Securing the human: iWatches and online porn

My morning commute was made particularly exciting today by something I hate – a texting driver. As I negotiated Auckland’s ferocious rush hour traffic, it became increasingly obvious that the driver in front of me - bumbling along at 30km/h in a car with a prominent yellow P plate – was typing a lengthy reply to a friend or family member as they continually glanced up and down between the road ahead and the contents of their smartphone.

Texting whilst driving is without doubt one of the few things I can’t stand in our continuously connected world.

Ten years of motorbiking around London taught me that texting drivers are a road safety nightmare as they fail to observe fellow road users whilst updating their social status. The law, both here in New Zealand and in other countries around the world, has thankfully been updated to reflect this menace and has been matched by a range of road safety campaigns targeting texters. Even the mobile operators have tried to offer services that divert calls to voicemail to block the temptation to take a call whilst at the wheel.

It’s this combination of Engineering (voicemail services), Enforcement (fines and policing) and Education (shocking video campaigns) – the three E’s – that has shaped modern awareness programmes. When the three are combined, some good can often be seen to result.

How do you change behaviour?

Dick Tracy multi-tasks using his antique smart watch (Wikipedia)

This morning I read an interesting story in the UK media suggesting that iWatches and smartwatches may be the next range of devices to tempt us mere mortals into bad behaviour behind the wheel.

“An iWatch has the potential to be just as distracting as any other smartphone device – indeed more so if you have to take your hand off the wheel and your eyes off the road to interact with it.”

You can already hear car horns blaring when the motorist waiting for a green light at the front of a queue of traffic is too engaged with their mobile, reading the contents of their email before pulling into the work car park.

Just imagine what it will be like when we’re all wearing Dick Tracy style smart watches that are coupled to in-car entertainment set-ups rivalling the cockpit of a 747?

Stephen Turvil from motoring.co.uk makes an important point though when discussing this ‘threat’:

despite the wealth of technology at their fingertips the majority of motorists recognise it is their primary responsibility to look through the windscreen. Pressing buttons and staring at screens is secondary. To these people, smart watches and smartphones pose no threat. Okay so a device beeps and flashes. So what? Ignore it. Simply concentrate on staying safe. If a motorist lacks self control a device can be switched-off or locked in the boot. Drivers – once we exclude the actions of others and/or rotten luck – are as safe as they want to be.

Responsibility thus lies with the individual to take adequate steps to ensure their own safety and the safety of others sharing the road.

The same could be said of online safety and security – an individual’s response to digital challenge which eventually becomes the social norm could see many of the current issues affecting Kiwis resolved.

Returning to the motoring analogy, remember back to the days when nobody wore seat belts? A generation later and the three E’s have played their part in driving society’s adoption of the seat belt as a compulsory preventative measure to increase safety. Imagine then if internet users (and network owners and device manufacturers) were equally compelled to adopt similar simple and easy steps to protect computers against malware?

The Most Popular Time for Online Porn?

Mondays at NetSafe are always busy. Being a non-profit we don’t offer a 24/7 service and calls to our free helpline are diverted to voicemail over the weekend, usually resulting a large backlog by the time 8am Monday comes.

Over the last year, ransomware has always reared its ugly head on a Monday morning as many ‘recreational surfers’ browsing adult content sites find their unpatched computer is infected, locked up and/or the data encrypted after a quick visit to a decidedly dodgy website. That’s not to say, of course, that ransomware is delivered only by adult websites and putting in place security controls is key.

Downloading that video codec or browser plugin to watch the clip of your choice is always a bad idea and some adult websites can harbour nasty ‘droppers and downloaders’ (malware attack kits) just waiting to infect your computer using one of many potential security vulnerabilities.

Porn it would seem, according to statistics just released from one of America’s most popular adult video websites, is popular all year round, whatever the season.

Before giving in to that desire for 9 minutes and 53 seconds of carnal pleasure, checking your computer is secure and upgrading your browser to the latest version (never mind switching to private mode) could well pay dividends. And potentially cut the number of calls to NetSafe on a Monday too.

Using the past to predict the future: identifying vulnerable websites

If you’ve been following New Zealand media over the last week or so, you’d be forgiven for thinking that anyone and everyone was ‘hacking’ systems looking for information that could give them an advantage over their competitors.

The media spotlight on leaked emails and wide open websites has certainly brought a rise in enquiries to NetSafe about data privacy, hacking and security vulnerabilities.

Raising awareness of computer security

NetSafe has worked with the North Harbour Business Association over the last month to deliver a programme of cyber security education based on the Connect Smart Guide for SMEs, a 4 step process that looks at raising awareness of computer security issues amongst small businesses.

It’s always hard to steer clear of technical jargon and acronyms when discussing cyber security but NetSafe does have the advantage of using real life case studies to illustrate ‘bad stuff’ that happens to real New Zealanders and small Kiwi businesses.

Over the last 4 years our ORB website has taken more than 11,000 cyber incident reports  from people and businesses across New Zealand with more than $10m in losses recorded from a range of digital challenges.

Common incidents affecting SMEs:

  • Ransomware
  • Intercepted emails
  • Hacked websites
  • Employment scams
  • Spear phishing
  • Insider threats

When it comes to hacked websites, there are plenty of ways to identify threats and vulnerabilities your site may be at risk from. These range from professional security companies offering penetration testing services to reading up on industry standards and guidelines like the OWASP Top 10.

Recent academic research has highlighted the fact if you use a popular Content Management System or CMS to power your website, you’re more likely to encounter issues:

CMSes simplify configuration by reducing technical barriers, which means that they are often administered by non-experts. This could lead to a greater chance for server misconfiguration.

Second, CMS platforms are a form of software monoculture, exhibiting common vulnerabilities in both the underlying code and the default configurations.

Furthermore, we suspect that a key driving force behind the variation in compromise rates across software types is the software’s market share. When more webservers run a particular type of software, they collectively become a more attractive target for miscreants.

In short, if you’re using a popular system such as WordPress or Joomla to build the bones of your website it pays to keep the CMS patched and protected.

A tool like the Wordfence security plugin can highlight just how many automated attacks your site may face from attackers spread across the net:

Wordfence detects attackers attempting to gain access to your WordPress installation
Wordfence detects attackers attempting to gain access to your WordPress installation

Using the past to predict the future

Whilst pen testing and incident management plans can be considered reactive tools to improve security, imagine a world where data mining and software algorithms could identify threats in advance – highlighting the fact that the popularity of your website, the number of back links you have earned and the kind of content you publish and the systems you use can highlight risks before a hack takes place.

Automatically Detecting Vulnerable Websites Before They Turn Malicious, a paper by Kyle Soska and Nicolas Christin from Carnegie Mellon University, makes interesting reading when it comes to thinking about software or automated systems that could predict with some accuracy websites at risk from future attack and potentially assist web search engine companies with filtering poisoned search results before end users visit them and run the risk of a drive by download.

Some may say the criteria identified are common sense things that webmasters and IT teams can look for and protect against in advance. For smaller companies though, any assistance with protecting their websites from defacement or data breaches are well worth exploring.

Connect Smart: Don’t wait until it’s too late!

A phone call to NetSafe this morning from a PC user facing the loss of a year’s worth of data serves as a timely reminder that taking a proactive approach to computer security is essential when ransomware gangs and other cybercrimials are actively targeted out of date software or unpatched computers.

The computer owner had actually taken the time to back up important business files, but sadly found the USB backup had also been encrypted with CryptoWall ransomware as it was still attached to the infected machine.

With complex malware being able to ‘jump across’ to back up locations – including cloud based services like Dropbox – the onus is on every computer user to protect themselves online and store several copies of essential data, ideally in separate locations.

Last week, international law enforcement agencies took down the network behind CryptoLocker ransomware but it would appear other malware writers are moving in to grab a share of the market.

Connect Smart Week is coming

Next week marks the start of the new government initiative, Connect Smart. This rebranded Cyber Security Awareness Week for 2014 will highlight ways home internet users and SMEs can protect themselves from phishing attacks and malware infections and will be launched in Wellington.

TechSecurity-2NetSafe will be promoting the week and my colleague Lee will be speaking at a free to attend cybercrime event in Wellington on 18 June along with other computer security experts.

The Institution of Professional Engineers New Zealand (IPENZ) is hosting the event which starts at 6pm at Queen Margaret College, 53 Hobson Street, Thorndon, Wellington. More information can be found on the IPENZ website.

Protect yourself online: secure all devices

The recent high profile ‘hack’ of some iPhone owners’ iCloud accounts by ‘Oleg Pliss’ is another reminder of how essential it is to apply good computers security practices to all your connected devices.

NetSafe recently published guidance on smartphone security with 12 Tips for Protecting Your Digital Device as evidence is emerging of new variants of ransom malware now being developed for Android smartphones and tablets.

Whilst news media reported yesterday that Russian authorities may have caught the ransom gang behind the Apple ID hack, it’s essential that New Zealanders use Connect Smart Week as an opportunity to review their online safety and security.

Teach a man to phish and…

Tax Refund Ray
Tax-refund Ray – watch out for unexpected phishing emails around tax time suggesting a large cheque can be claimed from IRD or other companies.
Click on the links and you may suffer a nasty sting. Grant payments and bank fee refunds are increasingly being offered by telephone cold callers too.

Phishing has been in the news again this week with the high profile attacks on Apple IDs as one plucky cybercriminal named Oleg Pliss developed a new way to hold iDevices to ransom.

The continuing success of phishing attacks remains a concern that individuals and small businesses need to address:

  • training staff to recognise strange looking emails and not opening attachments trying to masquerade as invoices, delivery notes and tax refund alerts
  • and putting in place email filtering and spam detection that can lessen the impact of unwanted messages.

A report out today suggest phishing attacks on PayPal users is on the rise in 2014, with researchers observing a 73 percent increase in the number of phishing websites targeting PayPal login information.

The report even suggests a growing army of phishermen are taking the time to hone their skills, downloading code to build fake login pages and tweaking the look and feel to improve their ‘conversion metrics’ – an online marketing standard normally associated with more legitimate commerce operators.

PayPal is owned by eBay, the US auction giant which has suffered its own mega breach recently and was subsequently criticised by security professionals for taking a long time to warn customers that account data was at risk.

Identifying genuine threats

Yesterday I spent some time trying to work out if an email supposedly sent from eBay post-breach was a genuine request for users to reset their passwords.

Interestingly, the message spoke of the attack and suggested securing accounts was essential but provided no link in the body of the text to visit a webpage, no doubt an intentional step to reassure those receiving it this really was from the company and not cybercriminals trying to exploit the well publicised event.

Check out the screenshot below – would you have been able to decide if the email was real?

eBay-Password-Reset-Email
Click on the picture to view the email full-size

Both eBay and PayPal have comparatively low user numbers in New Zealand – the auction company was seen off by local operator Trade Me some time back. But both companies are more widely known across the Tasman in Australia where Kiwis are likely to have been buying goods on the .com.au site.

As we approach tax time, phishing gangs will no doubt step up their efforts against our own IRD. Take the time to read guidance on the organisation’s own website and report phishing emails to them so they can be taken down before personal information is passed over or logins compromised.

More resources:

Don’t want your iPhone or iPad ‘hacked’? Why unique passwords are so important for online security

Screenshot of affected Apple device
This screenshot was being used by many online media outlets yesterday showing a Find my iPhone style alert suggesting a ransom needed to be paid.

I was sitting down last night for a little light TV watching when I first read the story about ‘iPhones being hacked’ by a mysterious “Oleg Pliss”.

Hacked is a generic term often misused when it comes to device and online security and to date the evidence on web forums and in the security press seems to suggest that Apple’s consumer device has not been affected by ransomware – malicious software demanding a payment for a unique unlock key.

So far (on Wednesday morning, NZ time) it would appear that Apple ID owners have found their devices locked remotely after their login details have been used to block their devices using Apple’s own Find My iPhone service.

The current theory is a wave of phishing emails targeting Apple IDs or recent high profile data breaches at eBay and elsewhere have let cyber criminals amass a huge pile of email addresses matched with working passwords.

Use a different password for every online service

Do you daisy chain your passwords and online life?
Using the same password everywhere online lets bad guys ‘daisy chain’ your online accounts and services, hopping from system to the next hoping the same login details will give access to other systems and even let them hold your iPhone or iPad to ransom. (Daisy chain image used under CC by Flickr’s ‘benbawden’).

UK media regulator Ofcom recently published a report on attitudes to online life and buried in the depths of this statistical mass is the startling figure that 57% of Brits “use the same passwords for most if not all websites”.

I can’t help but wonder what the equivalent NZ figure would be? We know many folk find it hard to remember multiple logins and thus ease of use trumps a sense of security when it comes to passwords.

This latest Apple ‘hack’ would seem to confirm NetSafe’s belief that using strong passwords, changed regularly and with at least your most ‘valuable’ services protected by a unique string of letters, numbers and symbols is essential computer security best practice.

The risk is that should one database be breached and your usual login info be compromised, it doesn’t take much for the bad guys to start probing other online services, including it would seem your Apple ID, a centralised service that can control so much of your Apple-related life.

If your iPhone or iPad is locked report it to NetSafe on the ORB website. To date we’ve taken one report from a Kiwi iPhone owner suffering this issue.

Dealing with Apple ID hacks

“Change your password for your Apple ID. You can use your Apple ID to recover your device(s) if it has been locked by the hacker”

We’ve published links below to the current best practice when it comes to securing your Apple ID and recommend you review the security of your Apple login ASAP:

    1. Change your Apple ID password now!
      - Manage your Apple ID online at appleid.apple.com
      - Set up 2 factor authentication for your Apple ID and check recovery phone numbers and email addresses associated with your account
    2. Back-up your Apple devices should you need to wipe them and restore later
      - If your device has been disabled read Apple’s guide to using iTunes, Find my iPhone or recovery mode to wipe the device and install your data and settings from a recent backup.
    3. Be alert to Apple ID phishing emails that target your login details
      - Apple will not email you to request you restore access to your account. Always login at the apple.com website.

Graham Cluley at Intego Security has written an FAQ for iPhone and iPad users and we will update NetSafe advice as we learn more about the situation.

Watch our video from Cyber Security Awareness Week 2013 to learn more about strong passwords:

Advice and guidance for dealing with digital challenges