Social networking is popular and packed with features, and yet it offers so little to so many. The favourite timewaster for many office workers, sites such as Facebook and MySpace offer swathes of features to keep you clicking around without achieving anything other than leaking your personal data, creating a bad first impression of yourself for potential employers and ruining your eyes.
Facebook is undergoing a new look, and is still incredibly popular. It contains an enormous database of college-educated users who use the site to keep in contact (a bit like email but more onerous), play silly games that suck the time out of their lives and upload private details and photos that should be kept private. Even with the newly designed interface, Facebook still neglects to keep your privacy safe.
However, even if you’ve hardened your profile, someone still has access to this data. That someone is just as faceless to you as the guy or girl you’ve never met but wants to be your friend. That someone is Facebook itself.
Lately I have been playing about with Facebook. I have undergone a test to see how powerful Facebook is in the wrong hands. What I should be saying: “Facebook is a stalker’s dream…”.
Some of my research found that simple information like a name and location, or a workplace, school or college, can be used to physically track down individuals and stalk them. What follows is a true case study from the United States. Draw your own conclusions about Facebook.
Around 3:30 a.m in a dimly lit room, Andrew Manters found his perfect girl. As his jaw dropped and his eyes became saucers, he pinched his best friend and whispered, “Dude, she is so hot!” For the next five minutes, Manters did not avert his gaze from the well-tanned, blond gazelle with enticingly sapphire eyes.
To his amazement, the object of his attention shared his love of soccer and Beatles music.
The only problem was that they never met.
Instead of seeing this perfect girl in class, at a party, or around campus, Manters spotted her on a popular college site called Facebook. By just gazing at her profile, Manters learned not only what she looked like and some of her hobbies, but also her name, exact residence, cell phone number, screen name, and class schedule.
Ironically, he might have learned more about her from this site than he would have learned in a face-to-face interaction.
“I wouldn’t tell some random guy exactly where I lived and I hardly ever give out my phone number,” said Virginia Tech junior Christen Campbell. College girls like Campbell might not be verbally divulging their private information, but, according to Facebook spokesperson Chris Hughes, females from 863 colleges and universities nationwide have Facebook accounts displaying some or all of the aforementioned information.
If we’re honest, every one of us imagines what we’d do with a few million in the bank. The yacht in Cannes, the private jet in Nice, possibly our own football team, and maybe a few other high-maintenance accessories top our list of must-haves.
But of course the question is how to get there. Working till I’m too old to enjoy it is one option, but of course there is an alternative: the lottery, online poker, a rich widow, stocks and shares (increasingly risky these days), or why not simply help myself to something very valuable?
After all, if I’m working in IT I probably have access to the corporate crown jewels. And that could be anything: source code for the next money-spinning application that will be released, credit card details for thousands of customers, even the recipes for KFC or Coca-Cola. Just a few years ago, a Coca-Cola employee and two accomplices were arrested in Atlanta for allegedly stealing confidential information from Coca-Cola and trying to sell it to PepsiCo.
In fact it’s actually quite easy, because if I’m working in IT I have access to systems with all kinds of privileged information. Here is my employer thinking that his company data is safe, and I’m allowed ‘free access’ to the servers storing the data. I can help myself to whatever I want and no one will ever know.
And of course it’s much easier now than it was when I first started this job. Then I somehow had to get out of the building with everything under my arm, but now I have dozens of ways to get it out. Just make my choice - mobile, USB stick, email attachments, VPN access from home and no one will ever know. And of course it may not even be my employer, just some company that we provide outsourcing services for - it’s never been easier.
The problem often lies in the fact that we are constantly tempted because the corporate jewels are literally just lying around where anyone can find them. The problem for today’s enterprise is that the transfer of information is increasingly time-critical, and the traditional approaches such as FTP and secure email are awkward to manage and often lack the security mechanisms that sensitive or confidential data demands, making leakage a very real risk. And where it becomes really challenging is when you need to share information with business partners. So here are a few suggestions:
1. Do not expose your internal network
The process of transferring files in and out of the enterprise must be carried out without exposing and risking the internal network. No type of direct or indirect communication should be allowed between the partner and the enterprise.
For a while now I have been using this program in a computer forensic capacity, but Photosynth made the jump from the lab to the small screen as detectives on the CBS crime drama CSI:NY called upon Microsoft Live Labs™ Photosynth™ to help solve a grisly murder at a high school dance. The TV detectives needed to reconstruct events from hundreds of images taken by student cameras and mobile phones. They turned to Photosynth to help them build and explore the scene which ultimately led police to their suspect. Producers from CSI were introduced to Photosynth during a visit to Microsoft last summer and were so impressed they asked to use the technology in the show. Members of the Live Labs team were on the set and worked with the show’s crew to fully leverage the technology’s abilities.
Producers were so happy with the experience that they decided to allow Photosynth to “do its own stunts” for this episode and have the actors interact with it live, as cameras rolled. Needless to say – there was much cheering as a very stoked Photosynth team watched the episode together. If you missed the show, you can catch it online on the CBS website or by exploring the current technology preview by going here.
Here’s a video clip of Photosynth being used in CSI:NY
Are you working as a cybercrime investigator and looking for something which can prove in a court of law that there was pornographic content on the suspect’s machine? Or worried that your partner has images of men or women from online correspondence? I will show you how to use Windows itself to get the proof you need. There is a file named “thumbs.db” which is automatically generated by Windows whenever a user views a folder or image in Thumbnails view or in Filmstrip view. Automatic generation of this file is ON by default. Thumbs.db contains a copy of each of the tiny preview images generated for the image files in that folder, so that they load quickly the next time you browse that folder. If a user tries to open this file in an ordinary image viewer it will be of no use. To extract the juicy content from this file, a forensic investigator has to understand the header of the thumbnail data stored inside thumbs.db. Let me explain step by step how to extract useful content from a thumbs.db file.
Open any folder that contains some JPEG files and switch that folder to Thumbnails view as shown here:
I still remember receiving my first phishing email in my Microsoft account. I had won the lottery! As good as it sounded, I was sceptical at best. So without much thought, I opened the email and clicked on the link inside to check if I truly was a millionaire after all. Almost instantly, my computer crashed, and with each subsequent restart would crash again.
Countless computer crashes and thousands of spam emails later, I had learned the lesson that just opening spam email can bring harm to my computer. Unfortunately there are a whole host of traps and errors that catch new email users just because “they didn’t know any better”.
In this article we focus on 25 of the most common and easy to fix mistakes that people make when it comes to email security. We’ve designed this article with the new internet user in mind, so if you’re an email expert, you may want to pass this along to your novice friends.
Properly managing your email accounts
1. Using just one email account.
Individuals new to email often think about their email account like they do their home address: you only have one home address, so you should only have one email address. Instead, you should think about your email address like you do your keys; while it may be OK to use the same key for your front and your back door, having a single key open everything is both impractical and unsafe.
A good rule of thumb for the average email user is to keep a minimum of three email accounts. Your work account should be used exclusively for work-related conversations. Your second email account should be used for personal conversations and contacts, and your third email account should be used as a general catch-all for all hazardous behaviour. That means that you should always sign up for newsletters and contests only through your third email account. Similarly, if you have to post your email account online, such as for your personal blog, you should only use your third email account (and post a web friendly form of it at that).
While your first and second email accounts can be paid or freebie, your third ‘catch-all’ account should always be a freebie account such as those offered by Gmail or Yahoo!. You should plan on having to dump and change out this account every six months, as the catch-all account will eventually become spammed when a newsletter manager decides to sell your name or a spammer steals your email address off a Web site.
One of the most infamous email frauds is the so-called “Nigerian” or “419” fraud. If you have used email for a good few years, or even only recently, you will have had one of these emails come through. Here’s how they work. You or your company receive an email (or in some cases a mailed letter or a fax) from someone in West Africa trying to move a large sum of money to American (and recently UK) banks; if you’ll do him or her the simple favour of allowing them to deposit this money into your bank account, you’ll be able to keep a sizeable chunk of it.
These emails are humble, charming (“complements of the season. Grace and peace and love from this part of the Atlantic to you…”) and hint in a roundabout way that this deal is not exactly the most legal thing in the world, which is why you have the potential to make a lot of money.
The Request
As with all hoaxes, there is always a request. Here is an opening statement from a 419 fraud email:
Dear Sir
REQUEST FOR URGENT TRANSFER OF $22,500,000,00 INTO YOUR ACCOUNT
My name is Chief Collins Ozobia. I am the deputy director of finance for the Federal Ministry of Petroleum (F.M.P). I have been assigned to seek for the assistance of reliable foreign company through which we can transfer the sum of US$22,500,000,00 …
Where did this windfall come from? Why, it’s an insurance payout after a horrible plane crash. Or (other versions go) it’s money straight from the Nigerian Government, in return for completing a contract. Or it’s a big fat family inheritance, a real estate deal or crude oil at below market prices. Whatever the tale, it’s a ton of money, anywhere from 10 to 30 percent of the total haul, which usually reaches into the tens of millions, that needs to be moved out of the country for safekeeping as soon as possible. How can you refuse? How can your bank account refuse?
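The traits the article lists (a huge sum, a request to route it through your own bank account, urgency, a promised percentage, secrecy and an official-sounding sender) can be turned into a mail-filter rule. The scoring detector below is an added example, not the article’s own code; the indicator weights and the threshold are assumptions chosen here, and both sample messages are constructed (the first is modelled on the opening quoted above).

```python
import re

# Weighted indicators of an advance-fee ("419") approach. The patterns follow
# the traits described in the article; weights and THRESHOLD are assumptions.
INDICATORS = [
    ("large_sum",        r"(?:US)?\$\s?\d{1,3}(?:,\d{3}){2,}",                 3),
    ("move_via_account", r"transfer.{0,80}?your (?:bank )?account",             3),
    ("percent_cut",      r"\b\d{1,2}\s*(?:%|percent\b)",                        2),
    ("foreign_partner",  r"\bforeign (?:company|partner|account)\b",            2),
    ("urgency",          r"\burgent(?:ly)?\b",                                  1),
    ("secrecy",          r"\b(?:confidential|strictly|discretion)\b",           1),
    ("official_title",   r"\b(?:deputy director|director of finance|ministry|chief)\b", 1),
]
THRESHOLD = 6  # assumed cut-off; tune against your own mail corpus


def score_419(text):
    """Return (score, matched indicator names) for one email body."""
    flags = re.IGNORECASE | re.DOTALL   # DOTALL lets 'transfer ... account' span lines
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text, flags)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_advance_fee(text, threshold=THRESHOLD):
    """True when the weighted indicator score reaches the threshold."""
    return score_419(text)[0] >= threshold


# Constructed samples (not from any real mailbox). SCAM is modelled on the
# 419 opening quoted in the article; ROUTINE is an ordinary office message
# that also mentions money and a percentage, to show the rule is not naive.
SCAM = ("Dear Sir\nREQUEST FOR URGENT TRANSFER OF $22,500,000,00 INTO YOUR ACCOUNT\n"
        "I am the deputy director of finance for the Federal Ministry of Petroleum. "
        "I have been assigned to seek the assistance of a reliable foreign company "
        "through which we can transfer the sum of US$22,500,000,00. You will retain "
        "30 percent of the total. This matter is strictly confidential.")
ROUTINE = ("Hi team, please transfer the Q3 report to the shared drive by Friday. "
           "The travel budget was $12,000, of which 15 percent is unspent.")

if __name__ == "__main__":
    for label, body in (("scam", SCAM), ("routine", ROUTINE)):
        score, hits = score_419(body)
        print(f"{label}: score={score} flagged={is_advance_fee(body)} hits={hits}")
```

The routine message scores only on the percentage indicator and stays well under the threshold, while the scam sample trips every indicator; in practice you would feed the score into your mail filter as one signal alongside sender reputation checks.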
Non-technical juries could be letting criminals go free because of the difficulty in dealing with computer-based evidence.
In England and Wales the only qualifications required of a jury member to be eligible to appear in a court of law are that they are registered on the electoral roll, aged between 18 and 70 and have lived in the UK for at least five years.
Jurors are not required to hold any professional qualifications and there are to date no technical jury qualification guidelines for cases involving complex computer data.
So what happens when complicated technical information needs to be communicated and thoroughly understood in order to fairly evaluate a case?
I believe that the majority of the legal system is still unprepared to deal with the issue of computer based evidence.
Legislation such as the Data Protection Act 1998, Criminal Justice Act 1994 and Protection of Children Act 1978, has generated a new wave of criminal offences that demand digital evidence to be evaluated in order for successful prosecution.
The theft of CDs containing the personal information of 25M UK citizens has rightly caused an outpouring of ‘Shame on you’ on HMRC and prompted questions like ‘How could you let this happen?’ The real question that the British people should be asking though is this: ‘Who else has lost my data that I haven’t been told about?‘
Companies of all sizes, including local and national government, hold huge amounts of very private information on virtually every individual in the UK, yet amazingly, there are no laws to force them to either protect that information (such as by encrypting the data), or to tell you if your unencrypted information gets lost or stolen. Make no mistake about this: Ever since the first credit card number was put on the first laptop computer or CD, companies have been losing your information and just simply not telling you.
There’s a sad fact of economic life here: it’s cheaper for a company to say nothing and do nothing if they lose Joe Public’s private information than to do the right thing, namely ensuring that all the data is encrypted, or telling consumers if there’s a risk that their private data could have got into the wrong hands.
The situation in the US today is very different: Following on from some very high-profile data thefts, many States have now enacted so-called data breach notification legislation. See http://www.ncsl.org/programs/lis/cip/priv/breach.htm
Put simply, this legislation says that if you lose customers’ personal identifiable information (social security numbers, credit card numbers, driving licence numbers and so on) and it wasn’t encrypted, then you MUST notify everyone who’s likely to be affected. Many States have also included additional consumer protection, such as one year’s free credit monitoring services to protect against possible identity theft.
The US federal government, immune from state legislation, has also mandated strict data security standards for itself. Following an incident similar to the HMRC one in mid-2006, President Bush issued a mandate that all government departments must implement data encryption, no exceptions: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
(In that breach, a laptop containing health and financial information on 26.5M veterans was stolen from an employee’s home - the cost of just mailing the notification (letters, envelopes, postage) was about £22M).
The net effect of US legislation has been to change the economic balance of data security: now it’s cheaper to implement a good data security solution (i.e. encrypt the data) than to bear the cost of a data breach notification. The figures speak for themselves. When items such as credit monitoring are added in, it’s estimated that the average cost of a breach notification following the loss of unencrypted data is in the region of $90-$140 per customer record. http://www.tech-404.com/calculator.html
So, if the loss involved 100,000 customers, this will typically cost a company on average about $11.6M. What’s the cost of a good data security solution to avoid this in the first place? Much, much less than that!
US legislation hasn’t stopped data theft, any more than burglaries have been stopped by property laws. What it has done is to provide insurance for affected consumers by forcing companies and the government to either protect consumers’ data, or come clean when they lose it so consumers can get the protection they deserve. It has also put the spotlight on companies who fail to protect consumers, as these breaches are now tracked by a number of public websites: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP
The UK government must follow the US’s lead. They must enact legislation to protect consumers against the horrors of data theft and the subsequent risk of identity theft. If nothing else comes out of the HMRC incident, then just let this be a lesson learned the hard way!
The Internet has shown that reputations are important but don’t have to be tied to specific real individuals. The entire banking system is built on top of the idea of reputation, but tries hard to tie them to real identities. The problem of identity theft is likely to break this connection. We will see a greater disconnect between individuals and their reputations.
Identity theft has been a big hit with the purveyors of fear in recent years. We all now live in terror of waking up one morning and finding that someone has stolen our identity, and we can’t even remember who we are.
Well, maybe not. But identity theft is a real problem. If someone manages to construct a copy of your identity, you don’t stop being you, you just stop being the owner of all of your money (unless you can persuade your bank it’s their fault). You might get back from vacation to find that your house has been stolen…
Identity is closely tied to the concept of reputation. We are now trying to apply ideas from villages of a few hundred people to a global scale and (not surprisingly) finding that they don’t quite work.
In a small community, everyone knows—or knows of—everyone else. Reputations are very important. If you want to borrow something from a neighbour, or ask them for a favour, then you will have some idea of how much you trust them.
When banks started, they would use this sort of model. They would be willing to lend you money based on letters of recommendation from people they trusted, or based on their prior dealings.
Now banks have grown so big that they use a much less personal system, but still deal in the idea of reputations.
The Social Security Scam
Some time ago, the UK and the U.S. governments introduced the concept of a Social Security number (SSN). This was a unique identifier assigned to every taxpaying citizen, allowing their tax records to be connected together.