Connect Smart: Don’t wait until it’s too late!

A phone call to NetSafe this morning from a PC user facing the loss of a year’s worth of data serves as a timely reminder that taking a proactive approach to computer security is essential when ransomware gangs and other cybercriminals are actively targeting out-of-date software or unpatched computers.

The computer owner had actually taken the time to back up important business files, but sadly found the USB backup had also been encrypted with CryptoWall ransomware as it was still attached to the infected machine.

With complex malware being able to ‘jump across’ to back up locations – including cloud based services like Dropbox – the onus is on every computer user to protect themselves online and store several copies of essential data, ideally in separate locations.

Last week, international law enforcement agencies took down the network behind CryptoLocker ransomware but it would appear other malware writers are moving in to grab a share of the market.

Connect Smart Week is coming

Next week marks the start of the new government initiative, Connect Smart. This rebranded Cyber Security Awareness Week for 2014 will highlight ways home internet users and SMEs can protect themselves from phishing attacks and malware infections and will be launched in Wellington.

NetSafe will be promoting the week and my colleague Lee will be speaking at a free to attend cybercrime event in Wellington on 18 June along with other computer security experts.

The Institution of Professional Engineers New Zealand (IPENZ) is hosting the event which starts at 6pm at Queen Margaret College, 53 Hobson Street, Thorndon, Wellington. More information can be found on the IPENZ website.

Protect yourself online: secure all devices

The recent high profile ‘hack’ of some iPhone owners’ iCloud accounts by ‘Oleg Pliss’ is another reminder of how essential it is to apply good computer security practices to all your connected devices.

NetSafe recently published guidance on smartphone security with 12 Tips for Protecting Your Digital Device as evidence is emerging of new variants of ransom malware now being developed for Android smartphones and tablets.

Whilst news media reported yesterday that Russian authorities may have caught the ransom gang behind the Apple ID hack, it’s essential that New Zealanders use Connect Smart Week as an opportunity to review their online safety and security.

Teach a man to phish and…

Tax-refund Ray – watch out for unexpected phishing emails around tax time suggesting a large cheque can be claimed from IRD or other companies.
Click on the links and you may suffer a nasty sting. Grant payments and bank fee refunds are increasingly being offered by telephone cold callers too.

Phishing has been in the news again this week with the high profile attacks on Apple IDs as one plucky cybercriminal named Oleg Pliss developed a new way to hold iDevices to ransom.

The continuing success of phishing attacks remains a concern that individuals and small businesses need to address:

  • training staff to recognise strange looking emails and not opening attachments trying to masquerade as invoices, delivery notes and tax refund alerts
  • and putting in place email filtering and spam detection that can lessen the impact of unwanted messages.

A report out today suggests phishing attacks on PayPal users are on the rise in 2014, with researchers observing a 73 percent increase in the number of phishing websites targeting PayPal login information.

The report even suggests a growing army of phishermen are taking the time to hone their skills, downloading code to build fake login pages and tweaking the look and feel to improve their ‘conversion metrics’ – an online marketing standard normally associated with more legitimate commerce operators.

PayPal is owned by eBay, the US auction giant which has suffered its own mega breach recently and was subsequently criticised by security professionals for taking a long time to warn customers that account data was at risk.

Identifying genuine threats

Yesterday I spent some time trying to work out if an email supposedly sent from eBay post-breach was a genuine request for users to reset their passwords.

Interestingly, the message spoke of the attack and suggested securing accounts was essential but provided no link in the body of the text to visit a webpage, no doubt an intentional step to reassure those receiving it this really was from the company and not cybercriminals trying to exploit the well publicised event.

Check out the screenshot below – would you have been able to decide if the email was real?

[Screenshot: eBay password reset email]

Both eBay and PayPal have comparatively low user numbers in New Zealand – the auction company was seen off by local operator Trade Me some time back. But both companies are more widely known across the Tasman in Australia where Kiwis are likely to have been buying goods on the .com.au site.

As we approach tax time, phishing gangs will no doubt step up their efforts against our own IRD. Take the time to read guidance on the organisation’s own website and report phishing emails to them so they can be taken down before personal information is passed over or logins compromised.

More resources:

Don’t want your iPhone or iPad ‘hacked’? Why unique passwords are so important for online security

Screenshot of affected Apple device
This screenshot was being used by many online media outlets yesterday showing a Find my iPhone style alert suggesting a ransom needed to be paid.

I was sitting down last night for a little light TV watching when I first read the story about ‘iPhones being hacked’ by a mysterious “Oleg Pliss”.

Hacked is a generic term often misused when it comes to device and online security and to date the evidence on web forums and in the security press seems to suggest that Apple’s consumer device has not been affected by ransomware – malicious software demanding a payment for a unique unlock key.

So far (on Wednesday morning, NZ time) it would appear that Apple ID owners have found their devices locked remotely after their login details have been used to block their devices using Apple’s own Find My iPhone service.

The current theory is a wave of phishing emails targeting Apple IDs or recent high profile data breaches at eBay and elsewhere have let cyber criminals amass a huge pile of email addresses matched with working passwords.

Use a different password for every online service

Do you daisy chain your passwords and online life?
Using the same password everywhere online lets bad guys ‘daisy chain’ your online accounts and services, hopping from one system to the next hoping the same login details will give access to other systems and even let them hold your iPhone or iPad to ransom. (Daisy chain image used under CC by Flickr’s ‘benbawden’).

UK media regulator Ofcom recently published a report on attitudes to online life and buried in the depths of this statistical mass is the startling figure that 57% of Brits “use the same passwords for most if not all websites”.

I can’t help but wonder what the equivalent NZ figure would be? We know many folk find it hard to remember multiple logins and thus ease of use trumps a sense of security when it comes to passwords.

This latest Apple ‘hack’ would seem to confirm NetSafe’s belief that using strong passwords, changed regularly and with at least your most ‘valuable’ services protected by a unique string of letters, numbers and symbols is essential computer security best practice.

The risk is that should one database be breached and your usual login info be compromised, it doesn’t take much for the bad guys to start probing other online services, including it would seem your Apple ID, a centralised service that can control so much of your Apple-related life.

If your iPhone or iPad is locked, report it to NetSafe on the ORB website. To date we’ve taken one report from a Kiwi iPhone owner suffering this issue.

Dealing with Apple ID hacks

“Change your password for your Apple ID. You can use your Apple ID to recover your device(s) if it has been locked by the hacker”

We’ve published links below to the current best practice when it comes to securing your Apple ID and recommend you review the security of your Apple login ASAP:

    1. Change your Apple ID password now!
      - Manage your Apple ID online at appleid.apple.com
      - Set up 2 factor authentication for your Apple ID and check recovery phone numbers and email addresses associated with your account
    2. Back-up your Apple devices should you need to wipe them and restore later
      - If your device has been disabled read Apple’s guide to using iTunes, Find my iPhone or recovery mode to wipe the device and install your data and settings from a recent backup.
    3. Be alert to Apple ID phishing emails that target your login details
      - Apple will not email you to request you restore access to your account. Always login at the apple.com website.

Graham Cluley at Intego Security has written an FAQ for iPhone and iPad users and we will update NetSafe advice as we learn more about the situation.

Watch our video from Cyber Security Awareness Week 2013 to learn more about strong passwords:

If “antivirus is dead” what next for computer security?

Symantec, the pioneers behind Norton anti-virus software, have made a bold statement this week in the Wall Street Journal declaring the scanning software to be “doomed to failure”, only successfully catching around 45% of cyberattacks.

Despite internet security software suites now adding password managers, heuristic algorithms to detect new viruses and tools to identify spam and phishing emails, the company is to now sell intelligence briefings to larger customers on specific threats to help them take preventative action to protect hardware and networks based on other breaches.

What can home internet and small business owners do?

If anti-virus security software is not the magic ‘forcefield’ previously thought to protect you against all digital challenges, what can the average internet user do then to stay safe and secure online?

Intelligence gathering is something NetSafe has increasingly utilised to provide timely actionable advice to Kiwis – reports to our ORB cybercrime reporting website are analysed monthly with summary reports produced for partners to identify patterns of offending.

The top 5 issues reported each month – based on incident volumes and dollar losses – are sent to subscribers of our computer security email newsletter on a regular basis.

The report -> analyse -> educate cycle is NetSafe’s key to producing relevant information and guidance to New Zealanders so they can take steps to protect themselves online against newly emerging challenges.

You can sign up for free alerts and advice online now and stay tuned for the May issue which will look at the results of our 2014 Smartphone Security Survey.

AV is still relevant but so is knowing about the threats

Our Tight 5 cyber security guides produced last year focused on five key issues for computer security:

  1. Think before you click
  2. Update everything
  3. Backup your files
  4. Secure your wireless network
  5. Use strong passwords

Whilst we skipped explicitly advising users to install, activate and pay for AV subscriptions – and despite the recent Symantec statement – we still believe a working and up to date anti-virus package is one worthwhile line in your cyber defences, and that includes on mobile devices.

If 45% of threats can be detected and blocked that gives you a good step up before considering other issues like software and operating system patches, using unique passwords to avoid ‘daisy chaining’ exploits against all your online accounts and social engineering threats via email and popular websites.

All internet users need to take preventative steps to secure their devices before they face a digital disaster. ‘Be Prepared’ (the Boy Scout motto) remains just as relevant today as it did a century ago, long before we spent so long staring into screens.

Upcoming events we’re attending

The Easter bunny has been and gone, the long nights are drawing in and the weather’s getting colder. But fear not, event season is kicking off and there are some startlingly good reasons to fill your social/work calendar with some upcoming sessions on issues connected to the Digital Challenges.

Here is a selection of events over the next few months that NetSafe staff will be attending, presenting at, taking part in or supporting with a variety of stakeholder or partner organisations. We’d love to see you there.

2014 Event Calendar

APRIL

Youth, Technology and Virtual Communities Conference (YTVC) 2014
Bond University, Gold Coast, Australia – 28-30th April

Aimed at practitioners in the fields of law enforcement, prosecution, education, child protective services, social work, children’s advocacy and therapy who work directly with child victims of crime.

Web Rangers NZ
Wellington – Tuesday 29th April / Christchurch – Wednesday, 30th April / Auckland – Thursday, 1st May

Google and NetSafe workshops for Kiwi teenagers between 14 and 17 years old to learn about online safety and get practical tips on creating campaigns to spread the word about safer Internet use.

MAY

2014 Gibbons Lecture 1: What does Privacy Mean to New Zealanders in the Internet Age?
Auckland – 6pm, Thursday 1st May

We highly recommend the full range of 2014 Gibbons Lectures taking place over May.

Privacy Week 4 – 10 May 2014:

Information security: what does ‘reasonable’ look like?
Auckland – 1pm, Tuesday 6th May

David Shaw of Symantec speaks as part of Privacy Week’s T&P forums.

Privacy Forum 2014
Wellington – 9am, Wednesday 7th May

A range of speakers including NetSafe’s Martin Cocker will discuss information sharing and data privacy, social networking and online behaviour, and managing information security and privacy.

IITP Event: iBeacon and the Internet of Things
Auckland – 6pm, Wednesday 21st May

3Months Director Mark Pascall will explain how the new Bluetooth technology works and explore some of the ways it is being used around the world.

INTERFACExpo
Wellington – Thursday 22 May / Taupo – Monday 26th May / Auckland – Wednesday 28 May

NetSafe will be attending the 2014 Xpo where visitors can explore teaching trends in ICT through presentations, workshops, an exhibition, and networking opportunities.

JUNE

Fraud Awareness Week 2 – 6 June:

Details TBC

Connect Smart Week 16 – 22 June:

Details TBC
