“China’s size and technological weight means that it has the potential to control the global operating system”.
Fleming’s main cybersecurity concern is China, but he has strong words to say about Russia. It has sophisticated world-class state-sponsored hacking. Russia was behind the attacks on the SolarWinds software used by US government departments.
He says China is working on emerging technologies, but it has a competing vision of the future. It’s a vision that doesn’t respect liberal western thinking.
His answer is for the west to develop its own technologies. He also wants allies to work more closely to build better cyber defence networks.
Up to a point this is an extension of the earlier campaign against Huawei. That resulted in western governments banning the company from building strategic 5G cellular networks.
At the same time it reflects increased tension between China and the west.
There’s a deepening rivalry between China and America. Western nations are being asked to pick sides. This now extends beyond commerce: both sides have increased their military activity.
Russia is opportunistic and threatens Eastern European nations. That presents the rest of Europe with a security problem.
Behind these rivalries nations are fighting a tech war online. Many of the threats facing computer users come from state-controlled teams.
“They’re not good in any industry they have to compete in or have to be innovative in. They can buy and they can copy, like they just did the other day, again, with another thing. What did they borrow from? From Clubhouse or whatever. They just can’t do anything innovative.”
It’s hard to like Facebook. At its worst, the company’s business model depends on manipulating emotions. At times it does this in dangerous ways. The more it seeds fear, loathing and misinformation, the richer it gets.
When it’s not undermining democracy, Facebook makes money by spying on its users. It then sells the fruits of its espionage to the highest bidder.
Facebook has no respect for its users.
Over half a billion customers have details leaked
Last week we heard the personal details of over 530 million users are circulating online. Facebook treated the issue as a public relations problem, not a security breach.
To put that leak into perspective, 530 million people is around seven percent of the world’s population.
Facebook says it has no plans to notify users of the data leak. At no point was there anything resembling an apology or an admission of guilt. So far it has focused on deflecting blame.
The leak may be old news; Facebook says it is. It says it fixed the problem. Yet it underlines the lax attitude and incompetence. A company packed with high-paid engineers should be able to protect user information.
Facebook launched an ad campaign insisting that those who will be most hurt by Apple’s changes are small and medium-size businesses, which represent the majority of the social network’s more than 10 million advertisers.
If their business depends on lying to Facebook users, that’s not a real problem.
Swisher and Galloway end their discussion acknowledging that for a potentially vulnerable business, it remains popular with investors. That’s true.
Facebook isn’t going to fall overnight. There’s enough wealth in the business for it to switch its focus and remain huge. Microsoft did this when it flipped from PC software to cloud computing.
Humans are online security’s weakest link. That’s not news. Yet New Zealand bosses will plug every other hole before they attend to the problem.
One problem is that managers have an unrealistic view of workers’ security smarts.
Aura, an Auckland-based security company, is on to the problem.
From a recent Aura press release:
Businesses can have the best protection available, but if a staff member unknowingly lets a cybercriminal into the system then it won’t matter.
Independent research commissioned by Aura Information Security reveals staff are not as secure as their IT managers may think.
While 62 percent of New Zealand businesses say they carry out security training exercises with their staff, 37 percent of Kiwis say they have received training on good cyber security practices.
Good password practice
This disconnect is further emphasised by password practice. Many IT managers encourage staff to use password managers. This guards against the most common password mistakes.
Yet, few staff take this advice. Aura says a third of employees admit to reusing the same passwords for work and personal devices and accounts.
For me, this gets to the nub of the problem. Companies are happy spending money on things. They buy security software, firewalls and even tools like password managers.
This sets up a false sense of security. It would be unfair to say they buy security products and sit back feeling safe. But there is an element of this.
In too many cases companies don’t train their staff how to use the shiny new security tools. Nor do they check on how things are working in practice. If they do any training it can be out of context. You have to explain why password hygiene is important. People need to understand what the risks are and what the consequences could be.
Another problem is people not updating their software to the latest versions. Updates include fixes to recent security holes. A lot of the time you can configure software for automatic updates; your employees need to know this. They may need to handle the updates themselves.
All this is harder now many people work from home. They may even use their own hardware and software.
Which is why it’s important to educate people on online security basics.
Take phishing – that’s tricking people into sharing private information. It remains the most common attempted online crime.
Phishing relies on people not being trained to recognise security threats. There will be workers who don’t know this, let alone how to respond.
Tools can help online security, but the best defence is to help people develop safe habits. If you’re spending money on online security, think of budgeting at least half of the total on education.
The report coincided with turbulent times for schools, teachers and students. Part of the period covered was when students were sent home and asked to continue studying online as the nation locked down to respond to the Covid pandemic.
Attacks peaked a week after students returned to their classrooms after the nationwide pandemic lockdown. At one point New Zealand’s schools were on the wrong end of more than 2,000 online threats a minute.
You can see how distributed denial of service attacks peaked at this time.
The report covers online safety between April and July 2020. That’s term 2 in New Zealand. It includes 22 days of remote learning when students were away from N4L’s managed network.
During this time N4L blocked more than 120 million individual threats. This represents a 13.7 percent increase on term 1.
Phishing remained the most common threat. N4L blocked more than 150 attempts per school per day during term 2. The number of attempts was 44 percent lower than in term 1.
This suggests criminals attacking school computers had moved on to fresh pastures.
Meanwhile, the number of virus and malware incidents climbed during term 2. As did unauthorised attempts to access school networks.
Schools were not alone. All forms of online crime surged as the pandemic sent students and workers home. There were more threats and the severity of threats increased. Many were designed to prey on people’s anxieties triggered by Covid. The criminals also saw opportunity with people using less secure home networks.
Online criminals tend to focus on low-hanging fruit. There are enough targets with little or inadequate security to keep many of them busy. N4L’s report doesn’t say this, but you can deduce that the crooks find easier pickings when students log on from home than when they use the internet at school.
Not all threats for school students working online are from criminals chasing money.
While N4L works to keep students safe from harm, pornography represented just 1.4 percent of blocked websites. It also works to keep students focused on learning. Two-thirds of blocked sites were file-sharing, social networking, games, online storage and free software downloads.
N4L CEO Larrie Moore says: “This year we are building our security operations capabilities, providing greater cyber security support to schools and continuing a four-year Ministry of Education programme to upgrade the wireless networks inside schools.”
The cost of crime is rising even faster than the number of incidents. Cert says people reported crimes worth $6.4 million in the quarter. Again that’s almost double the same period a year earlier.
Cert is the government agency set up to help and advise businesses, other government agencies and individuals who face online crime.
Reported crime is only part of the story
It points out the numbers reflect reported crimes; the actual level of incidents and losses incurred will be higher. It could be much higher. People aren’t willing to admit they’ve been duped. Nor are they happy being identified as victims.
While phishing and credential harvesting were the most reported incidents, distributed denial of service attacks on high-profile organisations like the NZX made headlines during the quarter.
The quarter saw the emergence of Emotet, malicious software spread by email. If users click on links in the message, the software will install and steal sensitive data including passwords.
You can use security software to help guard against malware. Not everyone needs it and there is a downside to relying on technology to protect you from crime.
If you are confident and tech-savvy, save the money you’d spend on anti-malware software and invest it in making better backups so you can recover faster if hit. Buy at least one local external drive and find a cloud service you can work with.
Less confident users might prefer security software. It should stop malware from infecting your computers. Keep in mind that it won’t protect you from most other online attacks. Anti-malware software can lead to a false sense of security. Fraud and phishing tend to work by convincing you to click on links or hand over information. It’s hard for software to fix that.