New Zealanders are only fooling themselves if they think our geographic isolation and small population make us less attractive to cybercriminals. We’re a significant hub for internet traffic, and as we get better connected within our borders, we’re also likely to be more at risk.
Those warnings come from Greg Singh, a specialist at security solutions provider RSA. He told NetGuide that externally at least, New Zealand is well connected – major internet infrastructure runs through this country to and from Australia and the USA. Therefore a lot of internet traffic passes through here courtesy of our major telcos, and that’s where the bad guys hang out.
“People living in isolated places like New Zealand tend to feel they’re safe because they’re far away from the rest of the world,” he said. “But when you look at the way that networking runs these days, you’re really only milliseconds away. In terms of malware and botnets this means a lot; there’s obviously good connectivity into New Zealand, which is one of the key attributes that people who want to commit crime are looking for.”
As we’ve reported before, cybercrime is massive and well organised these days. Malware is manufactured with the aim of stealing people’s online identities – passwords or bank account and credit card details. Criminal enterprises operate in very businesslike fashion, not only creating malware to infect computers, but selling it to other criminals, saving them the task of writing such programs themselves. RSA calls it “Fraud-as-a-Service”.
What’s worse, conventional anti-virus tools are becoming less capable of detecting the sophisticated malware that’s circulating on the web these days. Criminals can now buy ‘malware kits’ for around $US700, then make them invisible to anti-virus software by changing the internal code ‘signature’ used by most widely sold anti-virus products to identify malware and keep it out of your computer. Creating a new signature is simple enough, but producers of anti-virus software don’t have the resources to identify every new signature that is created.
“A number of anti-virus products that work on signature-based technology have reached the edge of their capability to deal with the malware problem,” said Singh.
Social networking is one of the fastest growing threats to online security, and the problems are largely caused by people’s own stupidity. Hackers look to capture users’ login credentials from sites like Facebook, MySpace and Bebo. This information can allow them to pose as someone else. A user is more likely to click on a link to malware if they’re invited by a ‘friend’ to look at a cool new video or read some hot gossip. The trouble is, we’re posting too much information about ourselves.
“I really think that information about yourself, especially things like birthdays, should remain private,” said Singh. “People tend to put up everything about themselves – phone numbers, addresses, details of every job they’ve worked in – this is a breeding ground for identity theft.”
Using such stolen information, a thief can create an identity that allows them to open a back account or a line of credit – and authorities looking for the fraudster end up following a false trail towards an innocent person. Singh says you should keep your personal and business networking separate: use Facebook for private things, and a network such as LinkedIn for business.
“People will generally get stung by some sort of social networking posting and realise they shouldn’t mix their work and home communities,” he said. “You need to be reasonably ruthless with people who want to connect to your community or social networking application, and I think people need to understand that it’s okay to say no.”
And if we’re stupid about networking, when it comes to passwords we’re just plain lazy. We devise one that’s easy for us to remember (and just as easy for a hacker to crack), we use it for multiple logins on different sites, and we seldom bother to change it. Singh’s advice: passwords should be a mix of upper/lower case, numbers and other special characters (?,# etc) – you’ll be told if any characters are unacceptable. Also never use a word that’s available in the English language; a hacker can run the whole dictionary across a password in seconds to see if they can get a match. Avoid proper nouns as well, and obvious things like your spouse’s or your pet’s name. There’s another handy tip for creating passwords on page 54 of this issue.
For online banking, you’ll probably be told to change your password regularly (sometimes every 30 days). To make this easier, there are applications called Password Safes (you’ll find them by typing those words into Google). You create your online ‘safe’ which only you can access with a strong password (write it down and keep it somewhere away from the computer). When you need a new password, it generates one for you. You lock it away in your ‘safe’, then copy and paste it in when required.
This is all sensible advice, and it’ll become even more important as our local connectivity improves, with the old copper wires being replaced by fibre optic. “You’ll be looking at a much more capable network for the nation, but also the viability to run malware infrastructure from the country suddenly becomes a lot more attractive to the fraudsters,” said Singh.