Sara Gonzalaz's profile was created for a corporate client who wanted to test the ability of employees to resist scams on social-networking sites.

Dubai firm checks security with fake Facebook profiles



DUBAI // The Facebook profile of Sara Gonzalaz shows an attractive young graduate who works for Starbucks Dubai and lists Harry Potter among her interests. But Sara is a man.

Her profile is kept up by David Michaux, a director of the Dubai security company Whispering Bell, and she was created for a corporate client who wanted to test the ability of employees to resist scams on social-networking sites.

"She's completely fictional," said Mr Michaux. "We pulled a couple of pictures off the internet. This was for a specific client who wanted to see how trusting their employees would be. We got an exceptional amount of information."

The scheme was part of a wider "penetration test" his company carries out regularly for large corporations across the country.

The test involves a variety of tactics, from spamming staff with extremely credible phishing sites to leaving USBs loaded with viruses around an office or a car park.

The purpose is to test a company's defences against cybercrime.

"Companies, especially pharmaceutical firms, spend billions of dollars on research and development," said Bassam Ghellal, who is also a director at the firm.

"If someone was to steal designs or formulae and patent them, they would stand to lose huge profits. We produce a detailed report on their security vulnerabilities which they then use for training."

Several security companies carry out penetration tests in the UAE. Ira Winkler, a security expert, has travelled to the Emirates several times for consulting work.

He said it was right for companies to be concerned that social-networking sites could be used to compromise their security, but he questioned penetration tests.

"There have been cases of criminals putting up fake profiles to gain information," said Mr Winkler, president of the Internet Security Advisors Group. "There are also intelligence agencies which do it, to see if there's a susceptibility for manipulation.

"But to carry out a penetration test, it's wholly unnecessary to go into this level of detail."

Mr Michaux said that although his company was not willing to conduct "honey traps", there was a need to explore security through social-networking sites.

"If you have an organised gang trying to break in, they aren't going to stick to etiquette rules," he said. But Mr Michaux said all methods the company used had to be approved by the client.

To carry out the exercise, Whispering Bell created six fake profiles: three men, and three women. According to Mr Michaux, females do better than males.

The next step was to make the profile look credible, which involved attracting a large number of friends. The fake Sara received dozens of friend requests when she left a message on a group saying she was new to Dubai.

"She's had marriage proposals and people offering to send her plane tickets to New York," said Mr Michaux. "It was absurd. People are somewhat gullible."

Once enough friends are on a profile to make it look genuine, the team starts to add employees from the target company.

"We got an exceptional amount of information," Mr Michaux said. "We wanted things that would help us guess user credentials for logging into a system.

"We could have talked to them about their mother's maiden name and about their favourite pet, which are all things that come up in security questions."

Other questions, such as which anti-virus a company uses, are also dropped casually into conversation. That kind of information could help the company tailor a virus to avoid detection.

Mr Michaux said the moral was not to believe everything you see on social-networking sites.

"There's nothing that brings the message of security awareness home more than showing a picture of Sara and then the picture of the geek behind the laptop who's controlling her - in this case, me."
