Wikipedia was blacked out for a day as part of a widespread protest against the US Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA). These Acts were endorsed by the Motion Picture Association (MPA) but the technology industry was opposed to them as restricting the openness of the internet.  American politicians seemed to take notice, and these Acts were sidelined. Next, the Online Protection and Enforcement of Digital Trade (OPEN) ACT was introduced to Congress, which is supported by the tech giants but resisted by the Motion Picture Association as going to easy on piracy!

And I thought, will these two groups ever find a satisfactory comprise?

A high profile blow was struck by the anti-piracy organisations as the former Chrisco Mansion was raided, filelocker Megaupload was shut down, and Kim Dotcom and some business associates were arrested. The anti-anti-piracy groups hit back organising DDOS attacks that (at least briefly) shut down about 10 websites including the FBI, Universal Music, RIAA, and Hodopi (it’s French)

And I thought, I wonder where the Chrisco people live now.

Moving away from copyright – Research by the Ipsos Social Research Institute named Australia as having the highest levels of cyberbullying on social networking sites. New Zealand wasn’t included in the research. I suspect we’d have placed pretty well.

And I thought, we could do with some of that anti-piracy (or the anti-anti-priracy) enthusiasm in the anti-cyberbullying fight.

TVNZ CloseUp returned to air this week and its first story for 2012 was about adult men who met a 14 year old girl online (or in this case, and actor they believed to be 14) and then travelled and meet them for sex. I was surprised at the lack of caution these men showed. It never occurred to them that it might be a sting – by journalists, or the Police.

And I thought, we could really do with a few Police sting operations of this type to discourage these men.

And then I thought. It looks like 2012 will be pretty much the same as 2011.

The review has two parts. The first covers the extension of the traditional media’s legal rights and responsibilities to some new media publishers. The second part of the review looks at whether the laws which deal with crimes such as harassment, intimidation, defamation, and breach of privacy are fit for purpose in the digital age.

It is really the second half of the review that most interests NetSafe, although the first half looks at a very interesting question. At what point does a blogger or a news website  access the legal privileges and exemptions currently reserved for the traditional news media? David Farrar at Kiwiblog has more readers than many newspapers in this country and often writes about political issues – so it absolutely makes sense to consider him “news media” . But what about Mods Motors? That also has a wide “circulation”. Its mostly about cars, but it does also include “news” and opinion about car and transport regulations.  What about the NetSafe blog?  The review also recommends an independent converged regulator (like the ACMA or OFCOM) to manage regulation of this space.

The second half of the review sits squarely in NetSafe territory. Information technology has been a real enabler for harassment, intimidation, defamation, and breach of privacy. The laws that deal with these issues were written pre-technology. Mostly they tend to be applicable, but accessing the remedies is comparatively prohibitive. Basically, its really easy to offend against somebody – and hard to effectively defend yourself.

The Law Commission has made a range of recommendations starting with a review of current laws to make sure they’re applicable in the digital age. There some clarifications of existing law and a handful of new offences recommended: maliciously impersonating another person, publishing intimate photos, and incitement to suicide.

The most radical of the proposals is the establishment of a Communications Tribunal that would operate at a lower level than the courts. The idea being that the tribunal would be more accessible for people who are offended against.

The Law Commission is taking submissions on this paper until March 12, 2012. I suspect there will be a number of strong voices against the recommendations – as there are against any attempts to exert control on online activities. I would encourage organisations and individuals working in the cyber safety and law enforcement space to make a submission.

Are computer security experts just justifying high incomes by positioning computer security beyond the realms of the average home user, or are they fundamentally right? If consumer security products don’t work, should people even bother to purchase and install them?

There’s no point in sugar coating it. The computer security gurus are essentially correct. If you are specifically targeted by cyber criminals, and you are reliant on consumer security – you’re in trouble. The good news for most people reading this blog is that they are not “high value targets” and are not going to be targeted by dedicated cyber criminals. Simply put, they’re not worth the investment in hacking time.

All security is about risk management. The level of investment we make in security should be appropriate for the risk we face. For most consumers and small businesses, the main threats they face are from non targeted malware. So the real question is – how well do consumer security products protect you against these threats.

The answer is – surprisingly well. This US PC Mag test shows the results from a range of 2012 security products. I was surprised how well they did. The results more than justify the relatively minor investment in these products. Even some of the free products do well.

But if you follow that link, you will see that no product was 100% effective in every test.

At any given time, each product will have malware that it misses. This is why it is important for people to remain vigilant. It is possible for your computer to become infected even if you have security software. If you think this might be you, run one (or better still – more than one) of the remote scanners listed on NetSafe’s website.  

And importantly, computer security isn’t just about security software. This is another area where security experts despair – because consumers are more often tricked by simple ruses than “hacked” in traditional terms. For this reason, NetSafe developed the NetBasics which looks at both the technical and non-technical aspects of security.

Not the most interesting of topics for many people it has to be said, but think about these 3 news stories that made headlines over the last week – did you read them and stop to think about the implications?

1. A computer incident at the NZ St John’s Ambulance service – part of our critical infrastructure – that left staff relying on back up radio equipment for 2 days – the source apparently a virus laden USB stick.
2. A Russian hacker remotely accessing a US water treatment plant, a fact only picked up on when the stolen SCADA system password was used to burn out a pump onsite from 5000 miles away.
3. A vulnerability in DNS servers that was used for denial of service attacks against the essential domain name system that is necessary for routing all our internet traffic.

Do these kind of things interest you?

After my 60 hour SANS course they do me – a quick trip through such topics as wireless security, Windows networking and Defense In-Depth might not pique the interest of a lot of people but it opened my eyes to just how many fundamental computer security issues I wasn’t aware of.

Many of us have come to rely on machines during our daily lives and as technology becomes cheaper and computer chips embedded into more and more devices it’s essential we all play a part in protecting ourselves.

With skills learnt on the course I could now (in theory, if I was a ‘bad guy’ and with some time spent improving my Linux knowledge) hijack and infect computers on those free wireless access points you see nowadays; I could listen in on private conversations in modern cars equipped with Bluetooth functionality; I could capture and crack weak system passwords and lastly I could spear phish to my hearts content and exploit corporate types who might share too much information unwittingly online.

I’m not saying I would of course, but the fact there are so many widely documented attack methods out there – think scams, social engineering and malware toolkits as just 3 examples – makes me think twice about my somewhat lax approach to date to online safety and security. And I work for NetSafe!

Over the next 12 months we’ve been contracted by the Ministry of Economic Development to undertake a nationwide cyber security awareness programme to make people better aware of how to stay safe and secure online.

The last week (and instructor Bryce Galbraith in particular) has taught me all kinds of things that can be put to good use to help other New Zealanders improve their digital habits and be better equipped to battle the bad guys.

I’m going to be writing about many of the topics that featured in our NetBasics programme from 2008 and trying to come up with the kind of simple, straightforward and up to date advice that anyone and everyone can follow to keep their home computer or small business IT systems better protected.

Stay tuned!

Facebook have acknowledge the spam attack that apparently exploits a browser vulnerability (we are not sure at this stage which browser it is) allowing cross site scripting.  If you want a bit more background on what that means, read this Sophos article about the attack. But in short, users are tricked into pasting some  code (JavaScript) into the address bar which then allows the malicious code to run.

Next thing you know – you’re looking at pornography, and so are your Facebook friends.

Justin Bieber

As an adult, you may find this little more than a nuisance. However, despite the 13 year old age limit – there are many children that use Facebook. If you have children that use Facebook, you might want to warn them against cutting and pasting content into the address bar – and this is a timely reminder to keep a close eye on them when they are online. I’m not a child psychologist – but I’m fairly certain pornography is not the best way to introduce children to sexuality!

These sorts of attacks within Facebook should come as no real surprise. There are 900 million Facebook accounts – half of which are active every day. That’s a very juicy target. But perhaps more importantly, Facebook is a social network – so people are there for the express purpose of sharing content. There are competitions, pages to like, pictures to view. Click this, click that.  Its a social engineering opportunity like no other. As Facebook increases it capability to host different types of content – more opportunities will present themselves for criminals to try and exploit.

Most scams are designed to raise money for the scammers, and you can safely assume that the lessons being learned from these attacks will be put into practice for those sorts of attacks later.

In the meantime, NetSafe has a page of tips for staying secure on Facebook. Check them out here.

The reason for this is a combination of State sponsored cyber attacks – and computerised Industrial Control Systems (ICS). Countries have worked out that they can attack  another country using malware that targets ICS. The most publicised attack of this type was Stuxnet which targeted, and apparently damaged, the uranium enrichment infrastructure in Iran.  The Stuxnet virus was such a sophisticated attack that security specialist agreed it could only have been conducted with state level support.  It is widely speculated that Stuxnet is the work of Israel and the US. But it might not be. Countries can now hide behind the same online anonymity that has empowered criminals and offenders.

That’s right – on the internet, nobody knows you’re a dog that specialises in cyber warfare.

Stuxnet apparently has a relative – called Duqu. Duqu is a Remote Access Trojan (therefore having the fantastic acronym - RAT) that is designed to probe ICS and send data back to enable highly targeted attacks (like Stuxnet). The problem is that “highly targeted” is a phrase I’ve borrowed from traditional warfare – like “smart bombs”, and we all know how smart they are! Which brings us to another traditional warfare term – “collateral damage”. One of the amazing things about Stuxnet was how targeted it was (attacking a specific device operating in a very specific way). But what if the coders weren’t so careful, or just made a mistake?

People often tell me that in New Zealand we have no enemies, and therefore we have nothing to worry about. The problem with that logic is that with so many Industrial Control Systems using similar technologies to control the utilities upon which we depend, I don’t think it is such an outrageous prediction that we will soon see one of these state sponsored malware products create collateral damage. And there is no reason to suggest it could not be here in New Zealand.

Hopefully that won’t occur with the National Cyber Security Centre (NSCS) keeping watch. But with cyber attack malware being produced with big budget state sponsorship – they’ll have to be at the top of their game!

And that’s the first thing that should grab your attention. For somebody who has attended a number of conferences looking at ways to make the internet safer or more secure – to be surrounded by official government delegations was quite surreal. The Internet isn’t structured around countries and until now, neither have the conferences about it. But Governments increasingly feel they can not stand back and leave the internet entirely to international corporates and NGO’s. And certainly the evidence supports that hypothesis.

The problem with the internet is that it is – or at least has been until now – uncontrollable.  This is great if you’re a journalist avoiding a repressive government. However, this is not great if you’re a government trying to provide a stable and reliable environment for your citizens and businesses.

The challenge is balancing the two requirements. And at the moment – the balance is not in our favour. There is no question that the power of the internet to provide an agile anonymity favours the bad guys. This is something we’ve know in the safety space for a while. The problem for governments is that cyber crime is starting to cost big money.  The question is what to do about that. Just as in the early days of the online safety movement - some people focus their energy on trying to change the rules of the environment. And to be fair to them, the internet is something we built and maintain so it is technically possible to change the way it works. Basically if everybody wanted to use technical measures to make it safer and more secure, we could.

However, there are a couple of problems. Firstly, different countries have different views on how they would balance control vs individual freedom. And then secondly, it is widely accepted that those changes will also have a negative impact on the internet’s ability to foster innovation, which it has a pretty good record of so far.

Therefore the attention inevitably shifts to rebalancing the equation without changing the fundamentals of the internet. And this is where the London Conference got to.

William Hague addresses the London Conference on Cyberspace

In his concluding speech, British Foreign Secretary (and conference host) William Hague said “These ideas and the principles that have come out of the conference include … that we enhance cooperation and collaboration between states, that we act together to address the threat from cybercrime, and that we preserve the global interoperability and resilience … ”

Those are pretty good ideas, but tough to put together in practice. The Conference will be reconvened in Hungary in a years time, but a lot of work will be done to try and progress the conversation in between. A safer online environment requires the combined efforts of NGOs, the private sector, and Governments. Whilst I wouldn’t want to overplay how much Governments can acheive – they have been visibly absent from the conversation so far – and this conference changed that. Therefore, it is my opinion that we will look back at the London Conference as a real turning point in the fight to keep the internet a powerful platform for progress – both socially and economically.

I’m quite excited about the whole thing as it shows (quoting the words of Minister for Communications and Information Technology, Steven Joyce) that “cyber security is becoming increasingly important for New Zealanders, businesses and government” .

The staff at NetSafe would wholeheartedly agree on this point as we deal day in and day out with a whole host of support calls, emails and Orb reports from people around the country hoping for help and advice with all kinds of issues, many of them now involving  loss – loss of time, loss of data, loss of money and often loss of sleep.

The world of cybersafety has certainly evolved and matured since NetSafe was founded in 1998 (we share this teenage status with Google) and technology has improved to automatically protect computers and computer users.

That’s no reason to get complacent though as this recent report from American security company RSA on Advanced Persistent Threats makes it plain that “social engineering is now the #1 threat vector”:

Anyone can be phished given the right context – and attackers have growing access to information about would-be targets through social networking sites that help them identify the right people to go after within the organization and also personalize their attacks

In the last week or so security researchers have demonstrated a real world hack for the SSL/TLS protocol known as Browser Exploit Against SSL/TLS (BEAST) that protects online banking and e-commerce websites all round the world (note: there’s a solution from 2006 that may soon be rolled out to solve this issue).

And the US departments of Homeland Security and Commerce have issued an RFP to develop a security programme which would have major American ISPs detect and notify customers they are part of a botnet army.

The team at NetSafe is currently working on a new national education and awareness programme that should address some of these growing cyber security concerns and will be another part of the Cyber Security Strategy. Watch this space for updates and more infomation on the partners who will be guiding our efforts to protect more New Zealand consumers and small businesses when they go online.

Auckland - NetSafe, New Zealand’s internet safety and security organisation, is marking the first anniversary of their ‘Online Reporting Button’ website (www.theorb.org.nz) this week.

The site received almost 1700 reports of online incidents during the first 12 months of operation with financial losses mounting up to more than three quarters of a million dollars.

The site is run in partnership with the Police, Customs Service, Commerce Commission, Department of Internal Affairs and the Office of the Privacy Commissioner. But NetSafe has seen most activity connected with internet scams and frauds which is overseen by the Ministry of Consumer Affairs and their Scamwatch programme.

“More than 60% of cases reported to us have been classic online scams,” said Martin Cocker, NetSafe’s Executive Director. “Over half the money reported lost was by individuals falling prey to phishing attacks, advanced fee fraud and romance scams.”

Over the course of the last year the not-for-profit has been able to use the website as an effective early warning system as new scams are reported in waves by people from all over New Zealand.

“Looking at the data involved, we’ve seen the most reports submitted by people living in the urban centres of Auckland, Canterbury and Wellington,” said Cocker. “But there have been incidents reported by people in every part of the country, particularly with cold calling computer experts looking to gain access to your PC.”

“As a result of this intelligence we’ve able to produce specific consumer advice, proactively warn people of the issues and also work with our law enforcement and government partners to try and get scammers shut down.”

Lowlights of the year

NetSafe’s analysis of the Orb reports shows patterns in the type of incidents reported:

• During the last 4 months of 2010 the main issues were advanced fee frauds targeting car sellers and rental scams affecting landlords and tenants.
• Later there was a rise in people reporting cold calling computer support companies which continued on into 2011.
• The next most common incidents reported were hacked email accounts being used to send spam and to request emergency funds from friends; phishing attacks on people using online banking plus fake IRD and bank fee refund offers.
• The largest individual losses reported were romance scams that may have taken many months to perpetrate.
• The infographic below details some further key statistics. A larger version of this image (658KB, 1024px resolution) is made available for media use and can be downloaded from http://blog.netsafe.org.nz/media/orb-infographic.12.08.11.jpg

Download the full 3.2MB version of this infographic

Report incidents and help others

NetSafe believes the incident reports made to the Orb are just tip of the iceberg when it comes to online scams.

Martin Cocker said “A Statistics New Zealand survey from 2009 put the number of individual victims of internet fraud at 56,000 – that would suggest that current reporting represents only a fraction of overall incidents.”

The Orb site lets you report incidents anonymously – almost one in four last year were made this way – and NetSafe is keen for people affected to submit their experiences so that it, and its partner organisations, can use the information to improve cyber safety and security programmes.

“The New Zealand government has recently released its cyber security strategy and that includes equipping individuals and small businesses with the skills to protect themselves” said Cocker. “The more people tell us about the problem via the Orb, the better we can work to help others stay safe online.”

Help and advice from NetSafe

You can report your concerns about online incidents in one central location at www.theorb.org.nz. NetSafe will direct your report through to the partner best able to investigate or advise you.

Visit www.netsafe.org.nz and find out how you can keep your computer secure and avoid the latest online challenges.

- ENDS -

Media contact: Martin Cocker, Executive Director of NetSafe, 021 790 369

About the Orb – http://www.theorb.org.nz

The orb website was launched by NetSafe in August 2010 to offer all New Zealanders a simple and secure way to report their concerns about online incidents. NetSafe works with partner agencies to direct reports through to the organisation best able to investigate or advise on various types of online incidents. These include scams and frauds, spam messages, objectionable material, privacy breaches and problems whilst shopping online.

About NetSafe – http://www.netsafe.org.nz

NetSafe is an independent non-profit organisation that promotes confident, safe, and responsible use of online technologies. NetSafe promotes cybersafety and security and champions digital citizenship by educating and supporting individuals, organisations and industry on a range of issues.

UPDATE:

- A great supportive comment from Detective Senior Sergeant John van den Heuvel of the Police National Cyber Crime Centre (NC3):

NZ Police supports the ORB as it provides a platform whereby the public have the ability to report crimes and other poor behaviour that occurs over the internet.

Having a central reporting point goes a long way towards helping determine the extent of online crime in NZ and is also an effective way to provide victims’ with useful online safety information.

Over the past 12 months NZP have supported Netsafe in the development and promotion of the ORB and see the potential it has to further provide a much needed service to the public.

- Many thanks to Waldo at Microsoft for bringing Zoom.it to our attention for making infographics more useable: