Wikipedia was blacked out for a day as part of a widespread protest against the US Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA). These Acts were endorsed by the Motion Picture Association (MPA) but the technology industry was opposed to them as restricting the openness of the internet.  American politicians seemed to take notice, and these Acts were sidelined. Next, the Online Protection and Enforcement of Digital Trade (OPEN) ACT was introduced to Congress, which is supported by the tech giants but resisted by the Motion Picture Association as going to easy on piracy!

And I thought, will these two groups ever find a satisfactory comprise?

A high profile blow was struck by the anti-piracy organisations as the former Chrisco Mansion was raided, filelocker Megaupload was shut down, and Kim Dotcom and some business associates were arrested. The anti-anti-piracy groups hit back organising DDOS attacks that (at least briefly) shut down about 10 websites including the FBI, Universal Music, RIAA, and Hodopi (it’s French)

And I thought, I wonder where the Chrisco people live now.

Moving away from copyright – Research by the Ipsos Social Research Institute named Australia as having the highest levels of cyberbullying on social networking sites. New Zealand wasn’t included in the research. I suspect we’d have placed pretty well.

And I thought, we could do with some of that anti-piracy (or the anti-anti-priracy) enthusiasm in the anti-cyberbullying fight.

TVNZ CloseUp returned to air this week and its first story for 2012 was about adult men who met a 14 year old girl online (or in this case, and actor they believed to be 14) and then travelled and meet them for sex. I was surprised at the lack of caution these men showed. It never occurred to them that it might be a sting – by journalists, or the Police.

And I thought, we could really do with a few Police sting operations of this type to discourage these men.

And then I thought. It looks like 2012 will be pretty much the same as 2011.

Now is the time that many people are looking for rental accommodation to take up for 2012 whether it be for studying at Uni or other reasons.  We have noticed a spate of rental accommodation scams lately where a real bargain flat, apartment or house or flatmate situation is offered on one of a multitude of websites. Often it is advertised as central and includes great photos as well.  It will have lots of extras (like power and water included as well as internet access, dishwasher, heat pump etc).  The owner will be overseas and needs you to accept the offer without actually going through the place (which seems ok if you are in a different part of the country at the time).

So you look at the photos, email back and forth a few times and decide this will be great for you and the owner sounds really nice.  He or she may even email you a passport photo of themselves and the Title Deed to the property.

All you have to do is deposit the bond (say 4 weeks rent) and 2 weeks rent in advance into their bank account overseas or send it by Western Union because they can’t get to a bank easily, and the keys will be sent back to you as soon as the money clears so you have them well before you take up the tenancy.  The stories may vary a bit, but money first for keys second is the familiar theme – oh and along the way you will be asked to fill out an application form with a lot of personal information in included.

We have found that the photos of the rental may have been on a real estate sales site in the last few months or a different site under the actual owner’s name.  The photos have been copied and used to try to trick someone into parting with money or at the very least with personal information.

Read more about scams on www.scamwatch.govt.nz the Ministry or Consumer Affairs website and report scams to www.theorb.org.nz

A special guest blog from Jon Duffy, Head of Trust and Safety at Trade Me and NetSafe Board Member.

Trade Me is a great place to find deals on all sorts of odds and ends. I myself recently found a genuine 1980s red and white cricket vest for a staggeringly low $12.00. I am now ready to step out for summer, safe in the knowledge that sunburn is the only thing I need to worry about, because fashion has been dealt with.

Unfortunately, not everyone viewing Trade Me at this time of year is doing so with the best intentions for the Christmas period.

In the rush to secure bargains, particularly on high value electronic items, Trade Me users need to take care not to provide information that could be used by scammers to attempt fraud.

Trade Me’s Q&A section is designed to help sellers provide buyers with the information they need to decide whether they are going to buy an item (or not).  It allows anyone interested in the listing to view questions once they have been answered so these can inform other members as well. 

The Q&A section is not a forum for the exchange of contact details for two important reasons. Firstly, with auction listings, contact between sellers and potential buyers has the potential to undermine a genuine bidding process. Secondly, contact details left by buyers can be harvested by scammers and used to attempt fraud.

Trade Me takes the integrity of its marketplace and fraud prevention really seriously and we regularly warn members not to leave their contact details in Q&A.  For those members who continue to leave their details, despite our warnings, we will stop being able to access the Q & A section – this is a big restriction, but ultimately better for the member than falling victim to a scam. 

In the past year Trade Me has assisted in more than 50 successful prosecutions. A good many of these resulted from situations where members provided contact details to the scammers.

To illustrate the risks of leaving contact details, readers only need to consider recent media reports on Aaliyah Rafiee, the Auckland woman facing 57 fraud charges for various offences, including allegedly defrauding Trade Me users.  Rafiee is alleged to have harvested contact details from Trade Me to facilitate her offending.

Ultimately, Rafiee’s alleged offending was not sophisticated or particularly well thought out.  Her alleged activities online left a clear trail, were easily traced by Trade Me investigators and ultimately resulted in her very public downfall.

Nonetheless, much of her alleged offending would not have been possible in the first place if Trade Me users had not made their contact details available to her.

Top Tips to stay safe this Christmas

• Stay on the site! If you are contacted by someone in connection with a listing you have bid on or asked a question about, outside the normal listing process, do not respond. Scammers will always try and get you away from the site. You should only deal with sellers/buyers where Trade Me has supplied you their details (following the close of the listing).
• Never send money overseas! Regretably, international scammers can view Trade Me and sometimes contact our members.  They can’t scam successfully if you don’t send them money. Typically scammers will create a back story that requires you to send money overseas via Western Union. Sometimes scammers will create fake PayPal or SafeTrader receipts to trick you into thinking they have paid you money. All Trade Me members, even those based in Australia, are required to have a New Zealand bank account – if a seller does not have a New Zealand bank account, do not deal with them. If you are a seller and the buyer creates a story where you have to pay money – do not deal with them.
• Ask Questions! Legitimate use of the Q&A is a great way to work out whether you are comfortable purchasing from a seller.  If a seller refuses to answer reasonable questions – you may have reason for concern.  Feel free to ask for proof of purchase, product history (such as where the item was purchased new), or for photos to be uploaded if none are provided.
• Use Community Watch if you have concerns! Trade Me has staff monitoring Community Watch complaints 24/7.  Information provided by our members is the single best tool we have for detecting and preventing fraud on the site. If in doubt, get in touch by clicking the sheriff badge link at the bottom of every listing.

The review has two parts. The first covers the extension of the traditional media’s legal rights and responsibilities to some new media publishers. The second part of the review looks at whether the laws which deal with crimes such as harassment, intimidation, defamation, and breach of privacy are fit for purpose in the digital age.

It is really the second half of the review that most interests NetSafe, although the first half looks at a very interesting question. At what point does a blogger or a news website  access the legal privileges and exemptions currently reserved for the traditional news media? David Farrar at Kiwiblog has more readers than many newspapers in this country and often writes about political issues – so it absolutely makes sense to consider him “news media” . But what about Mods Motors? That also has a wide “circulation”. Its mostly about cars, but it does also include “news” and opinion about car and transport regulations.  What about the NetSafe blog?  The review also recommends an independent converged regulator (like the ACMA or OFCOM) to manage regulation of this space.

The second half of the review sits squarely in NetSafe territory. Information technology has been a real enabler for harassment, intimidation, defamation, and breach of privacy. The laws that deal with these issues were written pre-technology. Mostly they tend to be applicable, but accessing the remedies is comparatively prohibitive. Basically, its really easy to offend against somebody – and hard to effectively defend yourself.

The Law Commission has made a range of recommendations starting with a review of current laws to make sure they’re applicable in the digital age. There some clarifications of existing law and a handful of new offences recommended: maliciously impersonating another person, publishing intimate photos, and incitement to suicide.

The most radical of the proposals is the establishment of a Communications Tribunal that would operate at a lower level than the courts. The idea being that the tribunal would be more accessible for people who are offended against.

The Law Commission is taking submissions on this paper until March 12, 2012. I suspect there will be a number of strong voices against the recommendations – as there are against any attempts to exert control on online activities. I would encourage organisations and individuals working in the cyber safety and law enforcement space to make a submission.

In the NBR article I was asked about a “deal” that NetSafe has with RIANZ to act as an  intermediary between schools and the rights holders. NetSafe has an agreement with RIANZ (Recording Industry Association of New Zealand) that allows us to act on behalf of schools (should the school so wish) in order to try and establish how these infringements have occured, and how the situation can be resolved.

It seems that this has caused some concern, with one tweeter (eey0re) accusing NetSafe of being “morally incoherent”. I was a little taken aback by this so thought I should lay out what is involved and try to explain why we did what we did.

For us this isn’t an issue of morality. NetSafe isn’t an organisation built around moral values. I’m not suggesting we are amoral either, but NetSafe exists to build capability in New Zealanders online, creating confident and capable internet users. Part of this means that we ensure that New Zealanders are aware of and are able to act within the law as it stands. That’s part of being a successful Digital Citizen.

The introduction on September 1st of the Copyright (Infringing File Sharing) Amendment Act changed the copyright landscape for New Zealand significantly. The law states that it

provides rights owners with a special regime for taking enforcement action against people who infringe copyright through file sharing

The first time that they have been able to take action without the use of the court system. The action thay can take is to record an IP address that they believe to have infringed their copyright, contact the ISP that owns it, and instruct them to send a notice to the account holder.

It was obvious to us that somewhere in this change that schools were going to find themselves in the middle of a situation that they felt was somewhat unfair. Since part of what we do as an organisation is to provide support for New Zealand schools in matters of cyber safety and cyber security this meant that we would be dealing with schools as the notices arrived on their doorsteps.

We approached the rights holders groups to see if we could provide some room for schools to deal with infringements happening on their networks. The results of the discussions that we had is the agreement that we have with RIANZ, and an on-going dialogue with NZFACT.

No one is pushing any moral boundaries here. We are an organisation that has a contractual arrangement with the Ministry of Education to provide a service to schools. This agreement is part of that contract. Its contents aren’t any secret.

If a school contacts NetSafe and ask us to work on their behalf then we will contact RIANZ, inform them that they have sent a notice to a school, ask them to suspend that notice for a period of 8 weeks while we work with the school to look at how this breach of the law occured on their network. No judgements, no admission of guilt, no apologies, no propaganda. Schools do not give up their rights under the law by taking advantage of this agreement and no school has to work with us. The school remains in control of the process, we are simply there to assist if required.

To me this isn’t incoherent, morally or otherwise. Just a pragmatic solution for schools to a very real concern expressed by many school boards and leadership teams all across New Zealand.

What is your experience in resurrecting a compromised account?

The challenges.

The main findings are that half of NZ adults do not have the knowledge needed to keep their computers secure online and only half with a home computer meet the minimum software requirements for computer security (updated anti-virus, anti-spyware, firewall, and operating systems). However, despite this fact 78% did online banking – meaning that at least 32% do online banking on a machine that does not have the minimum requirements for security in place.

When the survey asked them about why they did not do the minimum required for computer security, the most popular responses were that they did not have the knowledge, lacked funds to pay for it, or were constrained by internet speed/data.

What can we do?

These issues are positive in as much as their are significant options available to address them.

54% of NZ computers don't meet the requirements for basic computer security - making them vulnerable to malware.

Lacking knowledge means that we need to make sure that people have trusted places available to them to receive this support. As cost is a clear issue, we need to make sure that these places are free or as cheap as possible. Given the large role that friends and family play in providing computer security advice to the majority of NZ consumers, and their ability to be free, educating as many NZers as possible about these issues seems key to getting accurate information out to people. As cost is a perceived limitation, we need to find ways to make sure people know how to do computer security at low cost (e.g., how to shop around for anti-virus, what things they need to buy (if any) on top of their operating system, how much each costs and how good they are).

As more vulnerable machines are infected more and more vulnerable machines become infected.

Further Implications

Finally, people also reported a lack of imperative to sorting out computer security. My previous post highlighted that a significant amount of kiwis have compromised computers (e.g., Hamilton city). These machines were often infected with BotNets that go on to infect other computers. As more of these machines target the internet, more of those home computers that are not adequately secured are placed at risk. This then has the potential to set up a nasty cycle where more and more machines become compromised and this increases the chances of other machines being infected, which then infect other computers (kind of like what happens with viruses in the wild).

We need to help people understand that if the basics are not in place then their financial activity online may not be safe, and that they may not only become infected with malware, but inadvertently assist cyberciminals to infect others and swindle them out of their hard earned cash too!

The other thing I think about this is that idea of what this means for virus epidemics. What if this is just the beginning stages of an epidemic, that with the fertile ground gathers steam, and becomes more and more out of control.I suppose this is when we’d start to see a major tipping point. I wonder what that might look like and if we’re on the way there – or how high speed broadband roll outs will affect the issue?

- – -

The detailed findings of the Research (warning – detail attack)

Conducted via UMR with 500 NZ participants over the age of 18. This study weighted participants according to NZ census data to get a more representative view of the issues.

• When asked how serious you think the issue of online security is for New Zealand, 50% reported that they felt that it was a very serious or serious issue.

Interestingly, participants on higher incomes (household income greater than $100,000, personal income greater then $70,000) were less likely to view it as a serious issue (38% and 35% respectively).

• When asked about how concerned they were about a range of online challenges, the following percentages reported being very concerned or concerned about:

Identity theft (66%) – Higher concern more likely to be aged 45-59 years.

Loss of privacy (64%).

Online scams (61%) – Higher concern more likely to be aged 45-59 years.

Computer security (61%) – Higher concern more likely to have non-degree qualification.

• Participants were also asked to rank nine online challenges in order, most most to least important.

Combining the results, 35% of the participants said that identity theft (18%) and online security (17%) were the most important online challenges. Again, those on mid-high household incomes ($70-100,000 per annum) (8%) were less concerned about computer security

• The survey also asked people about why these were their biggest concerns.

The main reasons respondents were most concerned about identity theft were concerns that they would lose personal information and privacy, the harm it can cause and the risk that criminals could access financial information.

The main reasons respondents were most concerned about computer security were a general awareness of the risks and the importance of their computers, concern that they might lose personal information and privacy, and that they might get a computer virus.

The main reasons respondents were most concerned about loss of privacy (9%) were the risk of losing personal information and privacy, concerns that someone could access their computer and the need to protect children.

The main reasons respondents were most concerned about online scams were the prevalence of attempts, the number of people instigating these scams and the risk of losing financial information.

• The survey also explored how much participants felt they knew about computer security risks and solutions? – a lot, a fair amount, not that much or nothing at all?

Declared knowledge of computer security risks and solutions was only moderate with 52% of the sample with a computer at home (n = 425) saying they knew ‘a lot’ or ‘a fair amount’, while 48% said they did not know ‘not that much’ or ‘nothing at all’.

Males (52%) were more knowledgeable than females (41%).

Those on low household incomes were less knowledgeable ($30,000 or less per annum) (29%).

Tertiary educated were more knowledgeable (56%) while those with no qualifications(28%) or non-degree qualification (38%) were less knowledgeable.

• Participants reported what they did on their home computers (n=425). Of relevance to this is the numbers that used their machines for financial activity:

78% did online banking (More likely to be aged 18-44 years, higher income, in full or part-time work, have dependent children, more knowledgeable about online security)

73% bought things online (More likely to be aged 30-44 years, higher income, in full-time work, have dependent children, tertiary educated, more knowledgeable about online security)

71% paid bills online (More likely to be aged 30-44 years,higher income, have dependent children, tertiary educated, more knowledgeable about online security)

35% conducted business, like doing accounts or updating records (More likely to be higher income, in full-time work, have dependent children, more knowledgeable about online security)

• When asked to list the products or functions that should be enabled to secure a home computer, 42% were unable suggest anything. Of the remaining 58% of participants responded that the following were required:

Antivirus software 48.8
Firewall software 24.8
Antispyware software 10.0
Password protect it 3.5
Anti malware software 2.3
Anti spam software 2.1
Automatic updates 1.8

• Helpfully the participants were also asked if they believed that their home computer was protected from online threats

A large majority (87%) believed that their home computer was protected from online threats.

However, only 46% (n=197) of home computer users had all four critical security products and functions enabled simultaneously (the absolute minimum for basic computer security).

• Participants were asked about their use of individual computer security software.

89% claimed to use antivirus software (usage was lower among those on mid-level personal incomes ($40-50,000 per annum) (78%) and those
with lower knowledge of online security risks (83%).

84% automatic updates (Usage was lower among those on mid-level personal incomes ($40-50,000 per annum) (63%), those aged
between 18-29 years (73%), Aucklanders (78%) and those with lower knowledge of online security risks(75%).

75% firewall software (usage was lower among those with lower knowledge of online security risks (62%).

60% anti spyware software (usage was lower among those aged between 18-29 years (53%), those with no qualifications (46%) and those with lower knowledge of online security risks (40%).

Interestingly the research also asked people about which products they used. Often people were unable to nominate the brand of computer security software they used, leading the research team to suggest the above figures may over represent the numbers actually using computer security software.

• The research also explore where people got advice about security, with the following sources used:

Family and friends (52%).

Consultants or technicians (33%)

The internet (16%)

Software/ hardware providers (12%).

• Participants were also asked if they had ever had an online security problem.

27% of home computer users claimed to have experienced a problem with online security.

Less educated (no qualifications) were less likely to declare having encountered a problem (17%) while those with a non-degree trade or technical qualification were more likely (39%).

Similarly, those with lower knowledge of online security risks were less likely to declare having encountered a problem (21%) while those with greater knowledge were more likely (32%).

The researchers consider that this maybe an indication that some are unaware that their security has been breached.

• The barriers to taking appropriate security measures were also explored

Across the barriers identified, the main barriers were lack of knowledge (14%) and lack of affordability (11%),  impact on internet speed (6%), the lack of time (4%) and lack of imperative (4%).

It’s not the red carpet, it’s not what [or rather who] people are wearing, because I don’t enjoy all the other celebrity at home or in rehab programmes that are available, its something else. I think its the bits where they talk about what it was like to make the movie/album/website that I like. You get a sense of something else behind the “thing” that your familiar with. You get a feeling that it took more than just the artist with his tools, that it didn’t just happen in 5 minutes, and that those that were involved actually stuggled to achieve the output. I like that feeling.

The 2002 The International Law Enforcement Cybercrime Award

NetSafe have won a few awards in our time. Awards for the schools programme, awards for our websites, we even got The International Law Enforcement Cybercrime Award in 2002 from the Mounties……well actually it was from The Society for the Policing of Cyberspace, but they are based in Canada and I always called it the Mounties award. It feels good to be on the receiving end of an award.

Its because of this that we have decided that its about time that we started to officially recognise some of the amazing work that goes on here in New Zealand to build confident and capable Internet users. There are so many occasions that we work with organisations and individuals that are making a real and significant difference to the cybersafety, cybersecurity or digital citizenship equations in this country where the only way we can recognise the work that they do is to write a blog, or put an article in a newsletter.

To this end, we have decided to inaugurate [a very official awards sounding kind of word] the NetSafe “Love Your Work.” awards.  Love Your Work is a chance to recognise individuals or organisations for programmes, events, ideas, products, services or just about any singular “thing” that makes a significant contribution to improving cybersafety, cybersecurity  or digital citizenship in New Zealand. We will be presenting the first of the awards at our AGM in December. You are cordially invited to come along.

We would love to hear from you if you would like to nominate someone for a Love your Work award, but there are a few rules that we should set out;

• You can’t nominate yourself.
• A nomination should be in the form of a name (Individual or organisation) with a brief summary of why you are making the nomination, and what contribution they have made
• The judges decisions are final, no correspondence will be entered into regarding the awards.
• No cash substitutions are available
• No animals will be harmed in the making of the awards.

If you want to find out more, or you’d like to make a nomination, drop us a line at feedback@netsafe.org.nz

Are computer security experts just justifying high incomes by positioning computer security beyond the realms of the average home user, or are they fundamentally right? If consumer security products don’t work, should people even bother to purchase and install them?

There’s no point in sugar coating it. The computer security gurus are essentially correct. If you are specifically targeted by cyber criminals, and you are reliant on consumer security – you’re in trouble. The good news for most people reading this blog is that they are not “high value targets” and are not going to be targeted by dedicated cyber criminals. Simply put, they’re not worth the investment in hacking time.

All security is about risk management. The level of investment we make in security should be appropriate for the risk we face. For most consumers and small businesses, the main threats they face are from non targeted malware. So the real question is – how well do consumer security products protect you against these threats.

The answer is – surprisingly well. This US PC Mag test shows the results from a range of 2012 security products. I was surprised how well they did. The results more than justify the relatively minor investment in these products. Even some of the free products do well.

But if you follow that link, you will see that no product was 100% effective in every test.

At any given time, each product will have malware that it misses. This is why it is important for people to remain vigilant. It is possible for your computer to become infected even if you have security software. If you think this might be you, run one (or better still – more than one) of the remote scanners listed on NetSafe’s website.  

And importantly, computer security isn’t just about security software. This is another area where security experts despair – because consumers are more often tricked by simple ruses than “hacked” in traditional terms. For this reason, NetSafe developed the NetBasics which looks at both the technical and non-technical aspects of security.

Not the most interesting of topics for many people it has to be said, but think about these 3 news stories that made headlines over the last week – did you read them and stop to think about the implications?

1. A computer incident at the NZ St John’s Ambulance service – part of our critical infrastructure – that left staff relying on back up radio equipment for 2 days – the source apparently a virus laden USB stick.
2. A Russian hacker remotely accessing a US water treatment plant, a fact only picked up on when the stolen SCADA system password was used to burn out a pump onsite from 5000 miles away.
3. A vulnerability in DNS servers that was used for denial of service attacks against the essential domain name system that is necessary for routing all our internet traffic.

Do these kind of things interest you?

After my 60 hour SANS course they do me – a quick trip through such topics as wireless security, Windows networking and Defense In-Depth might not pique the interest of a lot of people but it opened my eyes to just how many fundamental computer security issues I wasn’t aware of.

Many of us have come to rely on machines during our daily lives and as technology becomes cheaper and computer chips embedded into more and more devices it’s essential we all play a part in protecting ourselves.

With skills learnt on the course I could now (in theory, if I was a ‘bad guy’ and with some time spent improving my Linux knowledge) hijack and infect computers on those free wireless access points you see nowadays; I could listen in on private conversations in modern cars equipped with Bluetooth functionality; I could capture and crack weak system passwords and lastly I could spear phish to my hearts content and exploit corporate types who might share too much information unwittingly online.

I’m not saying I would of course, but the fact there are so many widely documented attack methods out there – think scams, social engineering and malware toolkits as just 3 examples – makes me think twice about my somewhat lax approach to date to online safety and security. And I work for NetSafe!

Over the next 12 months we’ve been contracted by the Ministry of Economic Development to undertake a nationwide cyber security awareness programme to make people better aware of how to stay safe and secure online.

The last week (and instructor Bryce Galbraith in particular) has taught me all kinds of things that can be put to good use to help other New Zealanders improve their digital habits and be better equipped to battle the bad guys.

I’m going to be writing about many of the topics that featured in our NetBasics programme from 2008 and trying to come up with the kind of simple, straightforward and up to date advice that anyone and everyone can follow to keep their home computer or small business IT systems better protected.

Stay tuned!