Category Archives: Cyber Security

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still effective? And what if there were a way to use the same psychological pivots attackers rely on to improve cyber security instead? Those attending this month’s RANT Forum in London are about to find out how to make that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. It takes place on Wednesday 25th September; email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee will happen every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.
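The two giveaways named above, a generic salutation and a sender address that does not belong to the bank the message claims to come from, can be checked mechanically by a mail filter. The following is an added example written for this page, not code from the article or from any bank; the two messages, the bank name and the trusted domain list are all constructed, and the Reply-To check is an extra sign the article does not mention.

```python
"""Added example: flag generic salutations and mismatched sender domains in raw
emails. Sample messages, bank name and trusted domains are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: domains a genuine message from the fictional "Example Bank" would use.
TRUSTED_BANK_DOMAINS = {"examplebank.example", "mail.examplebank.example"}

# Salutations that a bank writing to a named account holder would not use.
GENERIC_SALUTATIONS = re.compile(
    r"^\s*dear\s+(esteemed\s+beneficiary|customer|valued\s+customer|user|client|member)\b",
    re.IGNORECASE | re.MULTILINE,
)


def sender_domain(header_value: str) -> tuple[str, str]:
    """Return (display name, domain of the actual address) for a From/Reply-To value."""
    name, addr = parseaddr(header_value)
    return name, addr.rpartition("@")[2].lower()


def phishing_indicators(raw: bytes) -> list[str]:
    """Return human-readable warnings for one raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []

    # Sign 1: the visible display name claims to be the bank, but the real
    # address behind it is not on a domain the bank uses.
    name, domain = sender_domain(str(msg.get("From", "")))
    if "bank" in name.lower() and domain not in TRUSTED_BANK_DOMAINS:
        warnings.append(f"display name '{name}' but address domain '{domain}' is not a known bank domain")

    # Sign 2 (not in the article): replies are steered to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_domain = sender_domain(str(reply_to))
        if reply_domain != domain:
            warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{domain}'")

    # Sign 3: the "Dear esteemed beneficiary" style salutation.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    match = GENERIC_SALUTATIONS.search(text)
    if match:
        warnings.append(f"generic salutation: '{match.group(0).strip()}'")
    return warnings


# Constructed sample messages.
SCAM = b"""From: "Example Bank Security" <alerts@secure-login-update.example>
Reply-To: verify@mailbox-collector.example
To: you@example.org
Subject: Account problem
Content-Type: text/plain; charset=us-ascii

Dear esteemed beneficiary,
Your account has developed a problem. Click the link and resubmit your details.
"""

GENUINE = b"""From: "Example Bank" <noreply@mail.examplebank.example>
To: you@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset=us-ascii

Dear Ms Smith,
Your statement for September is now available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(label, phishing_indicators(raw))
```

The domain check is deliberately a whitelist of the bank's own sending domains rather than a blacklist of bad ones, because, as the article goes on to argue, a scammer who knows which bank you use will pick a plausible-looking domain; only the bank's real domains are a stable reference point.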

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names: but, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website which will contain contact information: some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would either have had to sell you something and be paid by cheque to know where you banked, or to follow you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’ data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

Online retail crime needs to be addressed

Over the last six months it has rained so much that even a mere glimpse of blue skies or the feeling of sunshine upon our skin has left us elated but nervous. It’s as if we’ve forgotten what that used to feel like, so grey and wet has this year been.

While it may have dampened – literally – our domestic holiday plans, our wish to sort the garden shed out, to dine alfresco or to spend time watching the world go by in the great outdoors, thankfully other aspects of our daily lives have pretty much continued as normal. The digital age has brought everything to our fingertips.

We might have wanted to go to the cinema, but streaming video lets us link up our PCs to our gigantic TVs; a gig might have been called off, but with YouTube we can watch the band’s music videos; and where we’ve needed to fill up our fridge and not wanted to get blasted with torrential rain, well, with a few clicks we’ve navigated a virtual supermarket without stepping out of the door.

Everything is possible with the digital life, but while it comes with benefits, there are always downsides. A new report from the British Retail Consortium (BRC) has found that cyber crime, or e-crime as it describes it, represents one of the biggest challenges facing retailers in the 21st century.

In 2011-12 for example, British retailers were hit hard, with breaches to network security costing, in total, £205.4 million. Of this figure, £77.3 million was lost as a direct consequence of fraudulent activity, while the remainder was calculated as projections of business lost as a result of being a victim.

The most popular type of crime was personal identity fraud, followed by card fraud in general, after which came refund fraud. Though this was the bulk of criminal activity, it was by no means exclusive, with phishing also proving to be a growing problem for retailers.

While this in itself is problematic, it doesn’t help that retailers are not approaching such crimes in the same way as they would for non-digital crimes. The study noted that 60 per cent of businesses in this industry were unlikely to report any more than ten per cent of crimes to the authorities.

This indicates that somewhere, along the usual lines of communication, something has gone amiss. Considering that the UK is a leader in online retailing, such losses are harmful to finances and reputation.

“Online retailing has the potential for huge future commercial expansion but government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth,” advised Stephen Robertson, director of the BRC.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.”

According to the expert, the study shows where efforts need to be directed. Mr Robertson said that the government, along with law enforcement agencies, need to work to develop a “consistent, centralised method for reporting and investigating e-crime”.

We welcome this. If there is, as the BRC calls for, a better, more organised system for getting businesses to consistently report, record and investigate crime, backed up with more support from the authorities, we can get a better, more detailed picture of trends in cyber crime. Knowing this allows us to build up better security measures.

After all, the last thing we want on a rainy day, cooped up at home, is to lack the confidence to shop online for clothes, food or treats. Technology is about moving forward; it’s high time retailers stepped up.

We could all do with talking more

There’s something to be said for good communication, whether it’s an after-work chat about the crazy wages of football stars, an enlightening exchange of tweets with someone across the world on press privacy in a digital age, or a networking meeting to discuss the latest happenings in the information security and risk management industry.

It’s always good to talk, whether you’re the individual imparting your expertise on some of the pioneering ideas you have with regards to penetration testing, or whether you’re an audience member, completely enthralled by an interesting and revelatory discussion on new models of business continuity and disaster recovery.

The human thirst for knowledge, though it can be satisfied through self-directed study, is often best served in a collaborative environment, with ideas bouncing between different minds and producing unintended outcomes that enlighten.

Bearing all that in mind, we find it odd that new research from the European Network and Information Security Agency (ENISA) has found that many organisations and individuals across the continent are not only unaware that they have been the victim of cyber crime, but also fail to report it.

The consequence is a sort of fictitious environment in which the cyber crime landscape is not what it appears to be. Because there is a gap in knowledge and no coherent system of reporting, what we think we know is decidedly lacking.

“Lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies,” the authors of the report state, highlighting the problems this lack of uniformity leads to.

“It also complicates the efforts in the industry to understand and address cyber security incidents. And finally, it leaves customers in the dark about the frequency and impact of cyber incidents.”

This is in spite of the fact that in recent years many countries, not just in Europe but all around the world, have stepped up their efforts against cyber crime, recognising it as a major challenge to keeping order.

However, where they have fallen short is in talking to one another, keeping each other informed of when they’ve experienced major cyber crimes, and letting other European nations know of advancements they’ve made.

The reason it is important to have cross-nation rapport is pretty self-evident. We live in a global world, where movement across borders, especially in Europe, is the norm where organisations have bases in many countries. Moreover, cyber crime doesn’t care for boundaries. It can happen anywhere in the world and have an international impact.

If, as ENISA notes, there is a common approach to tackling such crimes, a uniform approach to reporting them, and constant dialogue between experts in the respective European nations, we are already well on the way to addressing the current gaps in knowledge and denting the success of fraudsters. Otherwise we are always going to be losing.

“Reliable and secure internet and electronic communications are now central to the whole economy and society in general,” the report said. “Cyber security incidents can have a large impact on individual users, on the economy and society in general.”

Humans are supposed to be social creatures. Let’s get talking.

Taking a leap into the unknown

Sun-Tzu, the great ancient Chinese military general and strategist, famously said: “Keep your friends close but your enemies closer.” He was a very wise man and his iconic work, the Art of War, is popular among successful politicians and businessmen and women all around the world.

We’re talking about Sun-Tzu because we speculate that Keith B Alexander, a top man at the National Security Agency (NSA), has recently brushed the dust off his copy of the book and had a good peruse to explore new ideas.

His speech at the 20th annual Def Con convention, which is attended by and aimed at hackers, suggests that he’s keen on exploring non-traditional avenues to make the internet a safer place. He certainly was in an affable and accommodating mood, turning up in jeans and a t-shirt. It was a statement that said: “I’m not the enemy.”

“In this room, this room right here is the talent our nation needs to secure cyberspace,” Mr Alexander told the audience. “We need great talent. We don’t pay as high as everybody else, but we’re fun to be around.”

The appearance of a senior member of the NSA, the US government’s influential and powerful security agency, is unprecedented in the country’s history. His language was placatory: “You know that we can protect networks and have civil liberties and privacy; and you can help us get there.”

What he’s promoting is essentially collaboration. He’s not condoning those who engage in criminal behaviour, exploiting networks for commercial reasons or in the name of extremism, political or religious. Such individuals or groups will be found and prosecuted.

Instead, he’s after those who show a promise in this field, precocious youngsters who are bored, those who feel like they are engaging in legitimate protest – the digital manifestation of civil disobedience, for example – who can make a difference to the world if mentored.

“From my perspective, what you’re doing to figure out the vulnerabilities in our systems is absolutely needed,” Mr Alexander said.

If anything, it’s a novel approach and certainly an interesting way of recruiting talent. At a push, it also implies that there are gaps in knowledge and indeed in the number of specialists. He could certainly do a lot more to attract those who have a gift in this area by actually making an effort to improve public sector pay.

Fun is great; don’t get us wrong, but everyone wants to earn a decent living. Match private sector pay and you’ll have a generation of talent doing a lot of good. Make people feel valued. Sun-Tzu knew that:

“For them to perceive the advantage of defeating the enemy, they must also have their rewards.”

The funny thing about the bustling security industry

In this day and age, characterised by economic stagnation, dwindling spending power and limited opportunity – further compounded by the fact that it had seemingly poured cats and dogs since time immemorial – the idea that businesses might struggle to retain staff appears at first anomalous.

But it really isn’t. Even in the hardest of times, people still keep an eye on opportunities, whether because their current position is just a means to an end, because they’re looking for a promotion, or because they want a career change. Life’s an experience, after all.

Some industries buck the trend, like for example security, which, by the nature of its growing importance in society – it’s becoming an important facet of most people’s lives and of businesses – is expanding. Staff retention in this context takes on a different meaning.

Here’s a very apt example that has wider resonance. A new report from the Intelligence and Security Committee – a must read for CIOs, CISOs and the like – has observed that the UK’s Government Communications Headquarters (GCHQ) is at real risk of losing out on a generation of skilled professionals.

The reason is simple – it can’t keep hold of them (which we’ll come back to). The problem this results in, however, is very serious. Without this important, proficient and accomplished workforce, the UK’s ability to stay at the top of its game and ensure that cyber crime is thwarted is at real risk of crumbling. That’s not a pretty picture.

Iain Lobban, the director of GCHQ, is very candid about the dilemma this reality poses. Because it’s a healthy industry and there is a growing demand for cyber security experts across the globe, professionals are simply doing what is normal – packing their bags and heading off.

When you’re presented with a great opportunity and a bump in pay, it’s logical. The government simply can’t match the salaries being offered. However it isn’t all bad. For one, it paints a very good picture of the private sector in this field and, in general, of the industry as a whole.

If, for example, you log onto Acumin’s website – a leader in information security recruitment and risk management recruitment services – what hits you is both the number of jobs available and the variety. This is an industry that is on the precipice of serious activity.

So, while the picture for the government isn’t going to change in the interim, there is a business model that can work to a satisfactory level, Mr Lobban has explained.

“One of the things that I’m looking at is whether or not we can recruit people, train them and then employ them with the expectation … of losing them at the end of that period,” he said.

“And, as they move into industry, for them to be useful for us. If they’re working with some of those companies that we work very closely with, perhaps there is a benefit that we can get from them.”

It’s not perfect, but neither is the weather or the economic situation. So, we do what we do best and we adapt, always optimistic. That’s called character and Brits have plenty of it. And hey, even Carol Kirkwood, the BBC’s popular weather presenter, says that there is sunshine around the corner. Let the good times roll.

https://b1cba9b3-a-5e6631fd-s-sites.googlegroups.com/a/independent.gov.uk/isc/files/2011-2012_ISC_AR.pdf?attachauth=ANoY7coqbXVSvcSWX2eNC4VDUQWCleK9n2XiRTOKrkncwuzNZNYxSCM8OHN12j29Xgo2-kiPn6BQP8XxeGu0J3LKIU_Sl7PthJLBdu0wu6Gxc2JCzkHhr9ec8_VDGw5RbcUV4UIXNxbP_UW_d7bhiYKS0CDUJUBbiubpMO-gEGfECytFl1TT73QP1rN3um1vQzWAlDp4StsbCtrdfMd040b9D4dVvHDc9tpyDoIDdy5VCGKT-d8r2MI%3D&attredirects=0

Cyber security is in an era of ‘prominent activity’

When one of the most senior figures in British security remarks that cyber security is a global threat, you know he isn’t beating about the bush – he’s informed, he knows, and he’s happy to spread the bad news.

Jonathan Evans, director general of MI5, the British intelligence agency that works to protect the UK’s national security against threats, informed an audience at the Lord Mayor’s inaugural annual Defence and Security Lecture that, although cyber crime has been a threat to network security for many years, we are now in an era defined by prominent activity.

Such is the threat of online malicious activity to the integrity of UK security that it is up there with terrorism as one of the four major security challenges the country has to battle on a daily basis. It is a 24/7 job; one simply cannot rest on one’s laurels.

“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said in a speech entitled The Olympics and Beyond. “And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime.”

Serious words indeed. Backing up his arguments about the need to develop a robust system, tighter relationships with various organisations and improved sharing of best practice, he cited an example of how detrimental the actions of cyber criminals can be.

One major company, listed on the London Stock Exchange, was hit with revenue losses of £800 million – just imagine that on a national scale and you begin to see a clear picture of how damaging this can be. That money could be redirected elsewhere, help create jobs and boost economic activity.

“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions,” he added.

“What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations.”

We definitely agree that it is important to develop closer links within the IT industry, across sectors that specialise in risk management, information security, ethical hacking and business continuity.

This is why Acumin hosts and invests heavily in RANT, a forward-thinking, blue-sky risk and network threat forum. We love conversation, ideas, communicating with people – even those we don’t agree with – and exchanging information, which is the most valuable currency we have.

“The two words ‘information’ and ‘communication’ are often used interchangeably, but they signify quite different things. Information is giving out; communication is getting through.”

So said the renowned American journalist Sydney J Harris. Bear this in mind and there’s nothing an organisation cannot achieve. We’re in this together; a team.

Everyone’s talking about DDoS: Part Two

Contradictions are good, they’re very human, a sort of nod to duality. With night comes day, with heat comes the cold, with the Force comes the Dark Side.

While we began the first half of this feature sounding off about excessiveness – with good reason, we hasten to add – we are, through being involved in the conversation about DDoS, an example of what we call legitimate over-abundance. In this case, lots of eager banter about DDoS is a good thing.

We left you on a quasi-cliffhanger, which was deliberate. Some wise person once said you should never go to sleep having not ended an argument, but our precipitous subject matter was more a volley of information into your court to sleep on, after which, you kindly smashed it back, with shrewd insight no doubt.

Now, while the legality of DDoS might be something that a small band of ethically-minded people perceives to be sound, it is, in today’s wisdom, anything but. It’s illegal and carries with it serious punishments. That’s because DDoS attacks can damage big corporations and government.

Ryan Cleary and Jake Davis have recently admitted attacking both the Serious Organised Crime Agency in the UK and the CIA in the US, as well as running DDoS attacks against well-known brands like 20th Century Fox, Sony, News International and Nintendo to name but a few.

The reason such organisations have responded severely is that they recognise that DDoS attacks are more than just a nuisance. As we shift more and more of our lives online, such attacks have the power to seriously disrupt the way society functions.

If they can bring down a government website, who’s to say they can’t do the same to the NHS website, through which, in a hypothetical future, patients may obtain essential medicine?

According to Vic Mankotia, security vice president of CA Technologies for Asia-Pacific and Japan, DDoS attacks are becoming more sophisticated and consequently damaging.

For example, the fact that some DDoS attacks originate from automated systems with “payloads delivered from USB sticks and protocols such as Bluetooth and magnetic strips of cards” reveals a new era in this criminal activity, he told ZDNet Asia.

It’s hard to keep up with changes, that much is true. Sometimes, it has to be said, businesses themselves are at fault. Don’t get us wrong, we’re not condoning the activities, everyone hit by a DDoS attack is a victim, but companies could be better off if they beef up their security.

In a fascinating recent article for Wired, one that concentrated principally on the lack of insurance cover for DDoS attacks, Miguel Ramos, a senior security consultant at Neustar, took us briefly back to the not so distant past.

“Think back to your history classes and ponder the Maginot Line, the pre-World War II French military fortifications. Hailed as a brilliant innovation and utterly impregnable, the line was quickly outflanked by a cunning and determined foe,” he observed.

“This is not too dissimilar to the way many businesses defend against DDoS attacks. It’s not uncommon to hear, ‘No problem, we’ve got it covered.’ But with what?”

He cited the example of the “woeful” weaknesses demonstrated earlier this year when such an attack on the DNS server of the British Home Office achieved “the goal every hacktivist aspires to: garnering global attention through strategic targeting to raise awareness for its cause.”

Such things bring the matter into the public arena, hence this extended feature. We commend organisations like Check Point for developing tools to fight this battle; we even welcome the chutzpah of D66 for helping us come up with answers as to why DDoS should remain illegal.

Now, enough words have been written, that much is true, so, we put an end to abundance, and leave the thinking to you.

Google’s insight into online attacks

Google matters. It is central to most people’s lives, a steadfast friend whose counsel is invaluable, whose knowledge is like the never-ending expanse of space, a trusty source to consult for information, facts and entertainment.

Marissa Mayer, the American multinational company’s vice president of location and local services, perhaps said it best when she compared Google to a Swiss Army knife: “Clean, simple, the tool you take everywhere.”

The company has just released a new report based on over half a decade of data, which it has analysed in-depth. It is part of its Safe Browsing service (malware and phishing protection), testament to its desire to be a “good company”.

One of the most astonishing things we observed in the report is this statistic: every day Google finds approximately 9,500 malicious websites. Such websites fall into two categories – innocent websites that have been compromised by cyber criminals, and those purpose-built to distribute malware or host phishing. This is serious stuff.

“Many phishers go right for the money, and that pattern is reflected in the continued heavy targeting of online commerce sites like eBay & PayPal,” explained Niels Provos, of Google’s security team.

“Even though we’re still seeing some of the same techniques we first saw five-plus years ago, since they unfortunately still catch victims, phishing attacks are also getting more creative and sophisticated.”

Now while Google strives to offer as robust a security service as possible to counter such attacks, developing new software and strategies along the way, the last part of Mr Provos’ statement is telling. Threats continue to evolve and the problems they will bring will never end. It is a cat and mouse game. Still, a positive attitude to information security and risk management is always a plus.

Shifting the conversation to malware, Mr Provos has observed an increase in social engineering over the last few years, reflective of the move towards an uber-connected age, where people live, work and engage in a virtual framework.

“As companies have designed browsers and plugins to be more secure over time, malware purveyors have also employed social engineering, where the malware author tries to deceive the user into installing malicious software without the need for any software vulnerabilities,” he noted.

“A good example is a ‘Fake Anti-Virus’ alert that masquerades as a legitimate security warning, but it actually infects computers with malware. While we see socially engineered attacks still trailing behind drive-by downloads in frequency, this is a fast-growing category likely due to improved browser security.”

What does all this mean? The most straightforward answer is that we’re shifting into a new era of threats. The landscape, so to speak, is transforming in a very dramatic way, characterised by highly motivated cyber criminals. As Google has noted, a lot of these people are more than happy to engage in such fraudulent activities because of the financial pay-off. That is a hard thing to discourage.

The only saving grace is that the enthusiasm, energy and drive in putting a stop to such behaviour is equally powerful and just as hard to extinguish. Google’s commitment and investment in its Safe Browsing team is testament to that. Cyber criminals, you have been warned.

What LinkedIn’s security breach tells us

It’s a rule of life that the mightier you are, the harder the fall will be. In this 24/7 age of interconnectivity, wired up to the internet every single second of the day, with everyone effectively an IT practitioner, any shortcomings, big or small, will be highly visible.

When the professional social networking site LinkedIn was revealed to have experienced a network security breach, resulting in millions of users’ passwords being uploaded to a website, the online world and media outlets from around the globe went into heated discussion.

Now while LinkedIn isn’t unique in being targeted by cyber criminals, a lot of criticism towards the popular company – it has approximately 161 million users – is justified in the sense that a lot of weaknesses and vulnerabilities have been identified.

One would expect a big company to have a seriously robust system of security, but something has clearly gone amiss. However, it would be too easy to say that this is the product of the fact it has no chief information officer, someone who has the skill, tact and knowledge to “beef up” and monitor security.

That’s because it does have a security team, a world-class one in fact, as its director Vicente Silveira was keen to articulate. This is typified by experts like Ganesh Krishnan, the former vice president and chief information security officer at Yahoo!, and David Henke, senior vice president of operations, who oversees all areas of this.

LinkedIn wasn’t the only one being hit – eHarmony and Last.fm were also targeted. In January of this year it was reported that Facebook, the giant of social media networks, had been breached, with 45,000 passwords being stolen. Hackers had deployed the Ramnit worm.

As the Financial Times noted recently, cyber criminals are preying on social networks – it’s the new playground, so to speak. The significance of the LinkedIn story is its scale. When you get into the millions you know you’re in uncharted territory.

One of the reasons for the shift, explained Graham Cluley, senior technology consultant at the security research firm Sophos, is that the anti-spam features on these websites are “nowhere as mature as places like Hotmail and Gmail”.

Furthermore, the openness of such websites, in terms of sharing information, developing applications and making friends – both as a status thing (the more people you have, the more “popular” you are) and as a strategic thing (the more reach you have, the more exposure you have to services and products) – makes them more vulnerable to being breached.

No doubt that the likes of Facebook, Twitter, LinkedIn and new kid on the block Pinterest will be evaluating their policies and considering how they respond to this new era. They owe it to the collective millions of users who give them the very digital air they need to breathe to ensure that they are safe and protected. If not, users will walk away, and then where will they be?