2015: An online year reviewed at NetSafe HQ

Christmas is coming and that means it’s time for us to publish our annual review looking at the (anonymous) visitor trends and traffic patterns to our three most popular websites.

Many of the common concerns from 2012, 2013 and 2014 are still making the top ten charts at NetSafe in 2015: ransomware, phishing attacks and safety issues around mobile phones for young people feature in the most visited pages on NetSafe.org.nz, Security Central and our blog.

The cold calling PC Doctors again feature in the top ten lists – sadly, it’s a scam that just won’t die – whilst new in the charts is our advice for people receiving Ashley Madison blackmail threats, reflecting another year of high profile data breaches and the increasing use of extortion, blackmail and ransom demands to deliver financial gains.

2015 in Numbers

This year we published our first annual review of cyber safety, cyber security and cyber crime issues entitled Digital Challenge and New Zealanders (PDF, 2.2MB). NetSafe will publish a follow-up review of reported incidents on Safer Internet Day 2016 – 9 February.

So far this year, New Zealanders have reported $12,801,042 lost to a range of digital challenges. With almost 218,000 visitors to our three main websites, read on for an insight into NetSafe visitor trends for 2015.

NetSafe.org.nz

Just over 180,000 people visited the main NetSafe website during 2015 from a diverse 213 countries, states and territories.

More than one in three visitors were using a mobile or tablet device to access our online content and we took the plunge at the end of September to release a new www.netsafe.org.nz website, the fifth iteration of our public facing site. Our intention is to provide website visitors with detailed guidance that more rapidly reflects emerging incident patterns with the aim of reducing all forms of online harm.

NetSafe’s Top Ten Website Pages

To reflect our updated website, this year we’re listing the most popular pages by visitor traffic over the last two months.

It’s great to see that interest remains strong in our ‘NetSafe Kit’ resource for New Zealand schools – the fourth version of the NetSafe Kit details seven steps required to produce a cybersafe learning environment.

  1. How can I put parental controls on my child’s mobile phone?
  2. Safer Internet Day 2015: Let’s Create A Better Internet Together
  3. The NetSafe Kit for Schools
  4. Harassment and Abuse on Phones and Mobiles
  5. Legal And Illegal Content
  6. What can I do about Ashley Madison blackmail emails
  7. Cyberbullying and Online Harassment
  8. A Parents’ Guide to Instagram
  9. What anti-virus software should I use?
  10. Harmful Content Online

Visitor technology explored

Our anonymous statistics help identify what browsers and operating systems visitors are using, offering us an important insight into current technology.

We noted a small increase in smartphone use over the year and a slight decline in Windows market share. The most startling change was the number of visitors using Google’s Chrome OS.

What computer operating system do NetSafe visitors use?

Operating System | 2015 Share | 2014 Share
Windows | 52% | 55%
iOS | 17% | 16%
Android | 16% | 13%
Macintosh | 10% | 10%

In 2014, 3% of visitors were running Linux. In 2015, the fifth most popular operating system changed to Chrome OS with a 2% share.

It was reassuring to see that 92% of Windows users were running a supported version of Microsoft’s operating system. The number of Windows XP users halved (and Vista all but disappeared) but we’d still strongly encourage those holding out to invest the time and resources to upgrade to a safer system.

2014 Windows breakdown:

  • Windows 7 – 68%
  • Windows 8.1 – 12%
  • Windows XP – 10%
  • Windows 8 – 7%
  • Windows Vista – 3%

2015 Windows breakdown:

  • Windows 7 – 63%
  • Windows 8.1 – 22%
  • Windows XP – 5%
  • Windows 10 – 4%
  • Windows 8 – 3%

Drilling down into the data shows some different numbers for New Zealanders when it comes to their operating system of choice.

What computer operating system do Kiwi NetSafe visitors use?

In 2015, the number of Chrome OS users quadrupled, perhaps reflecting the increasing use of Chromebooks in NZ schools:

  1. Windows – 60% (52% globally)
  2. iOS – 14% (17% globally)
  3. Macintosh – 13% (10% globally)
  4. Android – 9% (16% globally)
  5. Chrome OS – 4% (2% globally)

What web browsers are popular?

Visitors to NetSafe websites are firmly favouring Google’s Chrome browser:

  • Chrome – 50% (up by 10% on 2014 numbers)
  • Safari – 20% (no change)
  • Internet Explorer – 14% (down 4%)
  • Firefox – 10% (down 2%)
  • Android Browser – 3% (down 3%)

 

Security Central Top Ten

Ransomware continues to be the number one concern for visitors to our cyber security website.

This year we’ve seen various ‘flavours’ targeting Windows users and we’d strongly encourage anyone storing anything of value on a computer to back up important personal and business data regularly.

With increasing reports of Android ransomware, mobile device users should also be alert to demands for ‘fines’ to be paid or browser lockscreens that try to trick or scare you into calling a technical support hotline that then demands hundreds of dollars to ‘clean up’ your phone or tablet.

  1. Dealing with CryptoLocker ransomware
  2. Dealing with ‘Police’ ransomware on your Android device
  3. How to check and update Adobe Flash
  4. Dealing with ransomware
  5. How to check and update Adobe Reader
  6. Dealing with ransomware and remote access hacking
  7. Reporting cybercrime in New Zealand
  8. An Introduction to Cybersecurity
  9. Phishing, social engineering and online scams
  10. NetSafe Computer Security Checklist

The NetSafe Blog Top Ten

Kiwis have made the most of the strong dollar over the last few years and have turned to ecommerce retailers offering bargain prices. There’s no doubt that millions of transactions go smoothly, but NetSafe increasingly takes reports of new websites and traders on social media platforms failing to deliver items or sending fake products or locked up phones.

  1. Buying super cheap trainers online? Just don’t do it
  2. Help my website has been cloned – Bad robot! Defeating website scrapers
  3. Beware the PC doctor
  4. Going Phishing: how to spot a fake banking website
  5. Digital Citizenship. Are we literate online?
  6. Safer Internet Day partners work to combat rising internet harms in New Zealand
  7. Being proficient with technology versus being proficient about technology
  8. The top 3 cyber security threats for NZ small businesses: #ConnectSmart
  9. Identifying the real cost of cyber crime to New Zealand
  10. How to spot a suspicious email attachment

Stay safe and secure in 2016 and enjoy the Christmas break.

Where can I study cybersecurity in New Zealand?

With corporate data breaches making the news most weeks, cyber security skills are increasingly being seen as a hot commodity for workers in the IT sector and for business owners and managers too.


As New Zealanders rely more and more on digital technology and online ‘cloud’ services around the globe, understanding emerging cyber risks and best practices for improving information security at all levels of the New Zealand economy is essential.

The American National Initiative for Cybersecurity Education publishes a map showing US education options – we thought it would be handy to publish a Kiwi version and so the map and listings below detail a range of online, short/professional and tertiary level course options for increasing your knowledge of cyber or information security in New Zealand.

We’ll be updating this post with further study options as we discover them, including short courses around the country, executive level training and professional ‘infosec’ certifications from bodies like ISACA, ISC2 and SANS.

If your course isn’t listed below please do get in touch with Chris Hails at NetSafe.

How do I select a good information security course?

Computer security is a wide-ranging field and there may be one or more areas you are most interested in. Review the guidance on these US and UK sites about getting into the ‘cyber’ industry and gaining practical experience that employers will look for:

How to Get Into Cyber Security From a General IT Career

Cyber Security Challenge UK FAQs

Then take a look at the various NZ study options. Costs may come into play regarding course fees, accommodation if living away from home, etc. You may also want to contact each provider and ask them some questions or visit their facilities in person. There are plenty of opportunities to build cyber security knowledge outside of a formal study environment but a specialised degree can add to your credentials.

Lastly, you could review online adverts for security roles or approach NZ employers and ask what they look for when hiring new talent.

Information security training courses in NZ

Tertiary Courses (Bachelors, Masters, Doctorate):

AUT University
Master of Information Security and Digital Forensics

Massey University
Bachelor of Arts (Security Studies)

Unitec
Bachelor of Computing Systems (Cyber Security)

Unitec offers cybersecurity as a specialisation at Masters and Doctoral level including a double doctorate in cybersecurity with Nara Institute of Science and Technology. Unitec also offers a number of specialised short courses – see below – and has previously run a Capture the Flag (CTF) contest to identify talented high schoolers.

University of Auckland
Master of Professional Studies in Digital Security (MProfStuds)

University of Waikato
Master of Cyber Security

The Cyber Security Researchers of Waikato (CROW) focus on research addressing data security as cyber security moves away from the diminishing effectiveness of traditional approaches such as perimeter defence, intrusion detection and infrastructure hardening.

The University also ran their first Cyber Security Challenge event in 2015.

Wellington Institute of Technology
Graduate Diploma in Information Assurance and Security

Short Courses:

Victoria Professional and Executive Development
Cyber Security short courses in association with Total Risk

Total Risk offers a range of specialist cyber security training courses relating to information security, IT security, handling of computer security incidents and risk assessment. Courses are offered at Victoria University in both Auckland and Wellington and are SEI accredited.

Unitec
Short courses in cyber security for managers and business owners.

Unitec courses are offered as three-hour blocks during daytimes, evenings and weekends and cover subjects ranging from incident handling, protecting information, networks and cryptography.

Online Courses and MOOCs

Introduction to Cyber Security
A free online course provided by FutureLearn, a private company owned by UK’s Open University with UK and international university partners from around the world. The guide for the course is Cory Doctorow.

MIT Computer Science courses
MIT’s OpenCourseWare platform provides free and open online access to Massachusetts Institute of Technology courses covering Network and Computer Security and Cryptography and Cryptanalysis amongst many other technical subjects.

SANS Cyber Aces Online
An entry-level open course programme from information security industry certification group SANS. Online learning focuses on the fundamentals of cyber security covering three important modules: Networking, Operating Systems, and System Administration.

Security Engineering – Applied Cyber Security
Free course on the openlearning.com platform. SEC.EDU is a partnership between the University of New South Wales and Commonwealth Bank. Led by Richard Buckland, an Associate Professor in Computer Security, Cybercrime, and Cyberterror at UNSW.

Buying super cheap trainers online? Just don’t do it

There’s no doubt the internet has revolutionised shopping in New Zealand: more choice and cheaper prices. The Dom Post believes that “the internet has brought the markets of the world into New Zealand houses.”

According to Statistics NZ data, the value of goods and services purchased online has been rising at more than 20% a year for some years and the internet’s growing slice of the retail pie has now got the government interested in taxing online sales with GST.

BNZ’s Online Retail Sales Index showed total online retail spending in June 2015 was up 19% compared to June 2014 levels and that’s despite the weakening dollar.

BAG A BARGAIN?

Nearly 2 million New Zealanders now shop online with 40% looking for a bargain. But our obsession with cheap prices can often end in a digital disaster.

In 2014, NetSafe recorded almost $8m lost to online scams and frauds (PDF) with more than 800 reports of online trades going bad and almost $400,000 lost when buying on websites, buy and sell pages and online auctions.

Yes, that’s a tiny percentage of online spending, but with the average sum lost standing at $801, bargain hunting can sometimes catch you out.

SUSPICIOUS SNEAKER SELLERS

A growing trend in 2015 is the non-delivery of bargain-priced footwear, often well-known brand running shoes purchased through .nz websites that present themselves as Kiwi businesses but are actually located in China or Russia.

Nike buyers have been hit particularly hard in recent months with ecommerce sites shipping fake goods or failing to deliver on the orders made. And the concern is that some of these sites are simply harvesting credit card accounts or personal data – including home addresses and emails – for future scams.

So what can bargain conscious Kiwis do to shop safely online?

  • Buy online using a credit card
    Buying with a credit card gives shoppers better protection than a debit card – if a deal goes bad you can try to get a bank chargeback.

    You can also investigate other payment options such as a Prezzy card which expires and offers an extra level of anonymity. If you think your credit card has been compromised, report it to your bank immediately.

  • Do some due diligence before you press buy
    First off, check how much of a bargain you’re being offered – compare the price of the item in an NZ store and see just how cheap the deal is. There’s a reason the old proverb “if it seems too good to be true, it probably is” still applies in the 21st century.

    Still keen for that bargain? If you’re shopping on an online site that you haven’t used previously, Google the name of the site with the word “scam” or “review” after it. If a website has tricked other shoppers before, there’s a good chance that disgruntled customers will have posted warnings online.

    If you’ve been ripped off then report to NetSafe so we can keep track of the dodgy dealers and work with Consumer Affairs, who issue Scam Alerts online.

  • Dig deeper: who really runs that online store?
    Well-known Kiwi brands often operate ecommerce sites and will prominently list a contact phone number, address and policies about returning goods.

    If you’re thinking of buying from a less well known website, check if the company lists a telephone number and try calling it. Many of the scam sites reported to NetSafe can only be reached through an online feedback form and this can often be a red flag.

    To check the provenance of a company selling online, search the domain ownership information and the registration date. The ‘whois’ record – easily searched at whois.domaintools.com or dnc.org.nz for .nz domains – will show you contact information and how long the website has been operating. If the site was set up very recently or is hidden behind a private domain registration, be very cautious about placing an order.

    A final check to consider is locating where the site is hosted. www.infosniper.net is a great way to check where the computer powering the website is based. If a .nz website is based offshore – or in a high fraud risk country like Russia – this should make you think twice about buying.

Picture credit: Flickr user Don Hankins, used under Creative Commons licensing.

How to assess the cyber security of your business #ConnectSmart

Operating a small business is hard work. You pour blood, sweat and tears into making it a success so surely you want to do everything to protect it?

With the average computer security incident reported to NetSafe in 2014 costing $10,700, taking care of your hardware, software and information security is a must for every small business owner or manager.

$8m was reported lost to NetSafe in 2014 from a range of digital challenges – 520 out of the 8121 reports involved a variety of computer security threats

Solo or micro Kiwi companies with fewer than 5 staff make up a large part of the New Zealand economy and as the owner or operator of a small company you can often find yourself wearing many hats on a daily basis covering sales, marketing, accounts, customer service and actually delivering the product or service that keeps the business going.

Ensuring the security of your business assets is also a very important part of keeping your company operating, whether it be the vehicles you use to deliver goods, the property you operate from, the customer database you work with and the IT systems you use to communicate with suppliers.

With IT playing a central role in so many companies these days, it’s essential that you undertake a cyber security assessment to keep track of your important information assets and protect them.

What is information or cyber security?

The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

When we think about information and information systems we’re covering people, processes and technology.

This can include email, invoices, payroll, employee and client data, intellectual property and the computer systems that staff use to collect, store, process and deliver information.

Using the Connect Smart SME Toolkit can help you uncover precisely what business information and systems could be a target for cyber criminals. And assessing your cyber security risks can help identify what are the critical financial and information assets in your own business that need to be protected.

Conducting a simple risk assessment


By not protecting your small business information and systems you risk:

  • Decreased productivity
  • Legal liability
  • Loss of confidence
  • Loss of reputation
  • Loss of business

An assessment or audit of your business can identify:

  • Threats
  • Vulnerabilities
  • Risks

Here’s how these interact:

A THREAT acting on a VULNERABILITY produces a RISK and probable bad consequences

A simple, real world example for a small NZ business would be:

Threat: Spam email with malicious attachment delivering ransomware

Vulnerability: Employees not trained to identify or delete spam emails

Risk: Network is compromised and hardware infected

Consequences -> Business data encrypted, records lost

Conducting a risk assessment can highlight these kinds of weaknesses in your business.

Ideally, for the example above, you’d have several protective measures in place to tackle the malicious email risk that could include anti-virus software that automatically updates on all computers and a data backup regime that keeps regular, incremental copies of essential business data that can be easily accessed to recover from an infection.

Taking the time to review your company’s critical information and systems can help kick start the process of protecting it.

Step One

12 Questions that can help identify risks

Step one of the Connect Smart toolkit poses the following questions:

  1. Do you have an overall security policy?
  2. Do you and / or your employees access business emails on mobile devices (including phones and tablets)?
  3. Do you train your staff about using mobile, the internet and email securely?
  4. Do you back up your critical business data regularly?
  5. Do you have a firewall installed on the computer(s)/servers used for your business?
  6. Do you use security software (such as anti-virus and anti spyware) and up-to-date operating software?
  7. Do you connect any of the computers or mobile devices in your business to the internet using a wireless network?
  8. Do you know how to prevent data theft?
  9. Do you know how to reduce and manage spam?
  10. Do you store business critical information on mobile devices?
  11. Do you educate your staff not to give out confidential information that could compromise your company’s cyber security, either over the phone or online?
  12. Do you delete or disable your staff’s IT accounts when they leave the company?

Answering these questions gives you the ability to score your business on how prepared you are to face the kinds of cybersecurity threats that NZ SMEs are experiencing every day.

Spot some gaps? Then it’s a good opportunity to address these risks and talk with your own IT staff or your IT contractors on what to do next. Perhaps you need to upgrade those old Windows XP computers? Maybe staff all use one shared password to log in? Or you may suddenly realise that the information you need every day to keep your company going has never been backed up and one virus infection could put you out of business for good.

Keep it simple

Drawing up an information asset register is one simple step to help you record exactly what information your business uses and relies on to keep bringing cash through the door.

We’ve listed some other useful guides below that may assist you:

Richard Kissel from the American National Institute of Science and Technology’s Computer Security Division offers some great exercise templates for identifying and prioritising information types and ways to estimate the costs involved should bad things happen to your business data.

  • Cloud computing guidance for NZ

The Office of the Privacy Commissioner has several useful guides for SMEs around moving IT and information to the cloud, good data practices and dealing with security breaches:

Using the Cloud

Cloud Computing Checklist for Small Business

Data Safety Toolkit

What can Samsung’s ‘Safety Truck’ teach internet users?

There’s been a lot of coverage this week of Samsung’s efforts to keep Argentinian road users safe when overtaking:

head-on collisions caused by people trying to overtake slow-moving vehicles is one of the biggest causes of road deaths.

The Korean manufacturer has come up with a simple tech solution to an age old problem – looking before you leap – and created a way for drivers to see ‘through’ a lumbering lorry with a front facing video camera displaying the road ahead on screens fitted to the back of their large delivery trucks.

Drivers no longer have to risk a blind overtaking manoeuvre, swinging out into traffic to check the road ahead before hitting the gas to pass the truck that’s slowing their journey.

An age old proverb is just as relevant today

Looking before you leap taken literally means it’s wise to check the path ahead before making a decision that you may regret or before you take an action that you cannot go back on.

The proverb is believed to date from 1546 and was originally a warning about marrying the wrong partner:

In wedding and all things to looke ere ye leaped

Almost 500 years on, it’s still a useful part of any safety campaign and NetSafe regularly speaks with internet users who wished – with the benefit of hindsight – that they’d better researched an online offer or virus scanned an email attachment before finding themselves out of pocket or paying out for a computer clean-up.

Ways to look before you leap online

“Knowledge is power” is another old proverb worth remembering. When it comes to internet scams and frauds and computer security best practice, there are several ways to look before you leap into disaster:

1. Spend 5 minutes Googling

Seen a bargain offer online? Received a promising email about a work from home job? Thinking of sending your savings to an offshore broker? Do your due diligence before parting with cash or personal information.

It’s highly likely that another internet user has already fallen victim to the website you’ve spotted selling bargain electronics or offering a rate of return that’s too good to be true.

The internet has enabled scam victims and folks with a grievance to publish their own horror stories from anywhere in the world and doing a quick Google search with the URL of the site or name of the company plus the word scam afterwards can often uncover stories that may save you from a nasty mistake.

PLUS:

-> Looking to invest? Check the FMA’s lists of alerts, warnings and firms to be wary of.

-> Think it’s a scam? Check Consumer Affairs’ Scam Alerts for the latest advisories.

2. Check if a website is dodgy

A company may claim to have been in business for 20 years but has it really? A quick ‘whois’ search of the website address can often highlight some oddities worth thinking about.

The whois record shows information about the domain name’s owner, their place of business and when the website name was established.

Scammers often register new website names just days before starting up a new scam, so look at the ‘Creation Date’ on file to see if the company has really been trading for as long as they claim on their website.

If the ‘Registrant’ details are hidden behind a domain privacy service operated out of Arizona or Panama then that’s a huge red flag – legitimate companies have few reasons to hide where they’re really based or want to stop people from finding out the real ownership details.
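The whois checks described here and in the online shopping advice above (creation date versus claimed trading history, and registrant details hidden behind a privacy service) can be applied to a saved whois record with a short script. This is an added example, not NetSafe's own code: the sample records are constructed, the 180-day threshold and privacy keyword list are assumptions, and real registries vary in the field names they use.

```python
from datetime import datetime, timezone

# Assumed values for illustration; adjust to your own risk appetite.
NEW_DOMAIN_DAYS = 180
PRIVACY_HINTS = ("privacy", "proxy", "whoisguard", "redacted", "protected")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")

# Constructed sample records (not real domains or real whois output).
SAMPLE_NEW_PRIVATE = """\
% constructed example record
Domain Name: bargain-trainers.example
Creation Date: 2015-11-28T04:12:09Z
Registrant Name: Domain Privacy Service
Registrant Country: PA
"""
SAMPLE_ESTABLISHED = """\
Domain Name: established-store.example
Creation Date: 1996-03-14
Registrant Name: Example Retail Ltd
Registrant Country: NZ
"""
SAMPLE_EMPTY = "Domain Name: nothing-to-see.example\n"
TODAY = datetime(2015, 12, 18, tzinfo=timezone.utc)


def parse_whois(text):
    """Return {lowercased field name: [values]} from 'Key: Value' lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks and the comment/footer lines registries often add.
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def creation_date(fields):
    """Parse the first 'Creation Date' value that matches a known format."""
    for raw in fields.get("creation date", []):
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def assess(whois_text, today, claimed_years=None):
    """Return a list of red flags; an empty list means none were found."""
    fields = parse_whois(whois_text)
    flags = []
    created = creation_date(fields)
    if created is None:
        flags.append("no creation date in record")
    else:
        age_days = (today - created).days
        if age_days < NEW_DOMAIN_DAYS:
            flags.append(f"registered {age_days} days ago")
        if claimed_years is not None and age_days < claimed_years * 365:
            flags.append(
                f"domain is younger than the claimed {claimed_years} years of trading")
    # Pool every registrant-related field and look for privacy-service wording.
    registrant = " ".join(
        v for k, vals in fields.items() if k.startswith("registrant") for v in vals
    ).lower()
    if not registrant:
        flags.append("no registrant details published")
    elif any(hint in registrant for hint in PRIVACY_HINTS):
        flags.append("registrant hidden behind a privacy service")
    return flags


if __name__ == "__main__":
    for name, record, claim in (("new/private", SAMPLE_NEW_PRIVATE, 20),
                                ("established", SAMPLE_ESTABLISHED, 15),
                                ("empty", SAMPLE_EMPTY, None)):
        print(name, "->", assess(record, TODAY, claimed_years=claim) or "no flags")
```

A clean result only means these two checks found nothing; it does not confirm that a seller is genuine.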

PLUS:

-> Worried the URL might infect your computer? Use the website urlquery.net to scan a website before you go there on your own computer and risk a drive by download.

The site returns intrusion detection system alerts and popular blacklisting records to provide a visual warning even if you’re not familiar with the technical specifics as this example shows below with red and yellow warning flags:

[Image: urlquery.net warnings]

3. Check with NetSafe

NetSafe staff handle 5-600 enquiries each month from people across New Zealand who are concerned about an array of ‘digital challenges’ that includes the safety of young people, online scams and cyber security threats.

Our experienced staff can help with anything from identifying scam operators to assisting with ransomware infections and website defacements. We can also connect you to a network of partner organisations that specialise in online issues involving child exploitation, objectionable content and extortion.

Want to look before you leap online? Contact NetSafe for advice.

Advice and guidance for dealing with digital challenges