Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday, March 26th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
With me today to discuss some of what happened in the past seven days is Terry Cutler of Cyology Labs. But first a quick look at some of the top stories:
People in Germany are the most knowledgeable about privacy issues, if a new survey is accurate. Americans ranked fourth and Canadians ranked 14th. The unscientific survey was done by virtual private network provider NordVPN. Forty-eight thousand people around the world filled out an online questionnaire about their privacy skills and knowledge.
They were asked to do things like choose the safest password from a list of five suggestions and choose all the ways to increase the security of a home WiFi network from a list of five. Among the global findings, half of the respondents said they ignore the privacy policies, terms and conditions when signing up for services or approving apps. Only 42 per cent said the most important thing to know is with whom their data is shared. And 49 per cent believe clearing their browsing history would wipe away their digital footprint entirely. That’s not true: Your internet service provider may still have a record of everywhere you’ve been on the web.
Terry and I will discuss these findings in a few minutes.
Another survey crossed my desk, this one from a British news site called Communitech, which ranked countries from the most to the least cyber-secure. It looked at data from a number of public sources, such as the per cent of computers in the country infected with at least one piece of web-based malware. Its scoring system concluded the most cyber-secure country is Denmark with a score of 75, followed by Sweden, Finland and Norway. Canada scored high overall, with 63. In fact that was twice as good as the United States. Tajikistan is the least cyber-secure country in the world, followed by Bangladesh and China.
Organizations continue to be hit by ransomware and by vulnerabilities in a corporate file transfer application called Accellion FTA.
Canada’s Sierra Wireless, a big manufacturer of wireless modules that go into industrial and some consumer equipment, had its production disrupted by ransomware. Our federal government warned that an unnamed company that supplies it with some services was hit by ransomware, although no federal data was apparently affected. Corporate server manufacturer Stratus Technologies said it was hit by ransomware. And Britain’s cybersecurity agency warned it is seeing a significant increase in the number of ransomware attacks going after schools and universities.
Global energy giant Shell is the latest to acknowledge it was compromised through the Accellion FTA file transfer software.
American insurer CNA admitted it has been hit by an unspecified cyberattack.
Now I want to bring in Terry Cutler of Cyology Labs. Hi Terry.
Today’s topic is general public cybersecurity awareness and whether surveys accurately measure it. By coincidence this is Fraud Prevention Month, so it works well. I’ll get to the global digital literacy test in a minute, but I want to start by recounting a scam phone call I got on Wednesday that many listeners might be familiar with: A guy with not very good English claiming to be from “the Microsoft solution provider.” He said he was calling because my Windows computer services “is not automatically properly update from the Microsoft.” I played along. To make a long story short, he had me open things in Windows config that showed some services weren’t running – which, of course, is normal. Then, to convince me he was genuine, he had me call up a screen that showed what was supposedly a unique Windows serial number, a number that started with “888DCA60.” I want to tell listeners who don’t know: this number is NOT a unique Windows number, and crooks like this know it. The whole idea of scams like this is to get victims to turn control of their computer over to the caller, who will install malware.
After a while I asked him, since he knew my phone number and had my Windows account, did he also know my name. He said yes. Then, I asked, why do you keep calling me “ma’am?”
He said his name is “Jack William.” I did an internet search about Microsoft scams like this, and nine years ago there was a report about a guy who phoned victims and said his name was “Michael Williams.” I guess the script is still being used. After I told him I was a cybersecurity reporter the line suddenly went dead.
My first advice to listeners is if someone calls and says they’re from Microsoft, hang up. If you have call display, write down the phone number and notify the Canadian Anti-Fraud Centre.
(The following is a condensed version of my talk with Terry Cutler)
Howard: Terry, how widespread are tech support scams?
Terry: These scams come in bursts. The scammers are going to get a bit more clever now. People are used to someone like “Jack Williams” with his thick accent calling, so they hang up. Now [scammers] are infecting legitimate websites, so as you’re browsing the internet you might come across a website where all of a sudden your computer screen locks up. It’s a blue screen, and you hear this voice saying ‘Alert, alert, your computer has a virus. Call this number.’ It looks like you’re calling Microsoft, but you’re actually calling “Jack Williams” …
They also do search engine optimization things [to catch victims]. I’ll share a real story that happened to my mom while she was updating her antivirus software. She had bought the U.S. version instead of the Canadian version and she wanted to get a refund. So she went on to Google, typed in the vendor’s contact details and called a Jack Williams kind of guy at this “AV” vendor. All of a sudden they had remote access into her computer and said, “Your computer’s infected.” The guy on the phone wanted $700.
Q: Which brings up the question of how cyber- and privacy-aware people are. The Nord VPN survey I referred to earlier has some interesting results. Almost 15 per cent of Canadian respondents said they don’t manage app permissions. They allow everything the app asks to access when they install an app. One-third of Canadian respondents said that they postpone software updates rather than acting immediately when an alert says an update is available. Eighteen per cent of Canadian respondents think it’s okay to use the same or similar passwords on multiple accounts. How accurate are surveys like this? And do they tell us what the state of security awareness among the general population is?
Terry: Well, remember, this survey is taken from a very small population of folks. I think there’s a great lack of digital literacy here in Canada. I do a lot of presentations and a lot of internet safety awareness training, and most people don’t have a clue, especially when it comes to parents trying to protect their kids online.
Q: The thing is some of these studies involve scoring systems that have been invented. I realize that they’re trying to measure something that’s difficult to measure, but sometimes I wonder how much they really tell us. So for example, in the Nord VPN survey Germany was the top country with an overall score of 71. Canada was 14th with 64 points, but ahead of us were two countries with 65 points, and two more countries just ahead of them. So Canada could have been 11th. Now, I suppose 14th is better than 21st, which was Japan with 44 points.
Terry: If you fall victim to these scams a first response is I’m gonna call the police. They’re gonna help me out. But the police don’t have the time or resources to help you with your hacked accounts and all these things. My number one call last year [from clients] was “My Instagram account got hacked, or my Facebook account got hacked.” People also think, “I’m too small to get hacked. I’m not going to be a target,” but the cybercriminals know that you don’t have the time, resources or even budget to handle cybersecurity. People would rather watch The Bachelorette than learn how to protect themselves online.
Q: What do you do with this number from the global survey: Of all respondents around the world who answered, 49 per cent said that they believe clearing their browsing history would wipe away their digital footprint entirely. Which isn’t really true, because your internet service provider probably still has a record of everywhere you’ve been on the web. So how do we change that attitude?
Terry: I get that question a lot, too: “How do I become totally anonymous online?” It’s very, very, very difficult. [Also] a lot of folks think that they have nothing to hide, but then once they get scammed and all of a sudden their social insurance number leaks or the credit card data or their tax returns. All of a sudden now they become really scared about what’s really on their computers and what needs to be protected.
Q: Here’s one of the other results: Half of the respondents said that they ignore the privacy policies, terms and conditions when they sign up for services or approve apps. How do we get that changed?
Terry: I think what happens is when you’re faced with a 30- or 50-page terms and conditions most people obviously don’t even read it. They glance through it. There was actually a test survey done where they wanted to see how many people will actually read one. And [it included] ‘You authorize a fleet of drones hovering over your house for the whole year.’ I think only one person caught that, and they were paid like a dollar every time they would find something. But if you’re not paying for the product, you are the product. So remember, as you’re using a free platform, on the back end of these things you’re actually giving away a lot of personal data.
Q: You’ve got a learning university on a site.
Terry: When I first took my ethical hacking training I felt it was my duty to share this information with the general public so they can keep safe online. So since 2008, I’ve been presenting in schools. But the issue I had was I couldn’t be in 50 places at once. So what I did was take everything from my head on how to protect yourself as a consumer and put it into a digital product.
I launched it back in 2013. Today it’s got over 31,000 students from 150 countries in it. There’s a whole free masterclass available online at www.internetsafetyuniversity.com.
Q: The other thing that I wanted to talk about this week is an investigation Google did into one hacker’s exploitation of what are called zero-day vulnerabilities. These are security holes that software developers don’t know about. To make things short, it discovered that this sophisticated hacker had suckered specific people into going to infected servers that could deliver malware to Windows, Apple or Android devices. And it was done by finding and using seven zero-day vulnerabilities in Windows, in the Google Chrome browser and in the Apple Safari browser to get into victim systems. I thought it very disturbing because it’s evidence of one very determined and also one very sophisticated attacker finding vulnerabilities.
Terry: That’s why I think bug bounty programs are going to be key. It allows cybersecurity professionals to test the vendor software and actually show them where the holes are, and they get paid for it. In this case cybercriminals can leverage that information [on vulnerabilities] for financial gain. A lot of this information is being sold and shared on the dark web as well.