Halt. Who Goes There?

Reputation - both made and lost in cyberspace. A man is suing a ‘friend’ for allegedly setting up a fake Facebook account with incorrect and damaging details on it. Herein lies the problem - it is so easy to do. You don’t need any proof of identity to set up a web page on any of the social networking sites, so you can frame anyone and everyone if you really want to.

I have written before on whether you should or shouldn’t join social networking sites - if only to ensure that others can’t impersonate you - as well as on other forms of impersonation on the Internet. But… let’s face it, these things are popping up all over the place. OK, so there are a few really popular ones, but you could never cover them all. The problem is that a damaged reputation can take years to recover if you are a company, and sometimes never recovers if you are an individual - as there is always a nagging doubt.

We don’t have any specific legislation to cover this issue and I’m not sure if any of the legislation we have that skirts the topic (impersonating others) can be brought to bear, as it is not being done for personal gain. Perhaps libel - but then again the site is purporting to be ‘you’ rather than someone else saying defamatory things about you. I would welcome other people’s thoughts in this rather grey area.

Perhaps it is time for social networking sites to grow up; after all, their success is based on accuracy - the person you find is the person you know. It looks like this is another example supporting the decline in Implicit Trust.

How Would You Know?

There is a case running in the US at present where a student hacked into his school’s database and changed his grades. This could be considered malicious data corruption! The allegations arose when some cross checking showed up some anomalies, which led to an investigation. The question is, would you know if something similar was going on in your organization?

Data loss is easy to spot if it is a laptop that has gone missing - it was here one minute, now it’s gone. Data skimming is tough to spot, i.e. where data is being slowly and steadily extracted, for example over a wireless network - it does eventually get found out, but it sometimes takes years. But what about malicious data corruption - how would you know? In this case it was relatively simple to spot once the cross check event occurred - but what if there hadn’t been the need for a cross check? What if someone had broken in to a system and upped a credit note? The automated cheque system would probably print out the rebate without hesitation - provided it wasn’t over a specific amount.

Audit trails would provide some comeback (should a cross check occur) but the operation to alter credit notes is probably a valid function, so how would you know which was ‘real’ and which was not?
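One way to get that cross check without waiting for someone to notice: replay the audit trail and compare the result with what the ledger says now. The following is an added example (not code from the original post); the ledger rows, audit lines, user names and the approval threshold are all constructed for illustration. A credit note whose current amount cannot be reproduced from the audited create/amend events was changed outside the application path, and an amendment above the threshold with no approve event is the ‘valid function, wrong use’ case the post describes.

```python
"""Reconcile a credit-note ledger against its audit trail (added example).

All data below is constructed; it does not come from any real system.
"""
from collections import defaultdict

# Assumed policy: amendments at or above this amount need an 'approve' event.
APPROVAL_THRESHOLD = 500.00

# Current state of the credit-note table (constructed).
LEDGER = {
    "CN-1001": {"amount": 120.00, "customer": "ACME"},
    "CN-1002": {"amount": 950.00, "customer": "Globex"},    # amended in-app and approved
    "CN-1003": {"amount": 4800.00, "customer": "Initech"},  # changed outside the app
    "CN-1004": {"amount": 2500.00, "customer": "Umbrella"}, # amended in-app, never approved
    "CN-1005": {"amount": 700.00, "customer": "Hooli"},     # no audit events at all
}

# Application audit trail, one event per line (constructed).
AUDIT_LOG = [
    "2008-04-01T09:12:03 create  CN-1001 user=asmith amount=120.00",
    "2008-04-01T09:30:45 create  CN-1002 user=asmith amount=400.00",
    "2008-04-02T10:02:11 amend   CN-1002 user=bjones amount=950.00",
    "2008-04-02T10:05:00 approve CN-1002 user=cwhite",
    "2008-04-02T11:15:22 create  CN-1003 user=asmith amount=480.00",
    "2008-04-03T08:44:09 create  CN-1004 user=bjones amount=300.00",
    "2008-04-03T08:50:31 amend   CN-1004 user=bjones amount=2500.00",
]


def parse_audit(lines):
    """Turn 'timestamp action note key=value ...' lines into event dicts."""
    events = []
    for line in lines:
        ts, action, note_id, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        if "amount" in fields:
            fields["amount"] = float(fields["amount"])
        events.append({"ts": ts, "action": action, "note": note_id, **fields})
    return events


def replay(events):
    """Rebuild what each credit note should look like from its audited events."""
    state = defaultdict(lambda: {"amount": None, "approved": False, "last_amend": None})
    for ev in events:
        s = state[ev["note"]]
        if ev["action"] == "create":
            s["amount"] = ev["amount"]
        elif ev["action"] == "amend":
            s["amount"] = ev["amount"]
            s["last_amend"] = ev["user"]
            s["approved"] = False  # every amendment needs a fresh approval
        elif ev["action"] == "approve":
            s["approved"] = True
    return dict(state)


def reconcile(ledger, audit_lines, threshold=APPROVAL_THRESHOLD):
    """Return (note_id, reason) findings where ledger and audit trail disagree."""
    state = replay(parse_audit(audit_lines))
    findings = []
    for note_id, row in sorted(ledger.items()):
        if note_id not in state:
            findings.append((note_id, "ledger entry has no audit trail"))
            continue
        s = state[note_id]
        if abs(s["amount"] - row["amount"]) > 0.005:
            findings.append((note_id, f"ledger amount {row['amount']:.2f} differs "
                                      f"from audit replay {s['amount']:.2f}"))
        if s["last_amend"] and s["amount"] >= threshold and not s["approved"]:
            findings.append((note_id, f"amended to {s['amount']:.2f} by "
                                      f"{s['last_amend']} without approval"))
    return findings


if __name__ == "__main__":
    for note_id, reason in reconcile(LEDGER, AUDIT_LOG):
        print(f"{note_id}: {reason}")
```

The replay only catches what bypassed the application; if someone edits both the table and the audit log, the two agree and nothing is flagged. That is why the audit trail needs to be append-only and shipped somewhere the people who can change credit notes cannot reach, and why the threshold rule is worth running even when the numbers reconcile.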

Do You Join… Or Not

I seem to have been inundated with requests to join a new ‘Business Social Networking’ service. It appears that quite a few people I know have joined up… they have then had their address book savaged and emails sent to everyone they know. So… here’s the dilemma, do you sign up or not? I belong to one business social networking site already, do I really need another?

I think the answer is no - I don’t need another, especially as the one I belong to is well established and does what I need it to (basically keep email addresses up to date - people change jobs all the time, so keeping up with a valid address can be a real task.) Having said I don’t need to sign up to another service, I have joined this new one… why? Just so no-one else can join as ‘me’. I have posted my picture but that is all - and I didn’t let the system look through my address book!

Internet based reputation is just around the corner but it isn’t here yet - and when it does arrive it needs to be guaranteed and user friendly. In the meantime, if someone has put my details out on the web and I need to have an account to correct them, or to keep someone else from signing up as me, then I will. This isn’t foolproof, far from it. There are so many ‘free’ email providers, social websites and the like that if you want to be someone else, it is very easy to do - perhaps a little too easy?

The Fine Art Of Zippering…

… or ‘enrichment’ as it is sometimes known. Zippering is where you take data from multiple sources and put it together to create something more meaningful. It is usually used in the ‘phishing’ sense, where cyber criminals gather the information to put together a targeted attack (aka spear phishing). However, there is a call to collect all sorts of information in a single database, and there are a number of problems - notwithstanding the privacy ones!

Firstly, if someone gets hold of all the information, they need look no further as it is a treasure trove for phishers. Secondly, when zippering information it is vitally important that the pieces relate to a specific individual - and this is the tough part. Imagine if it is done based on name… oops… too many John Smiths out there… what about address… umm… well there are quite a few people at the same address who have different email addresses… by phone record… pay-as-you-go. Email… cyber cafés. The list of potential problems is vast. If you do get it wrong, the consequences for an individual can be disastrous. There was recently a case where a stolen credit card was used to download illegal material - and the card owner was accused and it, to all intents and purposes, destroyed his reputation and his life.

So… if we are going to collect vast amounts of information it needs to be secure AND accurate - and failure on either of these counts is not (as the saying goes) an option.
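The accuracy problem above can be put in numbers. The following is an added example (not code from the original post) that links a handful of constructed records on different key combinations and counts how often the link is wrong. The records carry a ‘person’ field as ground truth purely so the example can score itself; a real zippering exercise has no such field, which is exactly why linking on a name or an address alone goes wrong. Names, addresses and emails are all invented.

```python
"""Score record linkage (zippering) on constructed data (added example).

Each record has a 'person' ground-truth id that real data never has; it is
used here only to count false merges (different people joined) and missed
links (one person split across groups).
"""
from collections import defaultdict

# Constructed records from several made-up sources. Two John Smiths live at
# 1 High St (father and son), a third lives elsewhere, and one record has no
# email at all.
RECORDS = [
    {"src": "forum", "person": "P1", "name": "John Smith", "address": "1 High St",
     "email": "john.sr@example.com"},
    {"src": "shop",  "person": "P1", "name": "John Smith", "address": "1 High St",
     "email": "john@example.com"},          # same man, different email
    {"src": "club",  "person": "P2", "name": "John Smith", "address": "1 High St",
     "email": "jr@example.com"},            # his son
    {"src": "forum", "person": "P3", "name": "John Smith", "address": "9 Mill Lane",
     "email": ""},                          # no email on record
    {"src": "shop",  "person": "P4", "name": "Jane Smith", "address": "1 High St",
     "email": "jane@example.com"},
]


def link(records, keys):
    """Group records whose values on 'keys' are identical.

    Records missing any key field cannot be linked and are returned separately.
    """
    groups = defaultdict(list)
    unlinkable = []
    for rec in records:
        key = tuple(rec[k] for k in keys)
        if "" in key:
            unlinkable.append(rec)
        else:
            groups[key].append(rec)
    return groups, unlinkable


def evaluate(records, keys):
    """Count linkage errors for a given key combination."""
    groups, unlinkable = link(records, keys)
    # A false merge: one group that contains more than one real person.
    false_merges = sum(1 for g in groups.values()
                       if len({r["person"] for r in g}) > 1)
    # A missed link: one real person whose linkable records landed in
    # more than one group.
    groups_per_person = defaultdict(set)
    for key, g in groups.items():
        for rec in g:
            groups_per_person[rec["person"]].add(key)
    missed_links = sum(1 for keys_seen in groups_per_person.values()
                       if len(keys_seen) > 1)
    return {"false_merges": false_merges,
            "missed_links": missed_links,
            "unlinkable": len(unlinkable)}


if __name__ == "__main__":
    for keys in (("name",), ("address",), ("name", "address"),
                 ("name", "address", "email")):
        print(", ".join(keys).ljust(24), evaluate(RECORDS, keys))
```

Name alone and address alone each join people who are not the same person; adding the email removes the false merge but now splits the first John Smith across two groups and drops the record with no email entirely. Tightening the key trades false merges for missed links and lost coverage, and nothing in the data itself tells you which side of that trade you are on.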

5 Million And Counting

The White House has lost 5 million emails, which is a pretty impressive feat. More worrying is that there is confusion over what is there, what isn’t, and who is responsible. If this had been a company then they would have been hauled up in front of a judge and forced to answer difficult questions; however, governments are a different story and seem to operate on their own rules. When it comes to data loss a government does have a reputation, but there isn’t the competition - you can’t choose to pay your taxes to country X… however it is up to a government to set a standard and precedent which will give its citizens confidence that, if nothing else, it can look after their information.

Perhaps it is time to have a watchdog for governments and information protection?

Minnowing… The Opposite Of Whaling

A couple of weeks ago I wrote about phishing at the top of an organization, or whaling. There is, of course, phishing at the lower end of the organization - minnowing. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill. We saw this happen late last year when a supermarket chain was targeted and the criminals were caught. This is happening more frequently and is either not reported, or not even noticed.

To begin with you need to pick the company - it needs to be ‘big’ so that people in accounts payable don’t necessarily know what has or hasn’t been done. You then need to find out a little more information about an individual - and this is where social networking sites prove to be a risk. People put other information (along with pictures) including where they work, the department and even phone numbers on the web for all to see. Armed with this, the attack vector is the same as the fax scams of old: you email to find what has happened to payment and then escalate from there. If impersonating a real supplier, then a quick phone call can ascertain an outstanding bill… “I was just checking to see what happened to payment for invoice 1234”, “Don’t you mean 5678”… “oh, did you get the change in our bank details / address for payment…”

What can be done? In the same way as whaling needs people to pay more attention to the content, the same is true for minnowing. Making the staff most at risk aware that this threat has been seen is important. Additionally, other process changes may be required to establish that the person on the end of the phone or email is the actual supplier and not an impersonator - for instance, confirming any change of bank details through a channel other than the one the request arrived on.

Phishing From A Great Height

Most people think of phishing as something which is done across millions of people at a time - and only the daft fall for it. However, this is not always the case - how about going for CEOs? CEOs are busy people, and when they get an email about a subpoena in a civil case then you end up fooling a few. This happened this week, as reported in the NY Times, and just points to how crafty the cyber criminals are getting. The email looked official, with official looking graphics and a link to a site with the full details. Of course if you followed the link - and you didn’t have up-to-date anti-malware - you got infected with a nasty keylogger.

What could the CEO have done? The obvious comment is that they should have checked the content and the validity. BUT… who has the time to do that? In this case the fear factor from a social engineering perspective comes into play and the knee-jerk reaction is tough to control. However, that is what you need to do - if you receive an email which you were not expecting then sit back and think about it. We live in a world where people think they should respond to email instantly - sometimes a little additional thinking time would help. In this case there were names and addresses - it looked real, but there were no telephone numbers - and would the district court rely on email to issue a subpoena? No… if it was that important it would come via the mail, probably as a registered letter. So, there were a few pointers that should have raised alarms. The truth is that everyone needs to remain vigilant - and become a little more wary of unsolicited and unexpected email.

As for a catchy term for this new kind of phishing… Whaling… after all, this is all about going after the biggest fish in the sea. (I know, whales are mammals… but you can’t have it all!)

Eat In And Take-Away

It was reported this weekend that a member of the military popped into a McDonald’s and, while there, an opportunist took his laptop from under his chair. Bad News. However, the laptop was encrypted and password protected. Good News. The laptop apparently contained no sensitive information. Strange News.

It’s good to hear that government laptops are now being protected appropriately, although if there is no sensitive data, then why does it need to be encrypted - perhaps a little overkill? Maybe the definition of sensitive is different, or perhaps it might contain sensitive data in the future? When it comes to laptops, full disk encryption is the best bet - that way you can be sure the data is reasonably well protected - and if you happened to be in the US then you wouldn’t have to disclose the fact it was lost. Perhaps this was disclosed over here to start re-building confidence in the government’s data handling policy?

Don’t Take Sweets From Strangers

We spend a lot of time educating children about the dangers of strangers. Don’t speak to strangers, don’t get in cars with people you don’t know and don’t take sweets from them. This education starts from an early age and so becomes part of their philosophy.

It is time we do the same thing for information that is requested online - and the education needs to start just as early. Why would you give your name and address to someone online when you wouldn’t dream of doing the same thing if someone asked you for them in the street? What about credit card and bank details - of course not. But… online… well anything goes. When you do need to use a credit card, in a shop, then you are ‘in the shop’ and that goes a long way to reassuring you that it is a bona fide shop which has a (hopefully) good reputation - when you are online how do you know who you are dealing with? What additional precautions do you take to ensure that you will not be ripped off, or become another identity theft statistic?

Of course this is not just about children - it is about everyone who is active on the Internet. Education that changes behaviour is tough - the earlier you start the more you remember and the behaviour becomes second nature.

At the moment, I guess most cyber-criminals talk of their latest exploits and the gullibility of their victims as “it’s as easy as taking candy from a child”.

You Are What The Internet Says You Are

So if it says that you are going away and all your belongings are up for grabs… then people are going to turn up at your house and take all your stuff, including a horse - without you even knowing. All sounds a little unbelievable? Well, it happened this week in the US when a hoax advert was put onto Craigslist and people responded while the owner was out of work…

So what does this mean? Gullible people? People believe everything they read on the internet? We are at the start of a new era of fraud? All of the above? The internet can be seen as an interesting social experiment, with social networking and the influence it has right at the forefront. As we move into the next era of web based technologies and businesses it will become increasingly important to prove that you are who you say you are - and not what someone else says. It will all come down to reputation - protecting and maintaining your own reputation and the reputation of your company… before someone runs off with more than just your belongings.