Showing posts with label General Information. Show all posts

Tuesday, February 2, 2016

What's More Valuable Than Money?

Data. However, the value placed on different types of data is shifting.

While cybercriminals were once clamoring for your payment data, today they are much more interested in other types of information. And of course, it's all about the money.

Stolen credit-card accounts available on the "deep Web" are selling for 22 cents per record. Netflix account information, on the other hand, averages 76 cents per account. But the real deal is Facebook. A cybercriminal with stolen Facebook account information averages $3.02 for each one he sells. Uber accounts are even more valuable, bringing in $3.78 per account!

Change your passwords often, use strong ones and never use the same password more than once. If that's not realistic for you, use different passwords for your social and financial accounts. 

Wednesday, January 14, 2015

Three Fast 'Data Privacy Day' Tips

In advance of the annual international Data Privacy Day, please share these three action tips to protect the privacy of consumers and businesses:

  • Nothing is truly free, including mobile apps. Be aware of the personal information you give mobile app providers. Many free apps sell your information to a wide range of companies, some of which may have malicious intent. Studies have shown most apps do not have many, or even any, security controls built in. Check privacygrade.org to see if the app you want respects your privacy and has security built in.
     
  • Be cautious with new "smart" devices. A wide range of new and unique gadgets -- from socks to smart cars -- connects you directly to other entities (and even to the Internet) to automatically share information about your activities, location and personal characteristics. Before using such devices, make sure you know which data they are collecting, how it will be used and with whom it will be shared.
     
  • Only share personal information with trusted sources. Be extra careful not to share sensitive personal information, such as social security numbers, credit card numbers and driver's license numbers. Don't do business with an entity that does not have a posted privacy notice.

Monday, May 12, 2014

Quick Round-up of Some of the Latest Tricks and Traps

Beware of new scams and privacy pitfalls

New ways to fool people out of their money, information and identities pop up nearly every day. Here's a quick round up of some of the latest tricks and traps:

New Scam Targets Homeless: Fraudsters pay homeless people to take out cell phone contracts in their names. The fraudsters keep the phones, rack up the bills and then sell the phones, ruining the homeless person's credit.

Getty Images Allows Free Embedding, but at What Cost to Privacy? People can embed images in their sites for free, so long as they use the provided embed code and iframe. Because of the scope of Getty's reach, this may allow the company to correlate more information about a user's browsing history than any single site could. Just another reminder that nothing's truly free in this world!

Human Error Tops Ponemon Patient Data Security Study Threats: 75 percent of healthcare organizations view employee negligence as the greatest data breach threat. This result underscores the importance of good security and privacy controls (and excellent employee training!) in healthcare environments. This extends to medical device manufacturers, who often work with very old software and continue to insist that controls are too cost-prohibitive.

The Data Brokers - Selling Your Personal Information: 60 Minutes' Steve Kroft recently reported on his investigation of the multibillion dollar industry that collects, analyzes and sells the personal information of millions of Americans with virtually no oversight.

Saturday, January 11, 2014

Reminder: To Whom are You Really Emailing?

Confirm the email address before you hit send!


Nowadays, it's not uncommon for people to have multiple email addresses. Some people even belong to group email accounts in which an email sent to one address is actually received and potentially read by multiple people.

Before you hit send, be sure you know exactly where your email message is headed. Even when you're replying or forwarding, take the extra moment to hover your mouse over the address in the "To" field to be sure it's going to the intended address.

If you find yourself making this mistake often, consider changing email clients. Gmail, for instance, is notorious for allowing this recipient confusion. Gmail users should also be aware that Google has copies of and access to all email sent using its system. Mr. Snowden provided some proof of that.

Businesses especially should always use a proprietary domain for their email (not Gmail, Yahoo, etc., and certainly not a social email address, like those from Facebook). Business owners should always ensure their email provider follows good security practices (e.g., not storing any email on their servers after it is delivered to the client destination).

Friday, August 30, 2013

Top 5 Tools Every Security Professional Must Learn

5 basic tools for security professionals

As the role of the information security professional continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job.

Nonetheless, Information Security Professionals need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.

ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

ARMITAGE

Metasploit has over the years become the best framework for conducting penetration testing on network systems and IT infrastructure. Armitage is an open source effort to bring a user-friendly interface to Metasploit.


Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability, and is a great way to demonstrate the security in depth of an IT architecture.

HASHCAT

There is constantly a battle between security folks and users when it comes to passwords. Although it is simple to deploy a Password Policy in a company, it’s also very difficult to justify it.


In a perfect world, from the user's perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication.

HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered.

WIFITE

You know what you have connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? Wifite offers the simplest way to test your WiFi security.


Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers for example). Wifite is a very simple and convincing way to validate the security of wireless networks.

WIRESHARK

Known for many years as Ethereal, WireShark is probably the best tool when it comes to sniffing for and collecting data over a network.


WireShark has boosted its capabilities with support for several types of networks (Ethernet, 802.11, etc.) and has become simpler to use through a very friendly user interface.

WireShark makes it possible to demonstrate that outdated protocols such as Telnet and FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user.

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that operate by exploiting human credulity. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool.


It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users.

Tuesday, June 25, 2013

Steve Jobs Movie Trailer Released

Jobs Official Trailer

Earlier this month we heard that the Ashton Kutcher Steve Jobs movie, which is called Jobs, would launch in the US on the 16th of August, and now the first trailer for the movie has been released.


The Jobs movie was originally scheduled to launch back in April, but after a few delays it will launch in August. Have a look at the trailer below.

Wednesday, June 5, 2013

Sex Matters: Men & Women differ on data security

Surprise: Women are also more likely to take steps to control what's visible to strangers on social media although they take fewer security precautions online!

Two Microsoft studies have found that when it comes to technology, men and women may have different priorities when it comes to staying safe and secure.

The first study, which surveyed more than 10,000 mobile and desktop users worldwide, found that 35 percent of men kept their mobile devices protected behind a passcode and used secured wireless networks to go online.

Women, the study found, took those same security precautions at a slightly lower rate of 32 percent.

Following that trend, 32 percent of men kept the software on their mobile devices up-to-date, an important defense against malware attacks. Only 25 percent of women did.

The numbers seem to show that men take mobile security slightly more seriously than their female counterparts, but also that both sexes adopt these common-sense security precautions at an abysmally low rate.

Jacqueline Beauchere, chief online safety officer at Microsoft, said in a statement: "We know from earlier research that men and women practice mobile safety very differently."

Despite their slight edge in security, men appear to fall victim to mobile-based attacks more frequently than women. They receive slightly more phishing emails, intrusive pop-ups and messages from impostors.

When it comes to defending their reputations, women tend to be more cautious than men about what they're willing to share online, the study found.

Women are also more likely to take steps to control what's visible to strangers on social media. The study also found that women are less cavalier than men when it comes to the content of their text messages.

A different Microsoft survey, this one conducted on Facebook, asked more than 800 people about their mobile pet peeves.

Many respondents cited loud talkers, constant phone checking and socially inappropriate use of mobile phones as among their top annoyances.

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Thursday, September 27, 2012

NIST Drafting Guide on Media Sanitization

Evolving Storage Environment Creates Need for Revised Guidance

The National Institute of Standards and Technology is revising guidance aimed to help organizations sanitize data based on the confidentiality of stored information. Draft NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization discusses methods, techniques and best practices for the sanitization of data on different types of media, employing risk-based approaches to establish and maintain a media sanitization program.

The revised guidance doesn't specifically address all known types of media, but it does describe a sanitization decision process that can be applied universally. NIST is seeking public comment on the draft guidance to consider before issuing a final report.

Comments should be submitted to 800-88r1Comments@nist.gov by Nov. 30.

Simply, sanitization makes accessing data on media unfeasible. The proposed guidance identifies three sanitization models:

Clear: Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. It's typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state, where rewriting is not supported.

Purge: Prescribes physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.

Destroy: Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data.


Wednesday, August 22, 2012

Download: Qualification Requirements for Smart Grid Roles

Exact requirements for those interested in pursuing Smart Grid roles

Smart Grid Careers recently conducted research in conjunction with Zpryme's Smart Grid Insights, and a secondary report was released today outlining the experience, skills and academic requirements for candidates seeking to secure a position in the coveted Smart Grid industry.

Based on feedback from 184 executives responsible for recruiting candidates to fill Smart Grid roles, this new report features the following key data points for both new and experienced job seekers:

  • Required and preferred degrees and certifications
  • Needed skill sets
  • Length and type of work experience required

Access the detailed findings of this new release by downloading a FREE copy of the detailed report here (registration may be required).

This research underscores the exacting requirements for those interested in pursuing Smart Grid roles. Potential candidates can leverage this data to guide their academic and initial career choices to ensure it leads to a path in the Smart Grid.

Tuesday, August 21, 2012

SAP Audit Guide for Expenditure

Download the Ultimate Guide to Auditing and Securing Procure-to-Pay Controls in SAP

The third installment of Layer Seven Security’s SAP Audit Guide was released today and can be downloaded at http://bit.ly/SvG956. The series has proven to be a popular resource for audit and security professionals with over 10,000 downloads to date.

The latest Guide focuses upon expenditure-related controls in areas such as vendor master data, purchasing, invoice processing and payment processing. Forthcoming volumes of the Guide will deal with areas related to inventory, human resource management and Basis.

Although the Guide was originally intended to cover the ERP-related modules most commonly implemented by SAP clients, Layer Seven Security will develop and issue similar guides for components such as Customer Relationship Management (CRM), Supplier Relationship Management (SRM) and the Enterprise Portal (EP).

Tuesday, July 17, 2012

An easy way to defeat a “Keylogger”

How to defeat a "Keylogger" without any software/hardware


There are several ways to defeat a keylogger. Here is an easy way which does not need any software or hardware. It is not a revolutionary technique, but it is quite a useful one.


Some of you may already be practicing the same. Keyloggers and Trojans can steal your passwords, credit card details or other important information while you type them on your system. We are sometimes bound to use third-party systems, and even our own systems may be compromised without our being aware of it.


How do we defeat a "Keylogger"?


Let’s assume your password is “savemefromkeyloggers”.


When you type the password, you need to enter it in a different, obfuscated order. Here is an explanation through an example.


Step 1: Type “veme”


Step 2: Use your mouse pointer to bring the cursor just before “veme” and type “sa”. So what you see is “saveme” but the keylogger log would read as “vemesa”


Step 3: Use your mouse pointer to bring the cursor just after “saveme” and type “ggers”. So what you see is “savemeggers” but the keylogger log would read as “vemesaggers”


Step 4: Use your mouse pointer to bring the cursor just before “ggers” and type “fromkeylo”.


So what you see is “savemefromkeyloggers” but the keylogger log would read as “vemesaggersfromkeylo”


Please note that you do not use the “arrow keys” to move the cursor. Use the mouse to click at the right place so that the password key strokes are jumbled up and the keylogger owner would not be able to understand your real password.


So you can create your own method to jumble up/obfuscate your “credit card number”, “CSV”, “passwords” or anything that is critical.


It is a good practice to always use the same pattern to obfuscate the same data since it would make it more difficult for anybody to decode the real password from a single sample of obfuscated password.


It becomes easier to decode when there is a sample of several obfuscated forms of the same password. This technique is quite useful if you are using a shared computer, such as one in a cyber cafe.
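
The four steps above, simulated as an added example (not part of the original post): a model text field records what a keystroke-only logger would capture, and a replay of that log shows why the cursor has to be moved with the mouse rather than the arrow keys. The event model (`<LEFT>`/`<RIGHT>` tokens) and all class and function names are assumptions made for this illustration.

```python
# Added illustration. The event model (typed characters plus <LEFT>/<RIGHT>
# tokens) is an assumption for this sketch, not the format of any real logger.

PASSWORD = "savemefromkeyloggers"  # the example password used in the post


class TextField:
    """A password box plus the log a keystroke-only logger would capture."""

    def __init__(self):
        self.text = ""
        self.cursor = 0
        self.key_log = []  # keyboard events only; mouse clicks never land here

    def type_text(self, chars):
        """Insert characters at the cursor; every character is logged."""
        for ch in chars:
            self.text = self.text[:self.cursor] + ch + self.text[self.cursor:]
            self.cursor += 1
            self.key_log.append(ch)

    def click(self, position):
        """Mouse click: moves the cursor without producing a keyboard event."""
        self.cursor = max(0, min(position, len(self.text)))

    def arrow(self, steps):
        """Arrow keys: move the cursor AND appear in the keystroke log."""
        token, delta = ("<LEFT>", -1) if steps < 0 else ("<RIGHT>", 1)
        for _ in range(abs(steps)):
            self.key_log.append(token)
            self.cursor = max(0, min(self.cursor + delta, len(self.text)))


def replay(key_log):
    """Rebuild the field content from logged keyboard events alone."""
    field = TextField()
    for event in key_log:
        if event == "<LEFT>":
            field.arrow(-1)
        elif event == "<RIGHT>":
            field.arrow(1)
        else:
            field.type_text(event)
    return field.text


def enter_with_mouse():
    """Steps 1-4 exactly as described, repositioning with mouse clicks."""
    f = TextField()
    f.type_text("veme")                              # Step 1
    f.click(0); f.type_text("sa")                    # Step 2: before "veme"
    f.click(len("saveme")); f.type_text("ggers")     # Step 3: after "saveme"
    f.click(len("saveme")); f.type_text("fromkeylo") # Step 4: before "ggers"
    return f


def enter_with_arrows():
    """Same order of typing, but the cursor is moved with arrow keys."""
    f = TextField()
    f.type_text("veme")
    f.arrow(-4); f.type_text("sa")
    f.arrow(4); f.type_text("ggers")
    f.arrow(-5); f.type_text("fromkeylo")
    return f


if __name__ == "__main__":
    mouse, arrows = enter_with_mouse(), enter_with_arrows()
    print("field content      :", mouse.text)
    print("log (mouse used)   :", "".join(mouse.key_log))
    print("replay of that log :", replay(mouse.key_log))
    print("replay, arrow keys :", replay(arrows.key_log))
    # The jumbled log is still an anagram of the password.
    print("same characters    :", sorted(mouse.key_log) == sorted(PASSWORD))
```

The mouse-based log replays to the jumbled string, while the arrow-key log replays to the real password. In both cases the log still contains every character of the password, only reordered.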

Friday, July 6, 2012

Why Business Continuity is Critical For Your Business?

4 Tips to Gain Upper Management Attention


Companies often make many strategic decisions such as outsourcing, off-shoring and long supply chains without full consideration of the consequence of business interruption.


They primarily focus on adding short-term value to the bottom-line, but when these strategies fail to deliver, reputation and brand image are compromised. Short-term financial losses might be containable, but long-term loss of market share is often much more damaging.


By implementing effective business continuity plans, businesses can increase their recovery capabilities dramatically. And that means they can make the right decisions quickly, cut downtime and minimize financial losses. So, getting buy-in at the top is crucial. It requires professionals to have better understanding of the concerns of top management and an ability to communicate risk issues in a common language.


Here are a few ways business continuity practitioners can seek upper management attention.


Emphasize business consequences: Many leaders were shaken by the corporate impact that the Gulf of Mexico oil spill incident had on the finances, share-price and reputation of British Petroleum.


Business continuity managers need to bring these real-life cases in their presentation to management and further use their skills to identify their own organization's potential high consequence events. 


Implement innovative tests and exercises: A traditional difficulty is that BCM practitioners do not report at a high enough level to affect decisions. Although often true, they are not without influence, and one way to use it is in developing an innovative testing and exercising program.


In the past, too many exercises have concentrated on evacuation, safety and emergency response. Although these are required, top management employs specific specialists to handle safety and security on their behalf. 


What BC practitioners need to do is choose scenarios and techniques in their exercises that really interest the leadership team. Using scenarios that highlight fundamental business threats and challenging top management to respond can be scary, but it also can raise the profile of BCM rapidly.


Techniques such as war games, stress testing, scenario planning and horizon scanning are becoming important to business continuity tests. These are areas in which the BCM professional could and (in the future) really should take a leading role.


Be more assertive: BCM professionals can get top level attention by taking a more assertive position to organizational change. Clearly, there are limits to which individuals can become involved in strategic decisions, but by producing a well considered analysis of the consequences of change, they can often get senior management interest.


Decisions can be reviewed or modified if consequential risks are better articulated. BCM professionals can do this through a risk management organizational framework and can make their voice heard.


Communicate BCM benefits: Practitioners must concentrate on finding value and benefits for BCM and promoting them.


For example, if having proper BCM in place helps the organization get on the approved supplier list for a major customer, it's the BC professional's job to ensure that everyone knows about it. If it were a key deciding factor that actually won a big contract, make sure that sales, marketing and finance recognize and publicize that fact.


If BCM helps procurement eliminate high-risk suppliers, again getting that message out through whatever communication vehicles is key.

Wednesday, July 4, 2012

Facebook Email: What You Need to Know!

Facebook Knocks Your Email off the Podium


Facebook is receiving a decent amount of backlash from its most recent privacy misstep. The social media giant recently forced their @facebook.com email addresses upon all users who had not previously signed up to use it - and did so without their permission.


If you don't want this default email used by your Facebook friends, read this article to learn how to change your email back to the preferred address.


From a privacy standpoint, I'd recommend you not use the @facebook.com email address at all. That is unless you want to give everyone at Facebook (and possibly their third parties) access to your email messages.

Friday, June 29, 2012

Nigerian Scams Deliberately Designed To Target Stupid People


Why email scammers say they're from Nigeria?

A recent study found that email scammers really aren't interested in appearing believable because it would just be too expensive if everyone fell for it.

The research conducted by Microsoft’s Machine Learning Department, titled "Why do Nigerian scammers say they are from Nigeria?", found that the OTT (over-the-top) scam email, complete with typos, is a simple, cost-effective way of weeding out intelligent people, leaving only the most gullible to hit.

"Far-fetched tales of West African riches strike as comical," wrote principal researcher, Cormac Herley in the study. "Our analysis suggests that is an advantage to the attacker, not a disadvantage.

“Since his attack has a low density of victims, the Nigerian scammer has an over-riding need to reduce the false positives. By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favour.”

It seems to work. Just last year a Nigerian man was jailed for 12 years after scamming US$1.3 million. In 2008 an Oregon woman lost $400k to a similar scam.

So next time you open a scam email and think to yourself: "Why bother?" live happy in the knowledge you're not the target market.



Tuesday, June 12, 2012

Password-Strength Checker

Check your password—is it strong?


Learn how to use the Password Strength Calculator to test the strength of your password security. Online password strength checker for secure passwords from Microsoft.


What is a strong password?


The strength of a password depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary. It should be 8 or more characters long.


For tips about how to create passwords that are easy for you to remember but difficult for others to guess, read Create strong passwords.


Refer here.

Saturday, May 19, 2012

The evolving role of the CISO

New study by IBM

A study by IBM’s Center for Applied Insights concludes that there are now three ‘types’ of CISO: influencers, protectors and responders. Evolution towards the ‘influencer’ role is necessary, and happening.

Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising, concludes Finding a strategic voice, a new study from IBM.


The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. “In today’s hyper-connected world,” states the report, “information security is expanding beyond its technical silo into a strategic, enterprise-wide priority,” driven by the increasing number of high profile attacks.


The result is that while “many organizations remain in crisis response mode, some have moved beyond a reactive stance and are taking steps to reduce future risk.” Key to this is that business is beginning to understand what security experts have been saying for years: security is not a thing or a product that can be bought and installed – it is a continuous process at the heart of the business itself.

“The Influencers have the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. These leaders understand the need for more pervasive risk awareness.” Influencers have a strategic role in business security. “Responders,” says the report, “are more tactically oriented. They are concentrating on foundational building blocks: incorporating new security technology to close security gaps, redesigning business processes and hiring new staff. While technology and business processes are still important to Influencers, they are in the mode of continuously innovating and improving rather than establishing basic capabilities.”


In reality, the clear implication here is that business needs either both an influencer and a responder, or an influencer who is also a responder: strategy needs implementation tactics. But what of the protectors? This is the traditional view of security. Almost half of the report’s respondents take this role, a role that is likely to be the most prevalent in smaller companies.

“These security leaders,” says IBM, “recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises’ security approach.”

“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, IBM’s author of the report. “We see the path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.”

In short, this IBM study demonstrates that security and the role of the CISO are evolving from a reactive stance to a proactive stance, both within security itself and the wider business – but there is still a long way to go from protector to influencer.


To read further please refer here.

Sunday, April 22, 2012

5 Common Types of Security Professionals

Information Security is all about managing risk not scaring people!


The information security profession is a fascinating and interesting field, but we do have some interesting characters!


Today, I'll be presenting the 5 most common types of security professional you will see/meet in your career.


5 – The NO-MASTER


Have you ever been to a meeting where the security professional, instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, cans the idea straight off the bat?


What happens next is simple: the business escalates to the executives, who basically mandate/bypass all the policies (because they can). The NO-master just missed a great opportunity to make a difference, and position himself/herself as a contributor, rather than a roadblock!


Example:


- So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter. So…
- No way!
- Sorry Jimmy, did you say something?
- Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it.
- But all the other companies out there are already.
- What do you prefer? Being on Facebook or being hacked?
- Ok, Security didn’t approve it, we are not going to use Facebook then.


4 – The By-The-Book Preacher


Here is another truth, if it’s written, it’s right! A typical scenario:


This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy says that critical patches must be installed X hours after being released!


You will find hundreds of Information Security Professionals like this. There is no context applied, there is no risk profiling, it needs to be done because the book/policy says so.


As a security professional, you are not paid to stick to a manual. You are paid to help the business to understand what the risks are, and the consequences of their (lack of) actions. 


Information Security is all about managing risk. In the real world, some rules need to be bent occasionally to satisfy an SLA or to meet a business requirement, provided that you know what the risk is.


Asking your support team to bring down the whole payroll system on the 30th of the month because a critical Microsoft patch was released is not the way to manage risk in an efficient manner.


This type of security professional goes hand in hand with the NO-Master. All those security professionals who fit in this type should apply their knowledge and use the policies, books and procedures as a reference.


They should understand that business comes first, and that if a decision has to be made between security and being available, you are going to lose credibility.


3 – The Dinosaur


There is nothing he/she hasn’t seen before, there will always be a real life FUD story to back up their claims.


The dinosaurs are one of the hardest to fight against because they know it all. 


Their philosophy is simple: 


Everything boils down to access control. If people are not allowed to do something, you have nothing to worry about. I have to say I agree with this person to an extent, but that dismisses the fact that there are exploits out there that could give an unauthorized user super privileges, which goes beyond access control.


2 – The Technology-Solves-It-All


Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download uTorrent takes years. And sometimes not even years will do.


But it doesn’t necessarily mean that technology will substitute the need to have well trained human beings with well-defined processes in place. The tool should exist to make the process viable, and not vice-versa.


Example:


Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?


You will notice that conversations like this happen every day.


1 – The paranoid


These ones are the most dangerous and insecure professionals.


The paranoid sends you SMS at 3 in the morning about an article they read about a just-disclosed compromise in company X. They also call you to make sure you got the SMS. The paranoid asks you to send emails from your work e-mail, they don’t trust Hotmail accounts.


You could have met someone who is a little bit of all of the above, "NO COMMENT"!

Sunday, December 4, 2011

How can a person remove personal information from the Internet?

A Concerned Reader Wants to Know...

First, the bad news. As soon as any kind of information, including personal information, is online, anyone can copy and store or post it elsewhere. What's worse, there are tools that are constantly searching the Internet for specific types of data.

Once they find it, they can grab it, copy it, post it and store it - for any number of purposes.

4 steps you can take if something gets online that you don't want:
  1. Delete what you can yourself as soon as possible.
  2. Contact the website(s) where it is located and ask them to remove it.
  3. Enlist the help of a lawyer or online data removal service (e.g. Reputation Defender, Reputation Changer) to remove what you can't, or what the website won't.
  4. Remain diligent and check often (for instance, by setting a Google Alert) to ensure you catch any reposting of the information.

Monday, November 29, 2010

Taking-control of People's Webcams

Computer genius jailed for hacking webcams

A computer hacker who used his technological know-how to take control of people’s webcams was sentenced to 18 months in prison today.

Matthew Anderson, aged 33, was an important member of a globally-running gang who abused the skills he picked up from his role as an expert in computer security in order to target both businesses and members of the public with spam that contained hidden viruses.

As well as this, he accessed personal data such as photographs in a highly sophisticated email scam run from the front room of his mother’s house, and took control of random internet users’ webcams in an attempt to see inside their houses and appointments.

While also boasting at one point to a colleague that he had had a teenage girl in tears with his acts, Anderson also saved webcam images of girls in school uniforms, a newborn baby with its mother in hospital and other intimate pictures, some of which were of a sexual nature.