Wednesday 18 February 2009

UK Online Concert Ticket Scams are Rising

History shows with economic downturns comes increases in fraud, as the economy continues to slide there are real rises in online fraud targeting citizens. According to a recent survey by the UK Office of Fair Trading, one in four UK citizens either have, or know someone who has been a victim of an online phishing scam in the last 12 months, increasing from around one in six in the previous year.

The reason why internet concern ticket scams are proving successful and are on the increase in the UK, is its child’s play for a fraudster to setup very genuinely looking website on the internet in no time at all, which dupes the victim into trusting the website’s ticket offerings and parting with their money. It’s near impossible for the authorities to police and remove such websites until it’s too late, while it’s relatively simple for fraudsters to remain anonymous and make off with the victims money without risk of being caught. Furthermore some of these ticket scam fraudsters go on to use the victims credit card details to commit further financial fraud against the victim.


Anyone seeking to buy tickets from unofficial sources online should exercise “glass half empty” caution, and be fully aware of the risks before providing their payment details, if it’s too good to be true, it usually isn’t true.

To underline the poor economic climate pushing an increasing fraud trend, it's worth noting several truly massive frauds involving banks have been alleged in recent months, such as with Bernard Madoff and Stanford International Bank, so it looks like it's not just the small time criminals which are at it.

Thursday 12 February 2009

TrueCrypt - The Best Open Source Security App (in my view)

During the week I was advising a group of techies about free anti-virus applications and free network vulnerability scanning applications and tools. I was asked, "What is the best free security application I have used to date?  Without any hesitation I replied TrueCrypt.

TrueCrypt is an example of an Open Source application at its best.  In TrueCrypt we have a multi-platform application of real commercial quality, providing seamless “on-the-fly” encryption; encrypting folders (mounted as volumes), disk partitions and entire hard disks to rigorous industry best practice standards. Yet TrueCrypt is completely free for anyone to download and use, local country laws permitting of course.
Main TrueCrypt Window
TrueCrypt is less than 3Mb download and is compatible with just about any version of Microsoft Windows, including the 64-bit versions and Vista, as well as Mac OS X, and Linux distributions. Taking well under a minute to install, TrueCrypt doesn’t even require a system reboot and is quickly ready to go, TrueCrypt's speed of usage and low background encryption overheads is testament to years of good open source code development and coding.
To download TrueCrypt, including the open source code visit - http://www.truecrypt.org/downloads.php
I have never had any problems installing and using the latest versions of TrueCrypt, however before installing and deploying any application which is going to provide an encryption function on your system, I strongly advise to backup all your important files and data on your system first.
TrueCrypt Volume Creation Wizard
The TrueCrypt “Create Volume Creation" encryption wizard and detailed tutorial guides, even allows non-techies to protect their valuable information in just minutes.  For the encryption geeks like me, there’s a whole raft of encryption and hash algorithms options to play with, such as AES, Twofish and Serpent on the encryption side, and SHA-512, Whilepool and RIPEMD-160 on the hashing side.
TrueCrypt Volume Creation Wizard – encryption algorithms
To secure an encrypted volume, TrueCrypt gives the options of either using a “Key File” (a text file holding the full encryption key), using a password, or using a combination of a “Key File” and a password, which controls and restricts access to the encrypted volume(s). 

For the best level of protection I personally would go with using a password and a Key File, storing the Key File on a USB flash drive, but don’t leave the USB flash drive in the system, keep it on your person (i.e. keychain). In doing this provides strong two-factor access control, which means you need to physically have the USB Flash drive (hardware token), and you need to know the password.. However I would say just using a good strength password is sufficient security for the average home user.  Also it's very important to make sure you create a “Rescue Disk” and store it somewhere safe, just in case.
TrueCrypt has been developed for over 6 years by a community of clever folk (http://www.truecrypt.org), with "V6.1a" being the latest version of TrueCrypt at the time of writing. I salute and heartily thank the community behind giving the world TrueCrypt, and least let us not forget those boffins who designed and have allowed their encryption algorithms to become open source as well, and therefore used by TrueCrypt.  I recommend TrueCrypt to the business community and home users everywhere, but hey, just make sure you don’t break your country’s encryption strength laws when using it! ;)
If you use TrueCrypt, especially in a commercial capacity, please do the decent thing and make a donation (http://www.truecrypt.org/donations/). Donating will encourage further development of TrueCrypt and encourage the development of other Open Source security tools.
If anyone else reading this has any favourite “must have” free security applications or tools, please let me know, as I’m thinking about compiling a top ten list.

Tuesday 10 February 2009

Woolworths Credit Card Blunder

I have been quoted (more like misquoted!) in several national newspapers in relation to the Woolworths Credit Card Blunder, where I understand a batch of payment card details were found in a bin.

http://www.mirror.co.uk/news/top-stories/2009/02/09/the-blunder-of-woolworths-115875-21109011/

http://www.dailymail.co.uk/news/article-1139484/Woolworths-customers-risk-ID-fraud-staff-dump-banking-details-skip.html

The important points which didn't make it into these articles were...

1. Concerned former customers of the Woolies store should not panic about losing money!  Where a merchant (Woolies) are found to have been sloppy in their protecting their customer payment card details, which results in fraud against the card holders, the card issuers/banks normally fully reimburse all the fraudulent transactions. This is especially so when fraud occurs on mass, as it is a lot easier to trace back to the original merchant responsible. Therefore customers would be protected against fraud transactions even though Woolies are out of business. Technically we all pay for card fraud through higher interest rates on cards anyway, by the way card fraud cost the UK around £600M last year, with 1 in 4 UK citizens being inconvenienced. UK Card Fraud is on the increase too, going up 14% in the first six months of 2008. Because of the state of economy at the moment, I am expecting payment card fraud to rise even further when new figures are released. http://blog.itsecurityexpert.co.uk/labels/global%20credit%20crunch%20cyber%20crime%20uk%20card%20fraud%20trend%20malware.html

2. If you are concerned you might be a victim of card fraud, be extra vigilant with your credit and bank account statements, and check every transaction. Fraudsters tend to test whether stolen card details are active by trying a transaction for a small amount, or going for a mobile phone top-up credit.

Also credit card issuers and banks are very good at detecting fraud on your behalf, so if they alert you about potentional fraud or unusual transaction(s) on your account, get in contact as soon as you can in case it is fraud, which will allow you to limit the damage.

3. I have put together a "Reducing your Risk of Identity Theft" guide http://itsecurityexpert.co.uk/downloads/ITSE-Reducing_your_Risk_of_Identity_Theft.pdf , which can really help reduce your risk of payment card fraud, there are also plenty of other good guides on the internet to search for.

Friday 6 February 2009

Twitter & Google Latitude Security – Just be careful

Twittering is really taking off in the UK at the moment, thanks to celebratory endorsements by regular twitters such as Stephen Fry, Jonathan Ross, Phillip Schofield, Andy Murray and Alan Carr to name a few.  In simple terms, Twitter allows you to write and share 140 character statements with other Twitters, which is a kind of a current status update, with the majority tweeters using mobile devices to provide regular updates of what they are currently doing or thinking about. It's as not as boring as it sounds, for instance Stephen Fry just posted "Just landed in a rainy LA. Phones banned in customs hall these days. Will confiscate them if used. Gulp.", while Alan Carr posts "Get back to school you little s**s and stop throwing snowballs at my hanging baskets."
I’m not one for social networking as I don’t like the idea of sharing all my personal details with the whole world, only my views on information security.  However I have been giving Twittering a go (www.twitter.com/SecurityExpert - follow me if you wish!), although I have to say I am having a few difficulties.  I really don’t like revealing where I am, nor can I talk about what I’m doing most of the time for client confidentiality and general security reasons, and I don’t really want to go on about what I had for breakfast either!  Another problem for me is I’m not really good a doing short posts, as you will gather from reading this blog, but nether-the-less I am going to persist with twittering, mainly to keep a couple of nagging mates happy, and besides I find reading some of those celebratory tweets rather amusing.
  
Security wise, I don’t want to appear hypocritical and some sort of kill joy or an alarmist, but I do have a nagging security concern with Twitter which bothers me. I simply don’t think it’s a good idea to tell the world where you are all the time, especially when out of the country or on holiday. Surely telling the world where you are is bound to increase the risk of having your home burgled, especially if you are a celebrity who is followed by countless anonymous thousands.  For instance seven Liverpool football players have had their houses broke into while they were playing football matches, because the thieves knew where they lived, and knew the players wouldn’t be at home.  http://news.bbc.co.uk/cbbcnews/hi/newsid_7710000/newsid_7716500/7716505.stm.
  
Google launched Google Latitude this week, which allows mobile phones to be tracked within Google Maps. The initial response by non-tech savvy media was to prey on people’s privacy fears.  But I have to say Google have got privacy approach right, which is to have the privacy set to “on” as the default position. Most social networking sites adopt the opposite position with privacy settings, for example the privacy default in Twitter is allow anyone to follow your posts, rather than trusted friends.
 

Let's make the privacy of Google Latitude clear. For any mobile phone to be tracked on Google Maps by Google Latitude, the mobile phone owner must first enable the tracking feature on their mobile phone. The entry of phone numbers via the Google Latitude webpage (see above) is just a misleading rouse, and merely sends a text message with a link to Google Maps to the phone. So you just cannot track anyone or any phone number you want!
 
The mobile phone user must enable the tracking on the mobile phone itself, and then select who he\she would like to see his location. The default setting is to not allow anyone to track, with the user selecting specific Google friends to be allowed to see his or her location, rather than the entire world. And finally the user can select the level of tracking detail, which for instance can be set to track by city name rather than to specific streets.

My security advice with Google Latitude is to be careful about being too over zealous in who you are allowing to known your location; I mean, do you really want your boss and work colleagues to know where you are at the weekend?

Google Latitude is certainly an interesting tool, sure there are some privacy concerns to think about, but I think Google’s approach is spot on, and it could have some interesting uses, such as tracking where your kids are!