Wednesday, 28 August 2013

How to keep your Final Fantasy XIV Online Account Safe & Secure

Final Fantasy XIV is a new online multi-player role playing game (MMORPG) which was launched on the Sony PlayStation 3 and PC this week by Square Enix. Gaming accounts on such games are actively targeted by cyber thieves, who look to profit from victims by selling off in-game character equipment in exchange for real life money, and even to harvest personal.

Protection of the Square Enix user account by the gamer is the key to the game's security, and it is very much the responsibility of the gamer, not Square Enix, to ensure it is kept secure, as will become clear in the rest of this post. If a bad guy gains access to this account, he will have achieved his objective, and can go on to steal. Many victims don't understand how their accounts were compromised by hackers, and consider the hackers to be super clever and the gaming company to be at fault. However the attacks are old techniques and fairly simple, and in the vast majority of cases it is the gamer who is at fault, with poor security habits leaving them wide open to attack. There are several common techniques used to steal credentials for gamers' online accounts, which I'll explain below together with advice on protecting against each of them.

1. Phishing Emails
Most online game account credentials are stolen through phishing attacks. Hackers send a professionally worded fake email to a gamer, typically pretending to be from the company providing the game. The email will include a link to a fake but genuine-looking website, and the message will give a reason, based on either fear or greed, to access that site by clicking on the link. For example the email might say "Urgent: your account has been hacked and the password requires resetting" (fear), or perhaps "You have won our competition for free access and in-game rare items" (greed).

Gamers are duped into entering their account credentials on the fake website, and are then typically forwarded on to the real website so they don't realise they have been hacked; meanwhile the hacker has harvested the gamer's username and password.
ADVICE: Be wary of any email which appears to be from Square Enix or Sony and requests that you click on a link or open an attachment or form. No matter how real an email looks or what the sender's email address is, never access a website through a link in an email; type the address in yourself.
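The mechanics of the fake-link trick above can be checked automatically: the visible text of a link is whatever the sender wants it to be, while the real destination sits in the href. The following is an added example, not code from the original post or from Square Enix, that parses an HTML email body and flags links whose destination is not on an allow-list of expected domains, is not HTTPS, or whose visible text looks like a different address from the one it actually points to. The allow-list domain, the sample email and the "registrable domain" heuristic (last two labels, no public-suffix list) are all constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for the domain(s) you actually expect account mail to link to.
# Not the game vendor's real domains.
EXPECTED_DOMAINS = {"example-vendor.com"}

# Visible link text that itself looks like a URL or host name (e.g. "https://example-vendor.com/account")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels heuristic (assumption: good enough for an illustration)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_links(html_body, expected=EXPECTED_DOMAINS):
    """Return one finding per link: href, visible text, whether it is suspicious, and why."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if registrable_domain(host) not in expected:
            reasons.append("unexpected domain " + registrable_domain(host))
        # The classic trick: text shows the genuine address, href goes somewhere else.
        if URL_LIKE.match(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                reasons.append("link text shows %s but points to %s" % (shown_host, host))
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample phishing email: a fear-based lure with a look-alike link,
# followed by one genuine-looking support link for contrast.
SAMPLE_EMAIL = """
<p>Urgent: your account has been hacked and the password requires resetting.</p>
<p><a href="http://example-vendor.com.account-reset.example.net/login">https://example-vendor.com/account</a></p>
<p><a href="https://example-vendor.com/support">Contact support</a></p>
"""

if __name__ == "__main__":
    for f in assess_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

Run as a script it prints one line per link; the first link is flagged for all three reasons (plain HTTP, a domain outside the allow-list, and visible text that names a different host from the real destination), the second is not. The same logic is what mail gateways and browser extensions apply on your behalf, which is why the advice remains: type the address yourself rather than trusting what the link says.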

2. Same account passwords on other sites
Another method is to steal account credentials from other supporting websites, such as fan forums, which often have poor security. Such sites can have their entire databases stolen without the knowledge of their administrators, have hidden malicious scripts in posts which steal data from the PCs accessing them, or even have the data stolen and sold on by dodgy administrators.
ADVICE: Never use your Square Enix account and password combination on any other website or other online account ever.

3. PC Keylogger
Another method for stealing account credentials is via malware infection of a PC, typically involving the hidden installation of keylogging software. Keyloggers collect your credentials as you type them into the game's login screen or even into the official website, so even PS3 gamers aren't safe if they log in to the website from a PC. The keyed data is then forwarded covertly to the hacker.
ADVICE: Ensure anti-virus is installed, its definitions are kept updated and it is always running. Ensure your firewall is enabled. Avoid installing any additional unofficial plugins or tools for the game, especially tools which claim to give you an advantage in the game. Sometimes these tools and plugins act as Trojans: they provide their advertised function, but behind the scenes they steal your credentials and forward them to the bad guys.

4. Use Square Enix's one-time password system (two factor authentication)
By far the most effective way to protect your Final Fantasy XIV account is to sign up to the Square Enix one-time password system.

They offer the option of either purchasing a hardware token which generates a one-time password on its display (see picture), or a software token, namely a smartphone app which you can install and which, like the hardware version, generates the required unique one-time passwords. You enter the generated one-time password as part of your login to the game. The security comes from possession: you must have your phone or hardware token to log in to the game, so even if someone has obtained your account username or email address and your password, they cannot log into your account. This proven authentication method has been used across industry to protect accounts, including online banking.

Wednesday, 21 August 2013

Why Manning had access to vast amounts of Classified Information

A hot topic of discussion amongst security professionals is the Bradley/Chelsea Manning case, the US soldier who was today sentenced to 35 years for leaking classified cable documents and media footage to WikiLeaks. The question security professionals are asking is how one person, seemingly at a fairly low rank, had access to so much classified information in the first place. Where was the 'need to know' access doctrine? And where were the information access controls?

The answer to these questions is simply 9/11. As a result of the soul searching in the aftermath of the terrorist attacks on the World Trade Centre and Pentagon in 2001, US politicians decreed that the military and the various security service agencies had a communication disconnect, and had failed to share vital information with each other which might have prevented the attacks, as concluded in post-9/11 reports such as The 9/11 Commission Report.
In the decade since 9/11, much of the 'need to know' basis for access was relaxed in the US military and across the US secret services, so that information could be shared more freely. It would appear this relaxation of information sharing is what Manning exploited, and what allowed him (now her) to steal vast amounts of information from all and sundry.

The Manning case is not just an example of the rogue internal staff threat; it also shows there is always an imperfect trade-off between risk/security on one side and function on the other, and the very same balancing act applies within business settings.

Thursday, 15 August 2013

Dealing with persistent web based harassment in the UK

Even in 2013 reporting internet crime to the UK police force is a hit and miss exercise, and is certainly more miss unless you are a celebrity, or report the crime in the right way.  Here is my advice on reporting continued (persistent) web based harassment.

If you are aged 16 and under, and are suffering from online harassment, you must tell your parents, teacher or legal guardian.

1. Identify your harasser
If you are subjected to weeks and months of persistent anonymous harassment over the web, 9 times out of 10 it will be by someone you know. You can work out who it is likely to be by examining the nature of the harassment: the type of language used, the subjects they harass you about, the websites they harass you on, and your own recent history of disagreeing and falling out with people are all clues to who your harasser is. They tend to be people who are likely to bear a grudge against you; ex-boyfriends are very typical. In some circumstances, once you have identified your harasser, you can confront them and put an end to the harassment. In some cases ending the attacker's online anonymity and bringing the issue into the real world is an effective end game.

2. Build an Evidence Journal
The next piece of advice is very simple to do yet important: keep a journal of all the harassment and bullying that happens to you. Log dates and times, and take screenshots of any messages you receive and anything posted about you. This journal not only provides clues to identifying your harasser, but it can be used down the line in police computer forensics investigations and in court.

3. Secure your PCs, Laptops, Mobile Phones and Web accounts
Securing your online accounts and computing devices is vital to preventing your harasser from accessing your accounts and then using them to cause significant personal distress. You particularly need to prevent your harasser from accessing any of your email and social media accounts, so use best practice password management, strong unique passwords, and where possible strong authentication methods, such as Google's two-step authentication. See elsewhere in my blog and website for more detailed advice on this.

4. Reporting the Crime to UK Police

If the online harassment is persistent, report it to your local police, but do NOT report it as a cybercrime, internet crime or e-crime; report it as harassment. Then explain what has happened, who you think it is, and present the evidence you have collected in your journal. If you report it as an e-crime you are more likely to be ignored by the police, but if you are female and report it as harassment by an ex-boyfriend, it goes without saying the police will be far more interested in helping you. Finally, if the police are of no help, check out some of the websites listed below for further advice, but my advice is to keep going back to the police with your evidence journal, especially if the harassment continues and is causing you distress.

Friday, 9 August 2013

PayPal's 'Pay with your face' Creepy Privacy Concern

PayPal has launched a new smartphone payment service in the UK, where the customer pays using their smartphone. The merchant (shopkeeper) receives the customer's name and a photo of the customer's face, and then verifies that the customer is the owner of the smartphone and PayPal account by comparing the photo sent by PayPal to the shop's smartphone with the face of the person standing in front of the till. This is passport-control style facial recognition authentication, in other words biometric verification.

There is a video of it in action on the BBC website -

The fly in the ointment which the BBC report neglected to mention is privacy. A lot of people who value their right to privacy and their personal information will simply not want a photo of their face together with their full name sent to shopkeepers' mobile phones. There is also the age-old problem with any biometric verification: it just tends to creep people out. People do not like the intrusive feel of biometric verification, which is why it has never taken off in any customer-focused industry. This is why the security-conscious payments industry sticks with the other, non-biometric factors of verification, 'something you have', i.e. the credit card or smartphone, and/or 'something you know', i.e. passwords, as the customer-friendly factors for authenticating customers.

Thursday, 8 August 2013

Recommended UK Security Awareness Training Videos

I specialise in information security awareness, so I am often asked about simple awareness techniques. One easy and free way to deliver security awareness training, especially to those in the dark, whether at home or in the workplace, is to use online videos. These are often free, simple to deliver anywhere, and can be a highly effective awareness tool, as long as they are of a decent standard. By a 'decent standard' I mean videos which aren't going to bore folk to death, aren't of amateur (blogger!) quality, and aren't cringingly cheesy to watch.

Here are some of my recommended UK favourites:

UK ICO; as you might expect these are personal data protection focused, but the ICO have done a good job with these videos, especially "The Lights are On"

UK CPNI; recently released security awareness videos, an interesting watch as well

If you know of any other 'decent' free online videos, please let everyone know via the comments.

Tuesday, 6 August 2013

The Right Anti-Cyberbullying & Internet Safety Strategy

Social networking sites are getting hammered by the press following several high profile cyber-bullying cases on Twitter, and politicians and parents are being vocal, wanting to ban social networking usage and pass laws to regulate the internet, both of which are pointless and rather concerning exercises.

The answer is education, and "privacy on" default settings.  

It should be mandatory for all UK primary school children to be properly educated on how to use the internet safely, learning about their online privacy and how to use social networking safely. This should be akin to the cycling proficiency test: just as kids ride bikes, all kids are online. Indeed many UK primary school aged children are using social network sites despite the teenage age limits. The problem is that some parents are complete luddites, and such communication technologies are alien to them, so they cannot teach their sons and daughters even the very basics of online safety.

Default privacy settings on social networking sites are part of the problem. Any company, such as, which doesn't provide privacy-protecting default settings upon sign up should be ridiculed by the media; users should have to turn privacy off themselves, which ensures they consider and accept the risk it poses to them. Perhaps such companies will eventually bow to public pressure and change their default privacy settings, as seen with Twitter, who responded to such pressure with abuse reporting this week, whereas in the past, without the media spotlight, they just ignored their users' complaints. Many social networking sites want user privacy set to off, as it is a fundamental ingredient in growing vast numbers of subscribers, which means bigger advertising revenues, meaning more profit.

As a teacher, parent or child, if you need further information on internet safety, or even find yourself in a jam, you can get all the help you need at