Cybersecurity, scams and data breaches

Image of programming code by Lorenzo Cafara www.pixabay.com

Call it coincidence, but I was in the midst of a domestic internet security overhaul when news of the Optus hack broke. As we know, what the press is calling the biggest hack in Australian history left the private information of up to 10 million Optus customers open to potential abuse. Optus customers are clamouring to have their drivers’ licences and passports re-issued and there is talk of class actions.

Like most of us whose lives are largely lived online, we are, or should be, aware of the threat posed by scammers. Any day of the week you will hear of pensioners who lost their life savings, falling for some elaborate call centre scam. The sophisticated level of social engineering being employed by scammers is such that even savvy older people are falling victim to seemingly plausible communications via mobile phone, social media apps and email.

Just as we all lock doors and windows and turn on security systems before going on holidays, we should all be thinking about security for our electronic communications. My IT adviser swears by password managers – that is, subscribing to a company that will encrypt all of your online logins and passwords. You manage things at your end with a master password. But wait, I ask, isn’t this putting all of your eggs in one basket? If someone nabs your master password you’re screwed, right?

The best protection against electronic fraud is to use a two-step authentication system. This may be as simple as: login, password (now enter the four-digit code we just sent to your mobile phone).

Last time I went to do some internet banking, I was informed that my security token would soon expire. This is a small gadget (most people call them dongles) which displays six constantly changing numbers. The process is: logon, password (dongle code).

In theory it is unhackable, as the security codes are constantly changing. I decided to order another ‘dongle’, only to be told that the bank preferred me to use their secure phone app. Send me a dongle, I replied, via secure email. After jumping through a few security hoops, I ordered a new physical dongle. The bank employee I dealt with (online) said the bank would waive the $20 fee as I had been a valued customer for many years (Melbourne Cup, here I come).
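The six-digit codes a token like this displays are normally produced by the time-based one-time password scheme (TOTP, RFC 6238): each code is an HMAC of a secret shared with the bank and the current 30-second time step, which is why it keeps changing. The column does not say which algorithm the bank uses, so this added example (my own code, not the bank's or the column's) assumes standard TOTP, generates codes with the RFC 4226 test secret, and shows the server-side check that makes the scheme hold up: a small clock-drift window plus refusing to accept a code a second time, since a code that is intercepted is still valid until its time step ends.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"), used here so the
# expected codes are the published test vectors, not a real bank secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


class TokenVerifier:
    """What the bank's side must do with a submitted code.

    Accepts codes from a few adjacent time steps (token clocks drift), but
    never accepts a time step at or before the last one already used, so a
    code that was phished or shoulder-surfed cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1                       # highest step accepted so far

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                             # already used: reject replay
            expected = hotp(self.secret, counter)
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))   # RFC 6238 vector: 287082
    v = TokenVerifier(TEST_SECRET)
    print("first use  :", v.verify("287082", 59))
    print("replayed   :", v.verify("287082", 59))
```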

As a result of increasing data breaches and scams, we can expect government organisations and others to tighten security. After thoroughly checking it out first, I found that the Australian Securities and Investment Commission (ASIC) now requires all company directors to apply for a ‘digital security ID number’.

The recommended method for applying for a director identification number is by using the MyGovID phone app. The app requires you to scan identification documents into a mobile phone app. They also want your date of birth, physical address, email address and mobile phone number. Then you have to scan any unique identifying marks (moles, birthmarks, tattoos) – no wait, I made that bit up.

It’s quite an exercise.

But what if some enterprising Black Hat (master hacker) breaks into MyGovID? In theory this will create a lot of work for people whose professions involve producing ID documents. Just as we are seeing now with the Optus hack, everyone who uses MyGovID would need to replace their ID documents.

This new requirement by ASIC (which only applies to company directors), will, as they say, “help prevent the use of false or fraudulent director identities”. Directors who were appointed prior to November 2021 have until November 30, 2022 to apply. ASIC adds, “it is a criminal offence if you do not apply on time”.

If you think about it, multiple government and non-government organisations hold all manner of confidential information on us. At the very least, many of them already have our date of birth, passport and driver’s licence numbers, credit card details, direct debit for bank accounts and so on. When was the last time you booked online for a concert? Credit card?

In August, I was required to fill in an online hospital admission form when signing up for elective surgery. They wanted to know everything about me – even my BMI. I had to ask Sister Dee to explain that one. It’s a number arrived at by squaring your weight with your height. Anaesthetists need to know.

“They’ve got my height and weight,” I said to the admitting nurse. “He can work it out.” (Ed: It’s 23.6)

Then they wanted a copy of my power of attorney. I didn’t have a copy so had to ask our lawyer to send me one, post haste. Now that’s online too.

But methinks I doth protest too much – I did after all wake up.

It’s a good thing I decided to sign up for the now-obligatory company director security number. In the process, I discovered my passport will expire next year. Since we have plans to go to New Zealand, Canada and maybe Japan, I’d best get on my bike and order a new one. I suppose how long it takes depends on the Optus backlog, eh?

In the meantime, everyone who reads this column on a regular basis should know about the Scamwatch website. The Australian Competition and Consumer Commission (ACCC) keeps a running tally of internet scams, pesky robot phone calls and phishing scams (someone pretending to be your internet service provider, bank, tax office – whatever). Currently Scamwatch is alerting Australians that fraudsters will seek to exploit the Optus data breach. Last month the ACCC warned people who use WhatsApp to watch out for the ‘Hello Mum’ scam. Briefly, someone who apparently knows you have a son or daughter overseas will start a text conversation.

“Hi Mum, it’s me. I lost my phone and got locked out of my bank. Can you help?”

The correct answer should be something like – “If you are my daughter, what was the name of our cat when you were 12 and what was her favourite food?”

It’s no laughing matter. On August 3 Scamwatch reported that consumers lost $20 million to imposter bond investment scams. These scams impersonate real financial companies or banks and claim to offer government/Treasury bonds or fixed term deposits. People often fall victim after searching online for investment opportunities. Watch out for fake third-party comparison sites and too-good-to-be-true returns.

I have had a few interactions with our internet service provider over the years about phishing emails. They would often arrive in my inbox on iiNet letterhead (the sender’s email address is always dodgy). The gist is usually, “There is a problem with your invoice (which I just paid). Please click on this link and update your credit card details.” My arse!

The last time I complained, I forwarded the fake email to iiNet as requested. iiNet (second largest ISP in Australia), must have had some success since, as these rogue messages appear to have stopped. Their customers are not the only target. There are myriad instances of bogus emails purporting to be from banks, finance companies, telcos, e-commerce companies etc. The best response is block/blacklist/delete and keep doing it until they move on. And always report it to the company being impersonated. Oh, and always log out of Facebook and Messenger. But you knew that.


Cyber attacks and the Faraday cage

Image: Antoine Tevaneaux, Wikipedia CC: these women are protected from the electric arc by the Faraday Cage. (Palais de la Découverte in Paris.)

Just as I was thinking about the unexpected email from the Australian Taxation Office, She Who Mocks ScoMo called me in to watch a live press conference about cyber attacks.

Beware of State-based actors with sophisticated means to hack Australian infrastructure, began the Prime Minister, Scott Morrison (ScoMo).

“He’s dog-whistling,” interjected SWMS. This of course sent me off to google what ‘dog-whistling’ meant. After discounting a video of a wizened old Kiwi farmer in gumboots and a Swanndri using two-fingered whistling to direct his sheep dogs, I alighted upon this:

dogwhistle: a type of doublespeak used in political messaging. Dog whistles work by employing language that has normal meanings to the majority, but can be implied or loaded to mean very specific things to intended recipients.

In this context, there were several observations to be made – what was the government seeking to do by causing fear and trembling in a community already alarmed about the coronavirus? What news did the government not want to get out, hiding behind the ‘cyber-attack’ smokescreen?

I asked a couple of IT gurus I know what they made of it all.

“Whatever it is, just sandbox it,” said one (which means isolating the malicious email/code and testing it in a non-network environment).

“Well if Scotty from marketing says there are more state actors right now, you gotta believe him,” said our resident geek boy.

“I might even quit my day job and go after my real dream as a state actor. Hopefully they do the Scottish play... I know that one well.”

Chin up Scotty, they’re not taking you seriously – should they?

After analysing the press conference on Friday morning, I tend to agree with ScoMo’s “it hasn’t just started” caveat. The controversy over Russia’s involvement in social media manipulation of the 2016 US election is one example alone. CSO Australia recently listed the top 15 cyber security breaches of the last 20 years, ranked by the number of people whose personal data was stolen. Data belonging to 3.5 billion people was compromised in the top two alone (Adobe and Adult Friend Finder). Well-known names on the list include LinkedIn, Yahoo, eBay and Marriott International.

The PM refused to be drawn on which ‘State-based actor’ was the villain of the piece but journalists have, of course, made much of the role of China as the state power with the ability and the motive.

If there is anything useful to be drawn from ScoMo’s cyber attacks warning, it is perhaps to remind computer and smart phone users to do a regular Wi-Fi security audit.

The growing popularity of smart devices (Wi-Fi speakers, smart TVs, household appliances that take verbal orders and Bluetooth-enabled devices) has just added new vulnerabilities to the wired household.

I use Bluetooth to hook up my phone in the car, but I also use it to stream music to wireless speakers. No problem, you’d think.

Technology writer Dave Johnson says, rather colourfully in this article for howtogeek.com, that “Bluetooth is about as secure as a padlock sculpted from fusilli pasta.”

Johnson recently attended the Def Con 27 security conference where the first order of business was to ask delegates to disable Bluetooth while attending the conference.

Tyler Moffitt, a senior threat research analyst at Webroot, says there are “zero regulations or guidelines” as to how Bluetooth vendors should implement security. He also warned that smart phone users might not know that using Bluetooth with earbuds disables the smart lock, leaving the phone open to abuse.

Moving right along, the other security threat which bothers experts is the proportion of social media users who do not use or understand privacy settings. Password manager LastPass revealed in a recent blog how careless people are with their private information. A survey showed that 52% of respondents set their social media profiles to ‘public’ (open to FB’s 1.7 billion account holders!). The survey showed that 51% of social media users had shared vacation photos, an open invitation to burglars who troll social media. About 20% shared pictures of their house or neighbourhood and 25% shared pictures of their pets or kids.

The government’s over-kill way of bringing cyber security to ‘front of mind’ was timely, in that June and July are the peak scam months.

Our end of financial year reminder from the ATO did seem genuine, given it was addressed to the recipient by name. We became suspicious in that the email encouraged clicking on links to ‘learn more’ – something the ATO says it never does.

That is an example of the common email scam known as ‘phishing’, an attempt by someone posing as a legitimate institution to trick individuals into providing sensitive data. An article from The Conversation, titled “Don’t be phish food!” cited below, summarises why you should be suspicious of bogus emails. Phishing scammers are not afraid to impersonate government agencies, banks or large institutions – even your own ISP!

If it looks real but you were not expecting it – be wary.

The very least you can do to avoid cyber attacks is change your computer logon passwords. This was one of the key messages from The Australian Cyber Security Centre. ACSC’s website advisory says the attackers are primarily using “remote code execution vulnerability” to target Australian networks and systems. That is, the attacker attempts to insert their own software codes into a vulnerable system such as a server or database, thus taking control. That, folks, is why Windows 10 keeps updating your operating system.

While you are at it, change all of the passwords you use for social media, web-based email and any website which holds your financial information. Make them complex passwords of at least 8 and preferably 10 characters. Check your social media settings and ensure that you are set to private and friends only (or at worst, friends of friends). If you are on the Facebook app Messenger, don’t open videos, even if they are sent by your lover or maiden aunt. Much-circulated ‘joke’ videos containing malicious code are often used to hack someone’s Facebook account. (What – you didn’t know that?)

If all else fails, you could purchase a Faraday Cage, invented in the late 1800s by an English scientist (Faraday). The cage is an enclosed space made of conductive material that blocks electromagnetic signals. Wi-Fi and cellular signals are rendered useless inside the cage. Any spy worth his 2020 clearances would have mini-Faraday cages at home and work in which to keep smart phones and other hackable devices safe from cyber attacks.

Coincidentally, this week we just started watching season five of the quality French spy thriller, The Bureau*, where the Faraday Cage got a mention in episode one or two. This up to the minute drama, while fictional, nonetheless references present day political pariahs including Trump, Putin and Assad.

In the early episodes we see one of the protagonists in a Russian troll factory – a vast air conditioned room where drones fly a circuit to make sure the worker bees are not eating baklava at their keyboards.

If you are really concerned about cyber attacks, you could get an engineer, an architect and a builder to collaborate on the hacker-proof house, modelled on the Faraday Cage.

Shouldn’t cost that much.

(By all means, watch ‘The Bureau’, but only if you don’t mind numerous gratuitous sex scenes. It is French, after all. And you can improve your French language skills too, if you don’t look at the sub-titles. Ed.)


Friday on My Mind – Technology And Our Private Lives

‘Hacker’ image by www.pixabay.com

“Och*, technology – it’s the Deil’s work,” my Scottish Dad said in 1964, when I bought one of the early transistor radios.

Dad died in 1991, so he missed the Internet (and Windows 98, the best version). He also missed WIFI, smart phones, internet banking, Facebook, Twitter, Skype, Bluetooth, video and music streaming and that nemesis of 21st century parents – Facetime. I’m not sure what he’d make of hackers, spammers, viruses, malware, or dealing with glitch-prone software and untimely computer crashes.

As we all should know, privacy risks for internet and mobile phone users include data harvesting, web tracking and government spying. Many internet security companies are now advocating the use of a virtual private network (VPN), which encrypts your data and hides your internet address. And, as this article reveals, the Internet of Things poses new cyber threats, as security is often lax or absent in domestic items like smart TVs, fridges, microwaves and other connected devices.

This week I conducted an IT security review after a sudden flood of spam emails jammed up one of our addresses (not this one). She Who Goes By Various Acronyms was extremely pinged off with the 200 dodgy emails that came several nights in succession. They were dressed up to look like emails we’d sent but had been ‘rejected by sender’.

I can’t say our Internet Service Provider (iinet) was overly helpful. They insisted that the email address had not been hacked or compromised. The support team advised me to change my password (duh) and later referred me to a service where you can report ‘new’ spam. That didn’t really help much, so I spent a good few hours doing my own troubleshooting.

As part of a usor emptor security review, I reset my WIFI router to its default settings, and then re-installed it with a complex admin password and a new WIFI password. Tedious, yes, and the tediousness extended to relaying the new WIFI password to every device that shares the same router. As a result, we slowed the spam to a trickle and now it has stopped altogether. (Yay, techy Bob-Ed)

In the early days of starting a WordPress website, my weekly posts were inundated by what is known in blogger world as ‘comment spam’ – most of it from Russia. We slowed the onslaught by installing an effective anti-spam plugin (Akismet) and stopped it by limiting post comments to 14 days.

I began to wonder about spam; who distributes it and why. Do they want to sell you stuff or are they just creating mischief? What they want more than anything is for you to click on the inevitable malware-ridden attachments. Do so at your peril.

I discovered that a sudden flood of spam can (a) bury messages you did need to find and (b) include phishing emails. These are emails that purport to be from one of your legitimate service providers. You can usually detect them by the stilted use of English and also by the fake email address.

Later, I forwarded the bogus email to iinet support and complained. Since then, I have had other attempts by swindlers to milk credit card details by forging emails. It is beyond me why a large ISP (iinet, now owned by TPG), can’t put a stop to this. I’m told scams like this are commonplace, no matter which ISP you use.

There’s a lot of it about. As you may have read recently, cyber crooks impudently set up a facsimile of the MyGov website, which holds an enormous database of tax, medical and social security detail.

Many of my Facebook friends are currently complaining about nuisance calls, phishing emails, spam or hacking of their ‘Messenger’ app. These scams are becoming so prevalent it behoves us all to put another layer of security in place. Many banks and institutions (including MyGov), use a ‘dongle’ or some form of two-step verification (a time-sensitive pin sent to your mobile).

There is a certain amount of sales-driven hysteria promulgated about the ability of ‘Russian hackers’ to covertly take control of your computer and start delving into your private details. Some swear by online password managers, but I favour an in-house, two-step method. It is tedious but safe, provided you don’t fall into the trap of allowing your web browser to save logins and passwords. Surely you don’t do that?

The anti-virus programme I uninstalled this week was quite good at doing what it is supposed to do, but it kept alerting me to potential threats and PC performance issues. Solving these supposed threats and issues meant upgrading to one or more ‘premium’ programmes.

Hassles aside, when technology works, it can be a joy to all. Last week I compiled a short video to send to my Auntie in the UK who was turning 100. My sister and her daughter sent me a video on Messenger as did my nephew. We recorded our own video greeting on the veranda at home, complete with kookaburras in the background. I called my other sister in New Zealand and recorded her audio message and then edited the clips into a 10-minute video and slideshow. I then uploaded it to YouTube with a privacy setting. My cousin in the UK said it came up great when cast to the big screen TV.

That milestone occasion got me musing about my teenage years (Auntie outlived her sister (my Mum) by 52 years). Technology sure has changed from those days as a rugby-mad teenager in New Zealand. I bought the transistor radio for one purpose; I’d set the alarm (a clock with two bells on top), and get up in the middle of the night to listen to (e.g.) the All Blacks play England at Twickenham.

Dad (left) had no interest in sport, but as a volunteer member of the St John’s Ambulance, he spent many a cold Saturday afternoon on the rugby sidelines, first-aid kit at the ready.

He’d have probably credited the ‘Deil’ with this 2019 example of electronic surveillance of professional athletes. When professional rugby players run out onto the field, a small digital gadget is tucked into a padded pouch on the back of their jumpers. The GPS tracker relays performance information to the coaching team (and, apparently, to rugby commentators). From this wafer-thin tracker they can upload data and analyse the player’s on-field movements. This is how Storm winger Josh Addo-Carr was proclaimed the fastest man in the NRL. He set a top speed of 38.5 kmh chasing a scrum kick down the left touchline in the round five match against the North Queensland Cowboys in April. He’d still get run down by a panther or a tiger, but it’s pretty darned fast.

While the top 10 stats look thoroughly impressive, I doubt the general public will get to hear about the half-fit players slacking off in the 63rd minute.

Fair go, as we say in Australia, as if it isn’t intrusive enough going into the dressing sheds and interviewing sweaty blokes in their underwear.

*general interjection of confirmation, affirmation, and often disapproval (Scots)