Contents contributed and discussions participated by Lorenzo Blauch
Phishing Scam Ensnares Almost 2,000 Justice Department Staff
started by Lorenzo Blauch on 26 Jun 14
    OTTAWA - Many of the Justice Department's finest legal minds are falling prey to a garden-variety Internet scam.

    An internal survey shows almost 2,000 staff were conned into clicking on a phoney "phishing" link in their email, raising questions about the security of sensitive information.

    The department launched the mock scam in December as a security exercise, sending emails to 5,000 employees to test their ability to recognize cyber fraud.

    The emails looked like genuine communications from government or financial institutions, and contained a link to a fake website that was also made to look like the real thing.

    Across the globe, an estimated 156 million of these so-called "phishing" emails are sent daily, and anyone duped into clicking on the embedded web link risks transferring confidential information - such as online banking passwords - to criminals.

    The Justice Department's mock exercise caught 1,850 people clicking on the phoney embedded links, or 37 per cent of everyone who received the emails.

    That's a much higher rate than for the general population, which a federal website says is only about five per cent.

    The exercise did not put any confidential information at risk, but the poor results raise red flags about public servants being caught by actual phishing emails.

    A spokeswoman says "no privacy breaches have been reported" from any real phishing scams at Justice Canada.

    Carole Saindon also said that two more waves of mock emails in February and April show improved results, with clicking rates falling by half.

    "This is an awareness campaign designed to inform and educate employees on issues surrounding cyber security to protect the integrity of the department's information systems and in turn better protect Canadians," she said in an email.

    "In this case, this exercise specifically dealt with the threat from phishing which is increasingly being used as an attack vehicle of choice by cyber criminals."

    "As this project progresses, we are pleased that the effectiveness of this campaign is showing significant improvement."

    A February briefing note on the exercise was obtained by The Canadian Press under the Access to Information Act.

    The document indicates there are more such exercises planned - in June, August and October - and that the simulations will be "graduating in levels of sophistication."

    Those caught by the simulation are notified by a pop-up window, giving them tips on spotting malicious messages.

    The federal government's Get Cyber Safe website says about 10 per cent of the 156 million phishing emails globally make it through spam filters each day.

    Of those, some eight million are actually opened by the recipient, but only 800,000 click on the links - or about five per cent of those who received the emails.

    About 10 per cent of those opening the link are fooled into providing confidential information - which represents a worldwide haul of 80,000 credit-card numbers, bank accounts, passwords and other confidential information every day.

    "Don't get phished!," says the federal website, "Phishing emails often look like real emails from a trusted source such as your bank or an online retailer, right down to logos and graphics."

    The site says more than one million Canadians have entered personal banking details on a site they don't know, based on surveys.

    In late 2012, Justice Canada was embroiled in a major privacy breach when one of its lawyers working at Human Resources and Skills Development Canada was involved in the loss of a USB key.

    The key contained unencrypted confidential information about 5,045 Canadians who had appealed disability rulings under the Canada Pension Plan, including their medical condition and SIN numbers. The privacy commissioner is still investigating the breach.
Fraudulent transactions on lost or stolen cards are up
started by Lorenzo Blauch on 21 Jun 14
    Card fraud was up 16 per cent to $304 million in 2013, and the number of transactions on lost or stolen cards rose 26 per cent to $34 million.

    The vast majority of the fraud was done online, accounting for $219.7 million, up 20 per cent on 2012, according to the latest figures from payments industry body the Australian Payments Clearing Association.

    But since 2010, the number of fraudulent transactions for smaller amounts on lost or stolen cards appears to have jumped dramatically.

    The total number of transactions made on Australian lost or stolen cards rose 94 per cent in 2013 to 162,896.

    Since November last year, Victoria Police have maintained that data they have compiled shows the explosion in the use of tap and go cards in Australia is to blame for a rise in break-ins and bag snatching to steal contactless cards.

    However - after extensive consultation with police - internet security experts, banks and card companies say they don't agree.

    A spokeswoman for MasterCard said an industry working group on contactless payments had compiled data on fraud using tap and go cards.

    It said tap and go fraud accounts for "less than 2 per cent of total card fraud", while contactless transactions have grown by 350 per cent between 2012 and 2013.

    "We don't see that in the statistics and it just doesn't make sense to us that contactless is the driver of fraud," said Chris Hamilton, chief executive of APCA. "Yes, contactless cards can be stolen and used for fraud, but they are no more likely to contribute to the fraud statistics than non-contactless."

    Mr Hamilton said the cap on the amount that could be withdrawn automatically limited the value of fraud on tap and go cards.

    "You can't go out and buy a flat screen TV with these cards, for instance" he said. "The proposition that they are driving fraud must derive from a proposition that criminals or fraudsters are targeting these cards, and can't see that that is likely."

    He also pointed to a similar shift in fraud from card skimming to card theft in the UK when chip cards were brought in there. Unlike Australia, though, contactless cards were not brought in at the same time.

    "Our suspicions are that it is more to do with the fact that counterfeit card skimming is under control," he said.

    Fraud from details skimmed from cards and used on counterfeit cards has fallen by 33 per cent since 2008, although it was unchanged at $37.2 million between 2012 and 2013.

    Pat Boyle, Victoria Police's head of fraud, told The Australian Financial Review earlier in June that he would review new contactless fraud data that banks are compiling.

    "We need to build up trust and I need to build up knowledge, so I am confident I have the right information when I brief people," he said.

    Mr Hamilton said the main focus needs to be on online fraud because it is growing and accounts for the greatest amount. He said banks, merchants and individuals all had a responsibility and an interest in reducing fraud.

    Alastair MacGibbon, Director of the Centre for Internet Safety at the University of Canberra, said business and individuals need to do more to detect fraud and secure credentials. "We need to secure our computers more, and importantly businesses need to be using better fraud detection technology to see if they are using stolen cards," he said. He said the technology is readily available to do this.

    "Businesses do need to develop their skill sets for online fraud. [They] are losing money through this type of fraud."
How To Protect Yourself Against World Cup Phishing Frauds
started by Lorenzo Blauch on 19 Jun 14
    Understanding the proclivities of the 2014 FIFA World Cup fans gives criminals an advantage. The World Cup provides a window of opportunity and a tremendous vehicle for online fraud such as phishing. Not only do the targets accept that they will receive a barrage of World Cup-related solicitations, but they often desire said solicitations and are excited to "click".

    This "perfect storm" isn't specific to the World Cup. Phishing scams are often associated with current events such as:

     • Entertainment in the form of movie trailers, awards and celebrity photos
     • Sporting events with large, preferably global audiences
     • Natural disasters, political elections and military actions
     • Viral videos of animals seeing themselves in mirrors

    Unfortunately for the targets of phishing, the fraudsters have nefarious ulterior motives. The fraudsters may be interested in identity theft, stealing credentials, stealing financial information, locking your system and holding it for ransom, or adding your device to their botnet army to be controlled at will. The results of phishing can impact individuals and organisations. The impact can be felt in a number of ways including depleted bank accounts, credit debt, sensitive/personal data theft, countless hours of negotiation with financial institutions, embarrassment, stress; the list goes on.

    The risks to the criminals are low. This is because the likelihood of being apprehended and the severity of the punishment for phishing, and most cybercrimes depending on country, are low. Thus legal deterrence is ineffective.

    Phishing Safeguards

    While there is no anti-phishing panacea that will mitigate all threats, there are technical and non-technical controls that can reduce the risk of a phishing attack being successful. Here are 15 safeguards to consider:

    1. Verify before you click, download and open
    2. Use bookmarks instead of clicking on a link, or typing in a URL with potential misspellings; that URL could take you to a malicious site
    3. Don't respond to emails with sensitive data
    4. Don't enter sensitive data into a form indiscriminately
    5. Don't enter sensitive data into pop-up windows
    6. Understand criminal tactics and if in doubt pick up the phone - criminals will try to create a compelling event such as

     • Enter your password or all your cloud data will be corrupted
     • Click here to avoid your Internet service being disconnected
     • Final warning - download this anti-malware tool to avoid shutdown
     • You have five seconds to comply or your bank account will be frozen

    7. Your smartphones and tablets are computers too and the security best practices you apply to traditional computers like laptops should apply to them
    8. Keep your operating systems and applications patched and up-to-date
    9. Use web filtering software to disallow access to known bad sites - many are free
    10. Use browser phishing protection - common in most modern browsers
    11. Install and update endpoint security controls
    12. All legitimate websites requesting personal information, such as your bank's, should be encrypting communications - look for "HTTPS" and/or the lock icon in the browser's URL field
    13. Keep an eye on your account activity - many sites provide last login date, location, and so on
    14. Use credit activity monitoring services
    15. Report suspicious activity and opt in to share threat intelligence via your security solutions - use the crowd as a force multiplier

    With events like the World Cup where information is flooding our laptops, tablets and smartphones from all directions, it is important not to get so caught up in the moment and forget the criminals are working overtime.

    By considering these 15 safeguards and successfully mitigating phishing attacks, you're negatively impacting the criminal revenue stream and making this type of fraud less appealing.
As We Sweat Public Surveillance, Companies Like Google Collect Our Data - Hass and Associates Cyber Security
started by Lorenzo Blauch on 27 Apr 14
    If we demand changes, Big Tech will continue to profit from our personal information, with our benighted permission.

    As security expert Bruce Schneier (a friend) archly observed, "Surveillance is the business model of the Internet." I don't expect that to change unless and until external realities force a change, and I'm not holding my breath.

    Instead, the depressing news just seems to get worse. Google confirmed this week what many had assumed: even if you are not a Gmail user, email you send to someone who uses their service will be scanned by the all-seeing search and advertising company's ever-smarter machines. The company updated its terms of service to read:

    (including email) to provide you with personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

    The system doesn't do this to your email when you send me a message. I pay a web hosting company that keeps my email on a server that is not optimized for data collection and analysis. I would use Gmail for my email if Google would let me pay for a service that doesn't "analyze (my) content" beyond filtering out spam and malware. Google doesn't offer this option, as far as I can tell, and that is a shame, if not, given its influence, a small scandal.

    Also this week, Advertising Age, a top trade publication for the ad industry, reported that tech companies led by Google, Microsoft, Apple and Facebook are moving quickly to fix what they clearly see as a flaw in the system: it is harder to spy on us as effectively when we use our mobile devices than when we type and click away on our laptops. Here is a particularly creepy quote in the story, from a mobile advertising executive:

    The universal ID in the world today is the Facebook login. This industry challenge of mobile tracking is sort of quietly being solved without much fanfare.
hass associates article code 85258083266-HA: Hundreds of South African Facebook Profiles
    http://www.wellsphere.com/brain-health-article/hundreds-of-south-african-facebook-profiles-have-been-cloned/1954857

    Computer forensics expert Bennie Labuschagne said scammers used programs designed to "deep mine" online accounts to bypass security features. "Cloning is very common and it is now like the 419 scams, only on social networks," he said.

    One of the South African Facebook victims, Dinesh Ramrathan, said yesterday: "A Facebook friend called me to find out why I had sent her a message asking for money online. I then discovered that my page had been duplicated. "My friends were caught off guard and accepted friend requests from the hacker, who then started sending requests for money."

    The impostor claimed that Ramrathan was in trouble and needed money urgently. "I am lucky because all my Facebook friends know me personally outside of the social network so they knew that I was not in trouble," he said.

    Debby Bonnin's husband received a friend request from her even though they were already Facebook friends. One of six million local users of Facebook, Bonnin said: "My major concern is identity theft and all the possible ramifications of that. On Facebook the prime issue is reputation. But the person behind the false profile could use your identity to access confidential information from your friends and then there could be security or financial problems that arise."

    Another Facebook user, Josh Delport, said his stored scores and tokens on game applications on the site had disappeared.

    University of KwaZulu-Natal associate professor of information systems Manoj Maharaj said that, though Facebook could not be hacked because of its hi-tech security features, the affected users might have put themselves at risk by clicking on links to external games, applications and shopping sites. "Users are clicking on these links without realising that their information is being passed on. If one of those sites is hacked, their information, such as credit card details, is easily a