News Stories

Cyber Security

content by Timothy Strachan, TPG and Daniel Borin, StrataMax

Share:
Cyber Security

“ The Australian Crime Commission estimates put the annual cost of cybercrime to Australia at $1Billion a year. But the strategy’s report factors worldwide losses from such attacks to be at 1% of GDP. With that reckoning, the real impact on Australia is more likely $17Billion annually”.

Fighting Back from Cyber Attack – Chris Johnson
Sydney Morning Herald: 23-24 April 2016

Background

Historically there has been less investment in security as a whole in Australia than in Europe and North America from a consumer perspective. In typical laid-back Australian fashion, Australians often see themselves as ‘too far away’ to be concerned. Of course in the ‘internet era’, this could not be further from the truth. We are also experiencing an increase in attacks sent within Australia. It’s a lot easier to trust an online entity masquerading as a major Australian bank than a Nigerian prince.

A lack of awareness of security at all levels, underinvestment in security, and a shortage of skills have all contributed to making Australia, and the Asia Pacific region, a relatively easy target. 

So what does this mean to us in strata? Considering the billions of dollars of transactions online which occur in managing strata, this is definitely an industry which should be concerned.

The Internet at Work

In our business world the internet is used every day. Websites and social media are important vehicles for reaching customers but they’re also potentially risky places. We are now actively embracing ‘The Cloud’ although it should be noted in larger organisations there’s a significant degree of caution in using internet-based systems due to concern for hacking, losing data and downtime.

In recent statistics from the Australian Bureau of Statics, of the 757,000 businesses in Australia, 95% are connected to the internet, 47% have a web presence, 31% have a social media presence, 69% communicate with customers through the web and 19% use ‘paid’ Cloud Computing. 

the cloudSo what is ‘The Cloud’?  Not a heavenly, floating mist of computer data in the sky, but a network of computers distributed around the world and connected by the internet. It is computer programs and data being stored on a computer in a remote location. This is where the trouble can start with so many connections for the hackers and cyber-criminals to gain access to your computer and company systems.

With the internet being always on, workers find themselves spending more than twice as much time using the Internet in the office, than when they’re at home. Notably, the primary work task on the internet is related to the company’s financial activities – banking, invoicing and bill payments but money is a magnet for criminals and it’s our familiarity with conducting financial transactions online that makes us vulnerable which can lead to letting our guard down. 

Apart from business-specific use, people use work computers for personal use especially with the temptation of always being on. People average 21 hours per week online at work versus 9.5 hours per week at home.  30 to 40% of internet use is not related to business and 60% of all online purchases are made during working hours with 64% of employees admitting they use the internet for personal interest during working hours. 

Having the internet always on makes it easy for workers to lose focus and get distracted, and/or to specifically conduct personal activities over the company’s internet connection – it’s free and often faster than what may be at home. 

So what are some of the implications of the time people spend online? These are some of the concerns: 

  • 86% of all email is Spam and approximately 50% has illegal content 
  • file-sharing/peer-to-peer is a conduit for viruses and malware 
  • 60% of security breaches occur within a company - behind the firewall 
  • 58% of industrial espionage is perpetrated by current or former employees 
  • 48% of large companies blame their worst security breaches on employees.

Sometimes it’s accidental, but the malicious activities of disgruntled employees can have a dramatic effect on a company’s security because these people are inside the network – on the ‘safe’ side of the security systems.

Cybercrime and cybersecurity issues are not rare or isolated - they are a real and expensive problems.

“Financially motivated criminals that exploit and access systems for financial gain are a substantial threat to Australia. Transnational serious and organised cybercrime syndicates are of most concern, specifically those which develop, share, sell and use sophisticated tools and techniques to access networks and systems impacting Australia’s interests”.
    
Australian Government’s Australian Cyber Security Centre 2015 Threat Report 

These are the facts:

  • In 2015, 25% of Australians reported as being victims of Identity Theft at some time - up 7% from the previous year.
  • Fraudulent credit applications involving identity takeovers in Australia rose 59% in the past two years and 17% in the past 12 months.
  • In a recent case a company whose employee system was breached received reports from over 20% of their employees that they had false tax returns filed in their name with funds being placed into a bank account unknown to them. 

Protecting Your Business against Cyber Crime

So how can you make sure your business is not affected and what are some of the safeguards in protecting your data? 
    
Following we will cover four main areas of concern, WiFi attacks, mobile hacks, email hacks including spoofing, social engineering and ransomware and finally identity theft.

WiFi Attacks

Challenges faced with Wi-Fi include difficulty in verifying who the WiFi belongs to and not being able to put a boundary on a Wi-Fi network. While public networks are the most risky office Wi-Fi can also be a serious area of vulnerability as detailed below.

wi-fi hacksWhen you are in public you have no way of knowing who is actually broadcasting a Wi-Fi signal so when you connect to a network you could inadvertently be sending all of you network traffic to a Cyber Criminal. Security experts would strongly recommend that you don’t use them under any circumstances. Solutions around this include using your phone as a hotspot, bringing your own mobile Wi-Fi router or potentially even buying a data roaming pack from your mobile phone provider when you travel.

Your internal office WiFi network is also one you should be aware. There is currently a product on the market called WiFi Pinapple which is designed to penetrate WiFi networks. 

This little device although legal and available freely becomes an intermediary between your office WiFi and your computer without you knowing so instead of messages and data going between your computer and your WiFi network it goes from your computer, to the pineapple, to the WiFi and the same in reverse. The way this works is that the Pineapple broadcasts itself as your office network while simultaneously bridging a connection through your office Wi-Fi router with its second aerial.  The owner of the WiFi Pineapple now has all of your data which you have sent online. This may be sensitive information including passwords, credit card numbers and bank accounts.

The WiFi Pineapple also strips the SSLS security essentially taking the padlock off and making websites unsecure.

To defend yourself from being hacked using an office network the following recommendations are important: 

  • avoid Wi-Fi within your office 
  • always use a VPN 
  • check for the padlock SSL

Mobile Hacks

Mobile phones are often neglected from a security standpoint but they represent one of the fastest growing targets for cybercrime. Skycure Research Monitoring report that 25% of all devices are exposed to a network hack in the first month of use.

These are some steps to take to ensure your mobile phone remains secure:

  • do not jailbreak your phone 
  • do not install apps outside of the iTunes or Google Play stores 
  • do not click on suspect links and 
  • use virus/malware protection

Email Hacks

One type of email hack is called email spoofing. This is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to their solicitations. Spoofing can be used legitimately and you will often see it when a company will use a third-party supplier for their email marketing but it looks like the message has come directly from the company.

Although most spoofed email falls into the ‘nuisance’ category and require little action other than deletion, the more malicious varieties can cause serious problems and security risks. For example, a spoofed email may purport to be from someone in a position of authority, asking for sensitive data such as passwords, credit card numbers or other personal information, any of which can be used for a variety of criminal purposes.

Following are some tips for defending yourself against email hackers

  • never open non-PDF attachments on email unless you know the source and are expecting them
  • don’t enable Macros
  • don’t click links in emails – use google instead or paste into a link analyser such as virustotal.com
  • use a secure email gateway
  • use a web proxy
  • backup regularly, store offsite, and test regularly
  • segment your network and give as little access as needed

Another common threat is social engineering. These are techniques employed by cybercriminals designed to lure unsuspecting users into sending them their confidential data, infecting their computers with malware or opening links to infected sites. Hackers may try to exploit a user's lack of knowledge. Thanks to the speed of technology, many consumers and employees don't realise the full value of personal data and are unsure how to best protect this information.

Protection against social engineering needs to start with education. Users must be trained to never click on suspicious links and always guard their log-in credentials, at the office and at home. In the event that social tactics are successful, however, the likely result is a malware infection. To combat rootkits, Trojans and other bots, it's critical to employ a high-quality internet security solution that can both eliminate infections and help track their source.

Highly sophisticated social engineering attacks use advanced scraping software to scan social media profiles. They then send customised emails with names, locations, job title and more to dupe a recipient into thinking it is real. They typically come via a spoofed email purporting to be an official email

Ransomware

ransomwareCyber criminals are scraping personal information from thousands of Australians' social media profiles and using it to trap victims with ransomware, a type of malware that freezes computer files and demands money to unlock them.

The ransomware — appropriately titled 'Locky' — is spreading quickly on the web in various guises, including the well-known Australia Post email scam. What makes the scam so dangerous is that it addresses the recipient with personal information such as their full name, location, workplace and job description — all gleaned from their social media profile and designed to dupe them into thinking the email is legitimate. 

MailGuard, the anti-virus and security company which discovered the scam, said hackers were using ‘highly advanced’ scraping software to scan social media profiles and automatically deliver the malicious email to tens of thousands of victims. The email, which looks like it's from Australia Post, tells the recipient to print an attached ‘shipment confirmation’ and bring it into an AusPost store, along with ID, to collect a parcel. Once the victim downloads and opens the attachment, it runs a simple JavaScript code that locks their computer files and demands a ransom fee in bitcoins usually worth hundreds of dollars.

The ransomware encrypts files on your PCs, networks and servers. As you probably know encryption is great for privacy and security when you hold the encryption keys. When someone maliciously encrypts your files they hold the keys. It’s like having a squatter change the locks on your house. You know all your stuff is in there you just can’t access it.

As with kidnapping then comes the ransom. Pay up and we’ll unlock your files. This is big business so it usually comes complete with call centres and support staff.

There are three main options you have with ransomware:

  • use security software to try to unencrypt everything 
  • pay the ransom 
  • restore from last clean backup

Using security software to try and unencrypt is a good option but you then need to use some anti-virus software to identify and clean the malicious files that caused the damage. There are no guarantees that you will 100% clean the infection.

You can pay the ransom (which could be as low as a few hundred dollars and as high as tens of thousands) and hope that they give you the correct files to unencrypt your system.  You also have to hope that nothing nasty was left behind. The problem with this approach however is that it encourages more ransomware.

The last and probably the best option is to restore your system to a point before the ransomware hit. 

To defend yourself against these social media hacks there are some simple things you can do

  • review your privacy settings in your social media accounts 
  • don’t connect to strangers 
  • be suspicious 
  • if you have any doubt at all, make a call to your IT experts

Identify Theft

identity theft

What do these companies have in common?

  • LinkedIn 
  • Adobe 
  • Ebay 
  • JP Morgan Chase 
  • Sony 
  • Target 

Each of them have had more than 50 million user accounts breached

Over the past 10 years, there have been almost 2 billion user accounts breached worldwide:
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 

You can check for yourself to see if you have been one
www.haveibeenpwned.com 

Here are some tips to protect yourself from identity theft

  • only use complex passwords with numbers, upper/lower case and punctuation
  • never re-use passwords
  • don’t iterate passwords
  • use a good password manager
  • use 2-Factor Authentication where possible

Cybercrime is real and not to be ignored. Staying well informed and taking the appropriate actions to protect yourself are the best ways to start. Don’t ever think it couldn't happen to you.

Article written based on a presentation for the SCA National Convention 2016, presented by Timothy Strachan - Special Projects, TPG and Daniel Borin - Director, StrataMax on Cyber Security

Return to News Home

Posted

Thursday, June 2, 2016