Safer Internet Day partners work to combat rising internet harms in New Zealand

New Zealand kicks off Safer Internet Day 2015 – 10th February

19 organisations are joining forces to mark 2015’s Safer Internet Day (10th February 2015) in New Zealand as Kiwis report an increasing array of internet harms.

Safer Internet Day is celebrated worldwide to encourage the safe and positive use of the internet and digital technologies, especially among families and young people. New Zealand’s Safer Internet Day is being coordinated by NetSafe, the online safety and security organisation.

In 2015, 19 organisations that work with Kiwi internet users across the country are coming together to celebrate the day, promoting digital safety and security messages to customers, staff and stakeholders. The full list of supporting organisations can be viewed online and is included below.

“Safer Internet Day is about pausing to celebrate the positive work that is going on every day all around New Zealand. This global initiative highlights how creating a safer internet is a shared responsibility and we’re pleased to have so many organisations supporting the event in New Zealand,” said Martin Cocker, NetSafe’s Executive Director.

Digital Challenges Report

To mark Safer Internet Day, NetSafe has published a report on the full range of online challenges that New Zealanders faced in 2014 (PDF). The report can be downloaded from http://www.netsafe.org.nz/safer-internet-day/.

The Auckland-based non-profit handled over 8000 incidents in 2014 and recorded almost $8m lost to a wide variety of online scams and computer security issues. The report also looks at other harms that Kiwi internet users can suffer including the emotional impact of online harassment and bullying and privacy concerns around the loss of data and identity information.

Highlights from the report include:

  • More than one in ten of the incidents that NetSafe handled in 2014 involved bullying or online harassment and reports were received from young people and adults alike;
  • NetSafe recorded over 1000 privacy related reports during the year;
  • The average financial loss reached $9300 and more than 30 losses greater than $50,000 were recorded.

NZ Partners working towards a safer internet

Examples of activities that participants have planned for Safer Internet Day 2015 include:

Education sector:

Ministry of Education
The Ministry of Education is promoting Safer Internet Day on its websites.

The Online Safety Advisory Group
This cross-sector group is releasing guidance for schools on how to prevent and respond to incidents involving digital technology including mobile phones. This will be published on NetSafe and Ministry of Education websites.

CORE Education
CORE Education has developed a resource that will help teachers focus their professional conversations about internet safety. CORE is also planning to use their web channels to promote this and other resources across their educator networks.

Post Primary Teachers’ Association
The PPTA has developed resources designed to support teachers in modelling positive online behaviours and teaching digital citizenship concepts. These will be made available to its 17,000 members.

Enabling e-Learning
The Enabling e-Learning website is an information hub for teachers developing the use of digital technology in the classroom. The Enabling e-Learning team are delivering a range of different professional development activities for teachers to mark SID 2015. Enabling e-Learning is managed by CORE Education on behalf of the Ministry of Education.

New Zealand Catholic Education Office
The NZCEO is marking the day by writing to all 244 of New Zealand’s Catholic schools to highlight key messages about online safety.

Network for Learning
N4L are writing a themed blog post which will look at issues related to content filtering.

Te Toi Tupu
Te Toi Tupu provides professional development to schools across New Zealand about using digital technology for learning. For SID 2015 they have planned a special focus on internet safety issues for schools including online professional discussions about issues schools are managing. Te Toi Tupu will be promoting SID 2015 via its website and social media.

Industry:

Google
Google NZ is launching a phishing awareness initiative asking users if they can spot the tell-tale signs of an online scam.

Trade Me
Trade Me will be using a special SID 2015 Kevin the Kiwi logo for the day that connects members back to the Safer Internet Day website.

Vodafone
Vodafone is bringing The Parenting Place in to their offices to provide training for staff.

Facebook
Facebook is promoting the day through its New Zealand pages.

Twitter
Twitter will be promoting the day by amplifying tweets related to Safer Internet Day (@netsafeNZ #SID2015).

Co-operative Bank
Co-operative Bank will be encouraging customers and staff to do a ‘sense check’ on how they use digital banking technology to keep their money and their personal information safe.

Other government agencies:

Department of Internal Affairs
The RealMe programme will be promoting the day on their website, via social media and to all DIA staff.

Department of Prime Minister and Cabinet – Connect Smart
The Connect Smart programme will be promoting the day to its partners and on its website.

NZ Police
Police are developing a sample cybersafety intervention plan that schools can use to support their work.

Office of the Children’s Commissioner
The Children’s Commissioner is promoting discussion about SID 2015 and internet safety issues throughout the day.

2015 Safer Internet Day Supporters:

  • Co-operative Bank
  • CORE Education
  • Department of Internal Affairs – RealMe programme
  • Department of Prime Minister and Cabinet – Connect Smart programme
  • Enabling e-Learning programme
  • Facebook
  • Google
  • Ministry of Education
  • NetSafe
  • Network for Learning (N4L)
  • NZ Police
  • NZ Catholic Education Office
  • NZ Principals’ Federation
  • Office of the Children’s Commissioner
  • Post Primary Teachers’ Association
  • Te Toi Tupu
  • Trade Me
  • Twitter
  • Vodafone

NetSafe warns New Zealand charity websites are being targeted by credit card fraudsters

NetSafe is warning New Zealand charities taking online donations to be on the alert after receiving two reports this week of cyber criminals launching automated attacks that attempt to validate large numbers of stolen credit cards.

In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form with the aim being to test which credit cards could be used for subsequent online fraud or sold on to other internet scammers.

More than 2000 successful donations were made resulting in the charity having to enlist the help of their bank and merchant account provider to refund the fraudulent payments. They also spent time dealing with enquiries from cardholders around the world questioning the transactions.

A second incident yesterday saw another charity website hit with 11,000 payment requests resulting in more than 250 donations to their bank account.

In both cases, the automated attacks had been launched from a Brazilian IP address and NetSafe is encouraging charities and other small businesses that take payments online to take steps to secure their websites and contact their bank or payment provider about ways to prevent online fraud.

Online fraud a global problem

“Credit card fraud is an ongoing issue for any organisation that takes payments over the internet,” said NetSafe’s Digital Project Manager Chris Hails.

“The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year[1] and they believe that these smaller organisations have fewer internet defenses in place than larger retailers and are thus an easy target.”

“Being the target of such an attack can mean hours of staff time cleaning up afterwards and could potentially cost your organisation money or find you blocked from taking future donations online,” said Hails.

The warning comes just a week after New Zealand’s Banking Ombudsman predicted that complaints to her office about scams would increase in 2015[2]. Auckland-based NetSafe recorded more than 8000 incidents in 2014 including a wide range of cyber security issues ranging from phishing attempts to ransomware.

Protect your business online

NetSafe offers the following advice for charities and website owners:

  • Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud
    Enquire about options for monitoring payments and blocking such large scale automated attacks. If you can, consider using third party card verification services from Visa and MasterCard to add a second layer of protection.
  • Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host
    Using SSL to encrypt information submitted is essential so that forms operate at an https:// address. Discuss testing your systems for signs of common vulnerabilities and your options for fixing them.
  • Use a CAPTCHA on your web form or require an account be created
    Technical solutions like these can potentially slow down automated software ‘bots’ that are designed to validate card numbers in quick succession.
  • Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate
    Many New Zealand charities may only wish to accept donations from Kiwis using credit cards issued by NZ banks. Ask if you can filter payments by Bank Identification Number (BIN) to prevent overseas cards being accepted.
  • Consider monitoring traffic volumes to your website
    Talk with your website host about establishing an alerts service so that you’re aware if you receive a sudden unexpected spike in visitors.
  • Investigate using a specialist online fraud management service
    Sift Science offer an online service to assess transactions before handing them on to your merchant provider and may be an additional way to reduce fake donations.
  • Weigh up the benefits of outsourcing your online donation process
    Explore options from third parties with secure systems and dedicated resources to manage fraud such as PayPal or Givealittle. Givealittle.co.nz allows NZ charities and schools to register for a free fundraising page.

“Monitoring any payments received is an important way to detect fraud on your website. Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars – $20 rather than $4.73,” said Hails.
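The following is an added example, not NetSafe's or any payment provider's code, of two measures from the advice above: capping donation attempts per IP address, and reviewing payments for the pattern of many declined, odd-value donations from one source. The thresholds, field names and sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal

# All thresholds are assumptions for illustration; tune them to real traffic.
WINDOW_SECONDS = 600          # sliding window for the per-IP cap
MAX_ATTEMPTS_PER_WINDOW = 5   # donation attempts allowed per IP per window
MIN_ATTEMPTS_FOR_REVIEW = 10  # ignore sources with too few attempts to judge
ODD_VALUE_RATIO = 0.5         # share of non-whole-dollar amounts that is suspicious
DECLINE_RATIO = 0.8           # share of declined payments that is suspicious


@dataclass(frozen=True)
class Attempt:
    ts: float        # seconds since the start of the log
    ip: str
    amount: Decimal  # donation amount in dollars
    approved: bool   # True if the payment gateway accepted the card


class IpVelocityLimiter:
    """Sliding-window cap on donation attempts per IP address."""

    def __init__(self, limit=MAX_ATTEMPTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._seen = defaultdict(deque)

    def allow(self, ip, ts):
        recent = self._seen[ip]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()          # forget attempts older than the window
        if len(recent) >= self.limit:
            return False              # over the cap: reject before charging the card
        recent.append(ts)
        return True


def blocked_by_ip(attempts, limiter):
    """Replay attempts in time order; count how many the limiter would reject."""
    blocked = defaultdict(int)
    for a in sorted(attempts, key=lambda a: a.ts):
        if not limiter.allow(a.ip, a.ts):
            blocked[a.ip] += 1
    return dict(blocked)


def is_odd_value(amount):
    """True for amounts such as $4.73; False for whole dollars such as $20."""
    return amount != amount.to_integral_value()


def review_sources(attempts):
    """Return {ip: [reasons]} for sources whose donations look like card testing."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, items in by_ip.items():
        if len(items) < MIN_ATTEMPTS_FOR_REVIEW:
            continue
        reasons = []
        if sum(is_odd_value(a.amount) for a in items) / len(items) >= ODD_VALUE_RATIO:
            reasons.append("odd-value amounts")
        if sum(not a.approved for a in items) / len(items) >= DECLINE_RATIO:
            reasons.append("mostly declined")
        if reasons:
            flagged[ip] = reasons
    return flagged


def build_sample():
    """Constructed log: one automated source plus three ordinary donors."""
    attempts = [
        Attempt(ts=2.0 * i, ip="203.0.113.7",
                amount=Decimal("1.00") + Decimal(i * 37 % 400) / 100,
                approved=(i % 20 == 0))
        for i in range(40)
    ]
    attempts += [
        Attempt(5.0, "198.51.100.10", Decimal("20"), True),
        Attempt(30.0, "198.51.100.11", Decimal("50"), True),
        Attempt(61.0, "198.51.100.12", Decimal("100"), True),
    ]
    return attempts


if __name__ == "__main__":
    sample = build_sample()
    print("flagged:", review_sources(sample))
    print("blocked:", blocked_by_ip(sample, IpVelocityLimiter()))
```

The limiter belongs in front of the payment call so rejected attempts never reach the merchant account; the review function is meant for after-the-fact monitoring of the payment log.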

If your website has been targeted by credit card fraudsters, speak with your bank or merchant provider. You can also contact NetSafe via their freephone telephone number 0508 NETSAFE or report an incident online at www.theorb.org.nz.

Notes:

[1] Cybercriminals abuse charities to verify stolen credit card data

[2] Scam-related bank complaints on the up, Banking Ombudsman

2014: An online year reviewed at NetSafe HQ

Christmas 2014 is rapidly approaching and that means it’s time for us to review the year almost gone and identify the (anonymous) visitor trends and traffic patterns to our three most popular websites again.

Unsurprisingly – and perhaps somewhat depressingly – many of the common concerns from 2012 and 2013 are still making the top ten charts at NetSafe this year: ransomware, phishing attacks and compromised email and social networking accounts still make it to the top of the most visited pages on NetSafe.org.nz, Security Central and our blog.

2014 in numbers

We’ll publish a more in-depth, full year review in early 2015 but looking at data for the year to date, more than 230,000 people have visited these three websites so far this year.

We’ve also logged almost 8000 incidents via all our communication channels and recorded close to $7.5m lost by Kiwis to a wide range of digital challenges across the realms of cyber safety, cyber security and cyber crime.

Read on for an insight into NetSafe visitor trends for 2014:

NetSafe.org.nz

Just over 200,000 people visited the main NetSafe website during 2014 from an amazing 215 countries, states and territories. As the mobile internet revolution roars on, 1 in 3 visitors were using a mobile or tablet device to access our online content. We plan to release a new NetSafe site on Safer Internet Day 2015 (10 February) to make the mobile experience more fulfilling and hope to source funding to revisit some of our older resources next year too.

Talking of mobiles, interest in parental controls for phones being used by young people remains strong. Concerns about fake profiles on Facebook moved up 4 spots suggesting use of the social network remains strong (despite new challengers) and as a result, the bad guys continue to develop ways to exploit trusted network connections.

The most obvious new entry to the NetSafe top ten is interest in securing Mac and iOS devices – the Californian company has seen some major media stories this year around iCloud hacks and other security concerns and with the company’s products selling well this makes these operating systems a more high profile target.

NetSafe’s Top Ten Website Pages for 2014:

  1. How can I put parental controls on my child’s mobile phone?
  2. Can I download music and videos from YouTube? Am I breaking copyright law?
  3. Facebook: reporting fake and imposter profiles
  4. Cyberbullying: advice for young people, parents and teachers
  5. How can I complain about ask.fm?
  6. The Copyright (Infringing File Sharing) Amendment Act: What schools should know
  7. How do I protect my Apple Mac or iOS devices?
  8. How can I security check my computer?
  9. What does anti-virus and anti-spyware software do?
  10. Help! My email account has been hacked

Visitor technology explored

Our anonymous statistics service helps identify what browsers and operating systems visitors are using offering us an important insight into current tech being used by consumers.

Overall, Windows powered PCs remain the computer of choice for NetSafe visitors. But challengers including iOS, Android, Macintosh and even Linux are now making up 42% of market share.

What computer operating system do NetSafe visitors use?

  1. Windows – 55%
  2. iOS – 16%
  3. Android – 13%
  4. Macintosh – 10%
  5. Linux – 3%

It was reassuring to see that 87% of Windows users were running a supported version of Microsoft’s operating system. Encouraging the remaining one in ten to make the jump to a newer OS will be a challenge for 2015.

  1. Windows 7 – 68%
  2. Windows 8.1 – 12%
  3. Windows XP – 10%
  4. Windows 8 – 7%
  5. Windows Vista – 3%

Drilling down into the data shows some different numbers for New Zealanders when it comes to their operating system of choice.

What computer operating system do Kiwi NetSafe visitors use?

  1. Windows – 63% (55% globally)
  2. iOS – 12% (16% globally)
  3. Macintosh – 12% (10% globally)
  4. Android – 7% (13% globally)
  5. Linux – 5% (3% globally)

Interestingly, Chrome OS is the system of choice for 1% of Kiwis, perhaps reflecting the use of Chromebooks in NZ schools.

When it comes to web browser use, the duopoly days of the 90s browser wars are long gone and Google’s Chrome takes a large chunk of the pie:

  1. Chrome – 40%
  2. Safari – 20%
  3. Internet Explorer – 18%
  4. Firefox – 12%
  5. Android Browser – 6%

Internet Explorer use has declined over the years but we still counted 100+ stalwarts using the ancient IE6 browser. Support for IE8 will continue until early 2016 but we’d still encourage all web users to improve their computer security by upgrading to a modern browser in this age of drive by downloads and malicious malvertising.

Security Central Top Ten

Visits to our computer security site continued to focus on the ongoing threats around ransomware, and Adobe Flash and Reader vulnerabilities. Our cyber security advice will be migrating to the main NetSafe site in 2015.

  1. Dealing with CryptoLocker ransomware
  2. How to check and update Adobe Flash
  3. Dealing with ransomware
  4. Dealing with ransomware and remote access hacking
  5. How to check and update Adobe Reader
  6. An Introduction to Cybersecurity
  7. Phishing, social engineering and online scams
  8. NetSafe Computer Security Checklist
  9. Reporting cybercrime in New Zealand
  10. Phishing and social engineering

The NetSafe Blog Top Ten

.nz websites continue to be cloned and 2014 saw some nasty employment scams enacted against both job seekers and Kiwi businesses. And again, advice for securing Mac devices made it into the charts:

  1. Help my website has been cloned – Bad robot! Defeating website scrapers
  2. Is Jenny Wilson from Reclaim Expert calling you?
  3. How to spot a suspicious email attachment
  4. I’m the king of the castle, get down you dirty rascal – Defence in Depth explained
  5. Anti-Child Porn Ransomware hits New Zealand businesses
  6. Don’t want your iPhone or iPad ‘hacked’? Why unique passwords are so important for online security
  7. Scamwatch reports bring total losses reported to NetSafe’s Orb website to $4.4m in third year of operation
  8. Phishing, smishing and how a casual click can deliver a nasty surprise
  9. Smartphones and public wi-fi ‘Evil Twin’ attacks
  10. Going Phishing: how to spot a fake banking website

The NetSafe office and telephone helpline will be closed between 24 December and 12 January but we will continue to triage reports made to our cyber incident site over this period. Stay safe and secure in 2015 and enjoy the Christmas break.

Kiwis, what floats your digital boat?

I was lucky enough to spend some time in Sydney this week attending a Google for Non Profits training day and catching up with a range of cyber safety organisations in Australia who are looking to take advantage of a whole host of Google tools to help their organisations tackle digital challenges affecting a wide range of audiences.

In between coping with the muggy Australian weather (an impressive lightning storm shut Sydney airport briefly last night) and taking in the beautiful surroundings of Darling Harbour, I couldn’t help but be amazed by the resources the Californian company is making available for non-profits.

NetSafe has been lucky enough to receive a Google AdWords grant that will seriously improve the way we market our educational services to New Zealanders in 2015. We already have pretty good organic search engine optimisation and some highly ranked pages on popular online issues, but a monthly grant of $10,000 to spend on Pay Per Click advertising couldn’t have come at a more exciting time as we refine our content marketing strategy for the next twelve months.

I’ve used the PPC AdWords system for several years and am qualified to boot. Revising our website and the content within to cover new and evolving cyber safety, cyber security and cyber crime topics to assist New Zealanders is going to be a priority for 2015.

NetSafe’s Communications Survey

Over the last few weeks we’ve been asking Kiwis to review how NetSafe communicates and the responses to date have been interesting. If you want to take the brief survey, it’s not too late to respond.

Although the total number of responses to date has been small when compared with the volume of people we speak with each year, the results have been positive – more than 4 out of 5 of those taking the survey have taken action to improve their online safety and security based on NetSafe email newsletters, Facebook posts and tweets.

When we asked what issues Kiwis are interested in keeping up to date with, the graph below shows the response to the limited range of choices we originally suggested. We didn’t even touch on emerging threats such as the spying dangers of wearable technology:

One survey taker said: “IT is such an integral part of our lives that it benefits all of us to stay ahead of the game.”

What were the top five topics?

  1. Computer security
  2. Online scams and fraud
  3. Online safety
  4. Microsoft Windows
  5. Malware

I’d somewhat assumed that specific topics such as BYOD and Android would rise to the top, especially when so many of us are now using mobile devices to connect online. It turns out there are still plenty of NZ PC users wanting up to date advice and guidance.

What areas are you interested in when it comes to tech challenges? Take the brief NetSafe survey and give us your feedback.

Meet the NetSafe Team: Stephen Denniston

Stephen Denniston is almost at the end of a three year degree course studying cybersecurity at Unitec in Auckland and will graduate in 2015 with a qualification that will increasingly be in demand by both New Zealand and overseas employers. As part of his course he is studying operating system vulnerabilities and malicious software designed to infiltrate networks and devices.

He joined NetSafe in October on a part time basis to work in our contact centre team. NetSafe handles an average of 700 incident reports each month submitted by home internet users and small businesses alike. The non-profit records upwards of $500,000 lost each month to online scams and fraud and cyber security threats ranging from phishing emails to ransomware.

Stephen tells us about his experience to date and offers his opinions on the digital challenges that affect so many New Zealanders:

  1. Why did you want to study cybersecurity?

It is a completely, utterly, fascinating field. In effect I get to break down computer systems, the hardware, the software and the network communications into their smallest parts. Dissect each seeing how they work and fit together in the system as a whole, look for gaps where vulnerabilities may exist and speculate on ways in which they may be used.

It’s like Lego with electrons.

But that’s only part of the equation, people are the oft forgotten computer component, not to gloss over the complexity of computers. But I challenge you to find a computer that doesn’t need a human to interact with it in some way, people are an important component in the computer system’s feedback loop.

This is where social engineering comes into play, with the view to leverage people’s instincts to gain advantage counter to their beliefs or expectations. No matter how secure or how much money you spend on a system’s security, response teams, penetration testers, red-teams, if the users aren’t aware of the implications of their actions, it only takes a single USB stick, a single unfiltered link, a single attachment and it all comes crumbling down.

  2. Which areas of study are you particularly interested in?

Malware analysis for the insight it gives into the minds of the malware authors, the tactics and ideology of their pursuit. These guys are the foundation that the deep-web black-markets are built on and around.

Although malware is largely aimed and involved in financial crime, when an Advanced Persistent Threat (APT) comes along, the insights gleaned off of nation states are of the highest interest and typically yield new or unknown zero-day vulnerabilities as well as new coding and obfuscation patterns.

Although these things tend to be in an evolving pattern themselves, it piques my interest to see what or if government funding can have an impact on the nature of malware. As the turnaround from reverse engineering the APT wares to seeing them used by non-APT entities (deep-web black-market types) is shrinking at a rate something akin to Moore’s Law.

Social engineering for my interest in people and understanding what makes them tick, although we are all individuals with our own hopes and dreams. We all fall into patterns of behaviour and as with any pattern, if observed for long enough weaknesses can be exploited for malicious purposes. The taken for granted fact about all the internet enabled devices we carry with us, without thought, is the ease of which we can be observed but take minimal or non-existent measures to mitigate or prevent.

  3. Do you have a background in computing?

I’ve had a long held interest in computer security, cryptography, social engineering and malware. In one of my part time jobs I worked as a technician/diagnostician and system builder.

Having studied computers one way or another at various levels, I initially started studying with the intent of being a programmer, as I found networking too easy and less dynamic, but found my interest in operating systems a larger pull.

I ended up playing with Linux and the various distributions and flavours that it comes in. Which in turn led me into security as this is the middle ground between hardware, software and networking and human intent which allows me to push and test my knowledge. The best way of learning how something works, is to break it apart and put it back together.

  4. What previous work experience or life skills do you think add to what you study at Unitec?

I have a background in customer service from the retail sector mainly through part time jobs working while studying. I tried my hand at sales, and have limited exposure to marketing in that I ran a research project for a client into bottled water, created surveys and ran focus groups.

Which all feeds into my interest in social-engineering. But also puts me in a unique position in that I understand computers and am not afraid to communicate about them. When giving a presentation or talk with a group I’m the one who ends up doing all the talking, switching between fine technical detail and sounding like a sales pitch for the fountain of youth.

  5. Do friends and family expect you to be able to fix their printer?

I worked previously in a hardware diagnostic role so I get that lot, their Wi-Fi, the internet, the printer, you name it.

When I login to their router without looking up the password (admin:admin) to fix the Wi-Fi, instantly I’m labelled a hacker and quizzed on my hacker knowledge and if the neighbour can do the same to the house phone.

95% of the time I’m turning it off then on again. The 5% of the time that doesn’t work then I become interested. Friends and family are split into two groups, techies and non-techies. If a techie has a problem it’s either really interesting or endlessly frustrating. Else if a non-techie has a problem it’s usually down to neglect and their computer is about to (or has already) died.

  6. What kind of work would you like to do once you graduate?

Penetration tester. To me this sounds like an endlessly evolving, challenging role where you’re paid to hack, what’s not to love.

  7. What have been your first impressions of working at NetSafe?

Gob-smacked. The variety and quality of the work created by such a small team to encapsulate the breadth of the country is astounding.

But also a growing awareness of a triple disconnect:

  • a disconnect between legislation and malicious users – what can be done to punish/pursue online criminals, particularly across state lines.
  • a disconnect between the public and malicious users – a lacking of awareness of how criminals operate and how to protect the legitimate users from the malicious users (hackers/scammers), and;
  • a disconnect between legislation and the public - what protections can, should and do the public expect from their protectors.

  8. After talking with people on the phone and answering a wide variety of email queries and ORB reports what would be your ‘top tips’ for Kiwis wanting to protect themselves online?

  • Keep your anti-virus updated and scheduled to run when you’re not using the computer (i.e. when you’re asleep).
  • Keep your computer updated, allow it to download and install updates automatically, it’s not worth having an unpatched system connected to the net.
  • Get street smart, keep up to date on how hackers and scammers operate.
  • Don’t run your PC in administrator mode, create a separate user in user mode and use that day to day.
  • Change any default passwords, especially ones for administrator, such as those found on routers.
  • Macs aren’t safe anymore, treat them like a PC and install an anti-virus software.
  • Don’t click on unknown links. Especially from email. Especially when you’re not expecting them.
  • Don’t open attachments you’re not expecting (or disable JavaScript in Adobe Acrobat if you’re intent on opening them)
  • Install a browser extension that disables JavaScript on all sites except the ones you choose [NetSafe suggests NoScript for Firefox users].
  • Install a browser extension that blocks advertisements as this is a popular way of distributing malware [NetSafe suggests Adblock Plus or Disconnect].

Advice and guidance for dealing with digital challenges