Saturday, February 6, 2016

Three Must Do’s to make a Security Awareness Champion

Setting an example is the best way to institutionalize security awareness within a workplace or at home. Colleagues and children naturally follow examples set by champions as it makes it easy to mimic rather than spend time to self-learn. I found three important aspect to championing security awareness.

Be a role model

Cybercitizens champions take an active interest in being secure by keeping themselves updated and implementing security guidelines for the gadgets and services they use at home, for work and on the Internet. Knowledge on the do and don’ts of security for workplace system is normally obtained through corporate security awareness programs but for personal gadgets and services one needs to invest time to read the security guidelines provided by the service/product provider or on gadget blogs. Security guidelines provide information on the best practice to be used for secure configuration of gadgets, use of passwords, malware prevention and methods to erase data.  Besides security issues like password theft or loss of privacy, there is the possibility of becoming a victim of fraud when using ecommerce. Most ecommerce sites have a fraud awareness section to educate customers on the common types of frauds and on techniques to safeguard against them. Role models take pride in what they do and this passion becomes a source of motivation to others around them. A security champion delights on possessing detailed insights on how to use the best security features in gadgets (say mobile phones) or on recent security incidents.

Be a security buddy at your home

Telling people what to do to keep themselves secure online is difficult, primarily because security controls lower the user experience; as an example most people may prefer not to have a password or keep a simple one for ease of use. People tend to accept risk because they do not fully realize the consequences of a damaged reputation or the financial impact from the fraudulent use of credit cards until they or someone close, experiences its effects firsthand. Security champions act as security buddies at home. They take time to understand how their family members both young and old, use the Internet and to themselves learn about the safety, privacy and security issues related to those sites. Buddies perform the role of coaches, engaging in regular discussions on the use of these sites from a perspective of avoiding security pitfalls and the avoidance of risky behavior that may lead to unwanted attention from elements looking to groom children for sex or terrorism. Highlighting incidents of similar nature helps raise awareness of the reality of the risk.

Display commitment to security at your workplace

Small acts go a long way in promoting useful security behavior. A small security cartoon displayed on a work bench can immensely add to the corporate security awareness effort. Champions bring attention to the importance of security in business by bringing up security in routine business discussions; for example circulating insights into recent published security incident within a discussion group (leadership, business) and popping the security question “what if a customer security or privacy is affected” during project discussions.  

Thursday, January 28, 2016

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. The Indian intelligence and police agencies over the last few weeks successfully nabbed ISIS operatives foiling major terror plots in the run up to the 26th.

With tensions running high, and the anti-terror squads under full alert, a mentally disturbed man swatted airport and railway helpdesks claiming that bombs would go off on Mumbai-bound flights, and cars stuffed with explosives would blow up at the airports and the Pune Railway Station.  Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man who was later apprehended had made four calls made over two days to airports and railway stations claiming that there was a car packed in the airport vicinity loaded with explosives or that a person onboard a flight was carrying a bomb in his hand luggage. This ensured that over 200 policemen were diverted from deterring real terrorists to comb these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur for pranks, online harassment or even for revenge. Recently Skype introduced a patch which protected the privacy of a callers IP address, a flaw which could be exploited to launch swat teams on rival gamers using IP geolocation. 

Such acts are akin to terrorism  and punishable as a crime because of  its potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to persons targeted. Cybercitizens are advised not to make prank calls for whatever reasons as the joke may turn into a long ugly jail term

Friday, January 22, 2016

Cybercitizens, stay away from commenting or liking posts with terror ideologies

Of current global concern is the ease at which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave all and fight wars in hostile lands. Their success stems from their ability to spin doctor content and communicate in a way that is alluring to young people.  The outcome is brainwashed young people who willing give up their lives, blowing themselves up in crowded areas killing innocent people.

As the death toll mounts so does the pressure on social media companies or online platforms which have given a voice to these terror organization. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only to remove it. Which they made harder to do, as they decided to only remove content that violate something obvious like pornography but others which were more specific like defamation, sullying reputation, hate speech was subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online and many countries with a different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their sufferings, it scant mattered to the social media companies but now when lives are being lost, and it is a matter of huge public interest; they are under tremendous pressure to get their act right and reduce the ability of these groups from using this platform while still maintaining the privacy of individual users.

I was surprised to see a Davos new headline which stated that Facebook's Sheryl Sandberg: 'likes' can help stop Isis recruiters, was recommending cybercitizens to spread positive messages (counter propaganda) on terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change. Should not counter propaganda of any sort be organized!

Liking or commenting on such sites brings you in the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.  

Instead social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of small social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task as the initial indoctrination, I would expect is in plain speech.

Thursday, August 20, 2015

Should one fret over the leaked Ashley Madison data?


Several news sites have reported that 15 GB of identity data stolen last month from AshleyMadison.com online has been made available on the darknet. Three sites have since sprung up with allows interested parties to query the site to ascertain the identity of Ashley Madison users.   AshleyMadison.com allowed married people to have short extramarital affairs. While the morality of the services provided may be questionable, and is perhaps best left to judgment of individuals, there is a serious risk of reputation damage if the data is fake.
There are several reasons why it may be. Firstly this is not the first leak to appear online; there have been several in the span of the last month. Then, there is the question of the validity of the email address and other details which were never verified. There is always a probability that a prominent person or an associate’s identity was used to create a profile. From one analysis, it seems that 90% of the users were male and most of the female profiles were fake. If this is true than users subscribed but may not have been able to use the site. Many users may have subscribed due to curiosity or for fun. Some articles seem to suggest that once subscribed removing a personal profile from the site was not easy. Finally, there is a strong suspicion that some of this data may have been amalgamated from other breaches.

On the flip side there seems to be several reports of individuals claiming to verify that they were users of the site and confirming their email ids in the released data.
Whatever, may be the truth, I would like cybercitizens to know that though it seems to be a sordid affair not to disrupt your personal lives purely by data that cannot be verified put out on the net.