Live webchat about cybercrime with broadcaster and author, Misha Glenny 1 - 2pm Monday 3rd October

[RachelMumsnet]

We're joined on Monday at 1pm by Misha Glenny, broadcaster and author of numerous books including McMafia - Seriously Organised Crime and his latest DarkMarket: CyberThieves, CyberCops and You.

The benefits of living in a digital, globalised society are clearly enormous, but so too are the dangers. The world has become a law enforcer's nightmare and every criminal's dream. We bank online, shop online, date, learn, work and live online. But have the institutions that keep us safe on the streets learned to protect us in the burgeoning digital world? Have we become complacent about our personal security? sharing our thoughts, beliefs and the details of our daily lives with anyone who cares to relieve us of them?

Misha Glenny has gone behind the scenes in the murky world of cybercrime and has talked to the criminals, the police and the government security forces for his new book DarkMarket: CyberThieves, CyberCops and You. He is excellently placed to advise us on how to keep our personal details from being hacked online. Join Misha for a live webchat on Monday 3rd October at 1pm or send in your question to him in advance to this thread.

Hello, I would like to leave a question for Mr Glenny if I may...

Mr Glenny, I am a researcher in this area, and a big fan of your previous book (McMafia). I have a question regarding the possibility of reducing the threat from cybercrime. Given that some of the countries from which cybercrime originates (China, Russia) are in strategic competition with Europe and the US, do you think it's actually possible for our governments to work with them to reduce the threat?

Thank you, I'm very much looking forward to the webchat!

hello

Apart from mixing up passwords what is the best way to protect your personal details online?. I use alot of internet banking and even Lloyds has been cloned in that the website wanted additional passwords etc.

I am fed up with scam phising emails drive me up the wall are people that thick they don`t know not to pressthe link ?

My partner works away and his computer is riddled with stuff when he is back even though he has norton. He only ever send mail never access paypal or the bank.So its annoying the lengths we have go to.

Hi Misha
Thanks for doing this webchat. I wonder what you think about sites such as Facebook, Linked In etc (and even sometimes Mumsnet) where people often inadvertently leave a lot of personal details, which could lead to you being hacked or cloned (is that the right terminology?). My husband works for a law enforcement agency and is very anti Facebook (he doesn't even like me pasting pictures of our daughters on it), do you think he is right to be so paranoid? What do you think we could we do to protect ourselves and our children on these sites?
Thanks.

Hello

Do you think more needs to be done to raise awareness of the prevalence of cybercrime? I think that, especially amongst teenagers, posting a huge amount of exploitable information about ourselves online these days is the norm.

What could be done? What about a website that pulled together all the easily available info about you and presented it with a description of how it could be exploited? I'm sure that's actually far too expensive to implement, but is this subject at least being covered in PSHE? I think we are all (myself included) far too complacent on this issue.

I won't be there for the web chat. But if I was, I'd have questions in two areas:

a) what is his opinion on the collection and storage of biometric information? Are the big firms like Rayethon and Safran accumulating too much data about individuals? Especially as governments could access such data. The prospect of abuse of information held - by using it in a big brother-ish way - or by criminals to substitute an innocent person's identity to a criminal's fingerprint algorithm, strike me as worrying scenarios. Especially as these systems are being used more and more in schools (which seems to me to be softening up a whole generation to see such control by multinationals of identities as normal).

b) you wrote in the 1990s a thoughtful history of Yugoslavia and its break up. The former Yugoslavia has dropped out of the headlines. Does this mean that the communities are really reconciled, or is there potential for further strife or even conflict?

Hi Misha

I have a couple of pretty stupid questions really

How much information can be retrieved about us? in one country I lived in the aparatus of the state was said to be able to retrieve every single text message every person had sent. Can this be true?

Where's the greatest "danger" to the individual with stored data? Is it state/civil liberties, commerical exploitation or is it criminal?

After all your research, do you think you're slightly paraniod? Were you shocked by what you'd found?

I'm definitely going to get this book. I feel like what's missing sometimes is very very simple guidelines for people to help protect their privacy. For example, cookies deletions, people need to know a. it's easy b. it won't break your computer c. you'll still be able to get into your bank account.

Do you think it's still too much of a mystery for people sometimes? Is this part of your aim in writing the books?

In some countries (eg Nordics) lots of personal info (incl complete tax returns) are widely published. Yet those countries don't seem to have higher rates of fraud, ID theft, etc. Why?

I am a complete ignoramus when it comes to stuff like this. I even tend to use the same password for lots of stuff but mainly for entry to shopping websites where I don't store my bank details...

My question is, is this okay to do or completely stupid?
Otherwise I would have to write all the different passwords somewhere as I couldn't remember them all!

Is Norton security enough to protect your home computer?

And for the average Joe, what is the most important thing you suggest we do to avoid being hacked or cloned?

Thank-you. Looking forward to the webchat and learning more!

Yy - in Belgium your name and bank acc number is known to all. I don't know about the rates of ID theft.

Also how do you know when you check your retained data status or whatever it's called, how do you know you're not being fobbed off?

eg I asked not to be in the NHS central computer, now abandoned but still I've asked not to be in whatever's left of it. I have no idea if I'm in there anyway and no way of finding out.

I like gincognito's idea - what do you think?

Rather like a credit record site where you can pull up all thsose details

an internet record site, that sort of thing

i am another that is so fed up with scam phising emails - i just delete them, what else can you suggest please?

Hi there

Are you aware of the looming cybersecurity disaster that is Smart Meters for electricity (and possibly gas) and in-house "smart" socket networks?

The in-house networks allow individual sockets to be controlled from outside the house via an oh-so-hackable website (naively gungho article in Guardian, Saturday) or by mobile phone; the Smart Meters will allow the power supply to the entire house to be cut off remotely by electronic means.

Ross Anderson, prof of security engineering at Cambridge, has been banging the drum about this for a while (eg "Who Controls the Off Switch") but I've yet to see mainstream media pick up on the problem.

Was this something that had come to your notice, and anyway what are your thoughts?

I have another question about personal security, if I may.

Do cyber-criminals somehow 'filter out' people who don't have much money?

I ask because my DH and I have (knock on wood) not had problems in this area, but then we never have much money in our accounts, don't own a home or car, etc. Whereas a friend of mine who is hyper-protective of her online security, to the point of paranoia, has still had her bank account accessed twice. She has a reasonable amount of money in the bank though.

So is relative poverty a form of protection?

Hi there, I can't be there at lunch but would really appreciate any answers to my questions, sorry it's more than one.

I'm a bit tin-foil-hattish on these issues

And thanks in advance.

Hi Misha, I know (from Google, obviously!) that you have children.

What has your advice been to them about sharing personal info via Facebook etc? Is there one absolutely essential thing all parents should be doing vis-a-vis their children's online security, or is that too simplistic?

I read that some children are creating multiple accounts on social media sites, so their parents see the 'official' one but they're busy doing their real networking under other guises (today's equivalent of getting changed at the bus stop, I guess).

I suppose I'm asking how high in the panoply of parental anxieties online security should come!

Thanks in advance.

Misha is here in the building so he'll be getting started in a few minutes.

Hello everyone and thanks for all your questions so far - I'll be doing my level best to answer as many and in as much detail as possible.

But just briefly to explain where I'm coming from on cyber security...when I was writing my last book, McMafia, about global organized crime, I came across a group of criminal hackers (half were in jail but half had escaped the police) who explained to me how they made tens of millions of pounds using a phishing scam (sending out emails with links to mocked up bank sites) which succeeded in extracting people's login details.

I also spoke to the Brazilian cops who had busted them and then to an American private security company whose chief cyber investigator was a former officer of the CIA. When I realised how much money was involved both in the crime and, increasingly, in the prevention of cyber crime, I was convinced that I should write my next book on the subject....which has turned out as DarkMarket.

In researching this I had to teach myself a lot about IT security but I remain a lay person. But in order to try and make the subject comprehensible and (more importantly) entertaining and interesting to people who don't speak the arcane language of IT security, I tracked down the virtual cops and robbers involved in the English-language's largest criminal website, DarkMarket, until it was closed down in 2008. I also followed their fates since then.

I think the most important thing I discovered is that most of the young men (I use the gender advisedly - 95% of hackers are male) who become involved in this, do so at an incredibly young age before their moral compass has been fully formed.

On the bright side - cybercrime generally doesn't involved violence although it can of course lead to extreme levels of distress on the part of victims.

Sorry for wittering on...now to your questions...

@dreamingbohemian

Hello, I would like to leave a question for Mr Glenny if I may...

Mr Glenny, I am a researcher in this area, and a big fan of your previous book (McMafia). I have a question regarding the possibility of reducing the threat from cybercrime. Given that some of the countries from which cybercrime originates (China, Russia) are in strategic competition with Europe and the US, do you think it's actually possible for our governments to work with them to reduce the threat?

Thank you, I'm very much looking forward to the webchat!

This is a complicated but very important question. Cooperation between US and Western law enforcement and their counterparts in Russia and China is very limited. Police here and in America have a big problem trying to run down the many cyber criminals operating out of the former Soviet Union in particular. In DarkMarket, I explain how this works in detail ? in particular how the Russian intelligence services monitors all traffic going across the Internet there.

At the same time, all the great powers around the world (and many smaller ones too) are engaged in cyber espionage trying to ascertain one another?s weaknesses. China?s espionage programme is regarded (including by the Russians) as the most extensive in the world ? involving hoovering up so much confidential documentation from companies, governments and international institutions around the world that Beijing cannot possibly have enough capacity to analyse it all.

The West, in turn, is also probing its competitors? networks establishing where their weaknesses lie ? so there everyone is engaged in a lot of murky activity out there. However, we must not forget that economically we are now deeply dependent on each other. If the US economy were to collapse, so would the Chinese and so Beijing has a vested interest in not inflicting excessive damage on the Americans. Likewise, if Russia were to attempt a major disruption of Western Europe?s economy through a cyber attack, it would lose its most lucrative energy market by far.

So although ALL major powers are using cyber as a way of getting some advantage or other over their rivals, for the moment they are unlikely to tip things over the edge.

Western police forces are particularly concerned at the moment about the leaps and bounds being made in Africa with mobile technology as West African criminals in particular have proven most adept at developing highly theatrical but often very successful scams using spam email. Police fear that this type of activity will shoot up as Africa leapfrogs over PCs and becomes a continent that does the great majority of its computing on hand-held devices.

How better can we protect ouselves from account take overs? Two years ago I discovered that somone had taken my idenity, switched my address and taken over £10k off my credit card. apparnetly my details had been taken from ancestry.com which now makes me very wary about using anything like this. Living rurally though I do do 90% of my purchases on line which does make it difficult.

@brookeslay

hello

Apart from mixing up passwords what is the best way to protect your personal details online?. I use alot of internet banking and even Lloyds has been cloned in that the website wanted additional passwords etc.

I am fed up with scam phising emails drive me up the wall are people that thick they don`t know not to pressthe link ?

My partner works away and his computer is riddled with stuff when he is back even though he has norton. He only ever send mail never access paypal or the bank.So its annoying the lengths we have go to.

First things first. Mixing up passwords is a VERY GOOD THING which goes a long way to protecting your assets if somebody has managed to crack one of them. Most cybercrime is perpetrated not by cracking somebody?s account digitally but by what we call social engineering. This comes in two forms ? the first is guessing passwords or anticipating behavioural patterns on the web. The overwhelming majority of individual passwords remain easily guessed, using information available on the web. This is stuff like the names of family members, dates of birth, default words like ?admin? and the dumbest password of all ? ?password?.

The second is by persuading people to act online in a manner that is objectively not in their interests, i.e. clicking on a link which will download malware of some sort (viruses, Trojans, worms) or a link which takes you to a fake website, purporting to come from your bank in which you type your username and password that can immediately be read by a criminal who can then access your real account.

That takes us to the phishing emails. They are very tedious but MOST email systems now have very effective filtering and warning systems. This is one area where gmail is especially good but most email systems using algorithms which are excellent at detecting them so that you don?t have to worry about them.

Nonetheless, you should ALWAYS read the subject line and (where possible) the opening line of an email even if it comes from a close friend who regularly writes to you. The point is to check whether the linguistic pattern and content conform to the usual style of your correspondent ? you would be amazed at how much crap you can detect by doing this.

As regards your partner, if he is picking up that much malware notwithstanding his Norton defences (which are, I trust, up to date), then you should ask him what sort of stuff he is doing on the web when he is travelling. If he is only doing email, then unless he is a habitual victim of phishing, he should not be experiencing such a high incidence of malware and you may want to ask him what sort of websites he is browsing (or you may not).

@BootyMum

I am a complete ignoramus when it comes to stuff like this. I even tend to use the same password for lots of stuff but mainly for entry to shopping websites where I don't store my bank details...

My question is, is this okay to do or completely stupid?
Otherwise I would have to write all the different passwords somewhere as I couldn't remember them all!

Is Norton security enough to protect your home computer?

And for the average Joe, what is the most important thing you suggest we do to avoid being hacked or cloned?

Thank-you. Looking forward to the webchat and learning more!

Hello, BootyMum!

You really SHOULD use different passwords - if necessary by writing them down and hiding them somewhere which is easily accessible to you. By not storing your card details with the supermarkets and shops, you are INCREASING your security.

In the past year, we have seen breaches in the credit card data held by several major companies (some of whom like Citigroup in American pride themselves on their impregnability - wrongly as it turns out!)

Norton and all the other major anti-virus manufacturers are fine but you MUST keep them up to date. As soon as they lapse, you are vulnerable to all manner of opportunistic viruses - so-called drive-by attacks.

The next thing I'm going to say comes with a warning - I have no commercial interest in the following statement.

The simplest way you can increase your computer security dramatically is by abandoning your PC and investing in a Mac. Over 90% of the world's computer systems use a Windows-based operating system and so on the whole cyber criminals don't bother producing viruses and other malware for Macs (there are a few sloshing about but Mac users can easily protect themselves against them).

Your likelihood of being hacked using a Mac is in the region of 90% less than if you use windows. Also most major anti-virus software companies like Sophos and F-Secure offer their Mac anti-virus programmes for free.

When I started researching cybercrime, I put my whole family onto Macs. Their security will not last for ever due to the popularity of iPhones and iPads - as Macs gain a greater market share, criminals and spies will start deploying greater amounts of Mac malware.

@strandednomore

Hi Misha Thanks for doing this webchat. I wonder what you think about sites such as Facebook, Linked In etc (and even sometimes Mumsnet) where people often inadvertently leave a lot of personal details, which could lead to you being hacked or cloned (is that the right terminology?). My husband works for a law enforcement agency and is very anti Facebook (he doesn't even like me pasting pictures of our daughters on it), do you think he is right to be so paranoid? What do you think we could we do to protect ourselves and our children on these sites? Thanks.

Facebook is a difficult one and I have real sympathy with your husband?s position. There are two different problems ? the first relates to what we can best call Online Child Protection. There is no doubt that grooming happens on the web and for those who are victims, it is unbelievably distressing. And Facebook is now the primary vehicle for grooming because it is so easy for a potential sex offender to develop a virtual relationship with an unsuspecting child by using the techniques of social engineering, i.e. pretending to be somebody that he isn?t.

At the same time, we have to recognise that Facebook is not going to go away and for many young people, it is now the preferred (and adored) means of communication with their peers and sometimes with their family. In my case, my children refuse point blank to allow me any access to their Facebook pages, although with my experience in writing DarkMarket, I have found it easy to establish an espionage network if I need to find out what they are up to (in the case of my daughter who went missing for a few hours, this turned out to be incredibly useful ? usually I am not interested in their frequently inconsequential musings).

But the exploitable information, as Gincognito describes in the next question, is really critical. Children and teenagers simply do not get how easily information can be exploited in a way that can seriously harm their prospects. It exposes their weaknesses, parts of their character that potential employers or university admissions tutors find off-putting ? and, believe me, Facebook pages are being checked regularly (especially by employers) for a character read-out. Any mention of drugs can jeopardise a child?s chances later on as does excessive amounts of drinking and even the habitual use of bad language.

Furthermore, social networking sites (especially Facebook) are now a favoured ?vector?, as they are known, for cyber attacks by organised criminal groups. One of the most successful in recent years, called Koobface, a virus which was rapidly transmitted across the world via Facebook and which could cull login information ? it led to the emergence of huge botnets ? this is when a virus places thousands, tens or even hundreds of thousands of so-called zombie computers across the world under the influence of a Command and Control computer. The infected computers then do the bidding of the C&C without its owner actually realising it.

I also think Gincognito?s suggestion that this subject be covered in PSHE is an excellent one. It is VITAL that computer users learn about security as it will increasingly affect all of us. But unfortunately it is usually discussed in arcane language amongst techies who are not always the best communicators.

Remember, one can easily protect oneself from at least 80% of criminality on the web by just following sensible practises like keeping your anti-virus software up to date.

@Blueberties

Hi Misha

I have a couple of pretty stupid questions really

How much information can be retrieved about us? in one country I lived in the aparatus of the state was said to be able to retrieve every single text message every person had sent. Can this be true?

Where's the greatest "danger" to the individual with stored data? Is it state/civil liberties, commerical exploitation or is it criminal?

After all your research, do you think you're slightly paraniod? Were you shocked by what you'd found?

Hi - at the moment, an EU directive requires member states to store all traffic going through European ISPs for up to two years (in this country, it is six months). Within the framework of local laws, various government agencies can access this material with a warrant.

If the government wants to find out something about you, it isn't too difficult for them but they do have to work within a legal framework.

The issue of the amount of private data being stored by corporations is rather different - the two biggest depositories of personal data in the world are the servers of google and Facebook. The US government can access anything on their servers with a court order within a 24 hour period (that includes all of us in the UK using Google and Facebook). For even friendly law enforcement agencies like the British, it can take up to 6 months to get authorisation from a US court to have a look at something.

This of course speaks to the weirdness of the web - it is global but it also has many national jurisdictions.

We cannot know who is looking at our private traffic but please let me tell you that you MUST assume that somebody is monitoring what you are doing (usually passively but they can go back to the records). Never ever write anything in an email that is too private or intimate that you would not mind seeing in a newspaper!