space.

I will use this blog to talk about interesting cases and also to provide some advice on how you, as a person or an organisation, can protect yourself against Fraud and Cybercrime.