How to avoid on-line manipulation: "Nigeria-letters"

EU Agency ENISA launches "Social Engineering"-report with 5 defence advice to counter fraud threat

Heraklion, Crete, October 2008 - The EU Agency ENISA (The European Network and Information Security Agency) launches a white paper on 'Social Engineering', (i.e. on-line manipulation, through social networks, email, also known as 'Nigeria-letters' or 'advance-fee frauds', instant messaging, or Voice Over Internet Protocols (VoIP). The Agency provides 3 case studies portraying how easy users are manipulated, identifies 5 defence measures and issues a check list, 'LIST', for users to counter social engineering. Finally, the Whitepaper includes an exclusive interview with the world famous security author, speaker, and consultant Kevin Mitnick.

What are the risks of on-line manipulation, or "Social Engineering"? Fraudsters frequently manipulate people and exploit human weaknesses through 'social engineering'. That way, people break their normal security procedures. The scale and sophistication of such fraud is increasing, (27.649/month, Jan.'07-Jan '08, according to APWG). Several new ways are used to reach users (e.g. instant messaging, VoIP, and social networking sites apart from emails). Successful social engineering entails:

1. A convincing pretext for contacting the target,
2. Getting the facts right by research,
3. Timing and exploitation of current events, e.g., the Tsunami event, or a Santa Claus mail around Christmas, with a worm included.
4. Exploit human behaviour and psychology.

Three e-mail based case studies portray how easy it is to trick ordinary users:

- Case 1: 179 respondents assessed 20 messages (11 bogus, and 9 legitimate), and only 42% of the users could correctly classify the mails; (32% were classified incorrectly and 26% as 'do not know'.)
- Case 2: Of 152 targeted end-users within an organisation, 23% were tricked into accepting malware infections.
- Case 3: Over 500 undergraduate students followed embedded links, opened attachments, etc. The rate of failure was 38-50%. The good news is that the failure rate was reduced with training.

The Agency identified 5 defence measures against social engineering. However, the key to success lies in improving users' awareness. Users should use a checklist of questions to verify the Legitimacy, Importance of the Information, the Source and Timing (LIST) (for full checklist see p 25-26 of the report.) Mr Mitnick underpins the report with the claim that it is much easier to trick someone into revealing their password, rather than making an elaborate hack. The Executive Director of ENISA, Mr. Andrea Pirotti, comments: "Making staff and users aware of security is of serious concern for Europe. We should all become more aware and 'responsible on-line EU-citizens', in our own interest of being able to benefit of the Internet safely."

The report has been elaborated with the kind support of the ENISA Awareness Raising Community and is available at: http://enisa.europa.eu/doc/pdf/publications/enisa_whitepaper_social_engineering.pdf

<>

"Children on Virtual Worlds" - 25 parental safety tips, report launched by the EU Agency ENISA

The EU Agency ENISA, the European Network and Information Security Network Agency, launches a report on virtual worlds with 25 safety tips for parents on how to make their children behave safely in online virtual worlds.

Heraklion, Crete, 06.10.2008 - Club Penguin, Barbie Girl, Moshi Monsters, Webkinz, etc. Is your child spending hours playing online games? Well, you are not alone. Virtual world sites are now hugely popular and have become a compelling activity for many Internet users. The rate of growth in online social networks, including virtual words for children has risen over the last past years. With more than 100 youth-focused virtual worlds, regulators and parents are struggling to keep pace. It has been estimated that 20 Mn children and tweens will visit virtual worlds by 2011.

Parents are naturally concerned about how their children use and behave in virtual worlds. The biggest concerns is the online safety of children (7 years old and under) and tweens (8-12 years old) and how they can be protected from online predators. Awareness of what children can do online and parental involvement is crucial. Parents should be educated, empowered and engaged to ensure truly positive and valuable experiences for their children, while reinforcing safety online habits in these three-dimensional environments.

The ENISA paper gives 25 safety tips to parents. These tips provide clear and comprehensive tools for parents to decide with their child what is appropriate and safe, to behave responsibly as well as to have fun in virtual worlds. Sample tips range from computer security, to rules, and advice on parents? and children?s education, e.g;

1. Keep the computer in a common room.
2. Set house Internet/mobiles rules if and how to use virtual worlds.
3. When activating a child?s account, always do it using the parent?s email address.
4. Be aware that parental consent should be required to process sensitive personal data, for chat rooms, send unsolicited commercial e-mails, etc.
5. Have children use neutral nicknames, not their real ones.
6. Communicate with your children about their experiences. Encourage them to tell if they feel uncomfortable or threatened online.

For all 25 safety tips, , please read the full report: http://www.enisa.europa.eu/doc/pdf/deliverables/children_on_virtual_worlds.pdf

The Executive Director of ENISA, Mr. Andrea Pirotti remarked: ?It is our responsibility as adults to secure that our children can have both fun and safely enjoy online gaming and virtual worlds?

<>