
Invisible security at your fingertips

By Darren Pauli August 21, 2020

Consumer cyber security has become much more user friendly and effective in recent years with technical complexity hidden behind seamless usability and easy-to-use apps. Yet a whole suite of largely invisible cyber security defences too numerous to list are available, often for free, by applying software updates.

This week we’ve covered some of the most important defences as part of Scams Awareness Week: password managers and the adoption of passphrases instead of jumbled codes; free and easy multi-factor authentication; updated advice on spotting phishing attacks; and locking down your sensitive data.

Scams Awareness Week: five ways in five days to free and easy cyber security

Set your devices to automatically update. Search online for ‘end of life’ and your device make and model to see if it is still supported and secure.

An update is available

Many modern apps and devices are set by default to automatically update. Updating can apply new features, improve stability, increase security, and close dangerous flaws.

Security researchers continually find and report vulnerabilities in hardware and software. No product is immune. Good vendors will produce fixes, or patches, for these flaws and distribute them in software updates.

Many consumer products from phones to routers and gadgets will receive updates for a period of time before the manufacturer deems them end-of-life, stops fixing security flaws, and recommends customers buy a new product.

Routers

Your router, if it is relatively new and produced by a major vendor, is likely set to automatically check, download, and install updates on a regular basis.

To check if it is, load your router’s administration page. Connect your computer via an ethernet cable to your router, likely through the socket at the back labelled WAN, and type the router’s IP address into a web browser window.

The IP address is likely printed on the underside of your router and looks like four numbers separated by full stops, such as 192.168.1.1. The username and password required to access the admin page (not your Wi-Fi network) may also be on the underside. If not, search online for ‘default login’ followed by the make and model of your router.

Once inside, feel free to navigate around without saving any changes. You should find your software update status under general settings or admin.

Set updates to automatic if the option exists and, if there is a button to manually check for updates, click it.

Look for a date of the last update – this might be next to or contained inside the update (firmware) file name such as tplink_abcxyz_20.03.2020.

Your router might be end of life if that date is more than a year old. You can verify by searching the internet for ‘end of life’ and the make and model of your router.

End of life routers should be replaced to ensure security. You may wish to consider replacing the router operating system instead with supported open source firmware like OpenWrt. These systems, while popular, generally have a highly technical interface, and installing them is a complex process that, if done incorrectly, could render your router inoperable.

Mobile

Modern mobile phone operating systems such as Android and iOS, along with their apps, are set by default to automatically update.

You can check by going to settings and searching for updates. Open your app store and apply any updates and check any boxes to activate automatic updates.

Apple supports its line of iPhones for much longer than other manufacturers, but most provide updates for their phones for two years or more. Some updates may occasionally be issued beyond that for highly critical security issues.

Computer

Among its regular consumer operating systems, Microsoft now only supplies updates for Windows 8 and Windows 10, although it too occasionally issues updates for older platforms to fix rare but especially pressing security issues.

Windows 10 contains a suite of built-in security controls that make computers significantly harder to hack than older Windows versions. It also offers well-performing built-in antivirus, eliminating the general need to purchase third-party antivirus.

As of November, Apple will no longer support macOS 10.13 High Sierra, instead catering to newer versions including macOS 10.15 Catalina, which sports Activation Lock, a feature that helps prevent unauthorised use and erasure of disks on devices that have the Apple T2 security chip.

Explore

Additional security settings can often be found by looking around your device’s settings. You may find options such as backups, which help in the event of data loss or ransomware (a type of malware), and others that increase your security at the expense of some convenience. Try them out; you may find the new barriers worth the additional peace of mind.

Microsoft Office has similar security settings. Most malware utilises document macros as an initial step in attacks. Macros can be turned off if you do not need them, which significantly increases security.

Consumers may also consider using a suite of tools called HardenTools, produced by Claudio Guarnieri, a highly-respected cyber security expert with Amnesty International. This Windows suite turns off many legitimate default features that cybercriminals commonly abuse to launch attacks. The process is reversible with the click of a button.

Organisations meanwhile can consider the deployment of Application Guard for Office, which protects macro use. It is in preview mode and available to customers who apply for access from Microsoft.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.


Secure your sensitive data for free

By Darren Pauli August 20, 2020

Open your email account and search for ‘driver licence’. Then search for ‘passport’, ‘Medicare’, and ‘payslip’. Now think about your email account password; do you use the same password for other accounts? When did you last change it? The sensitive personal information contained in your inbox is at risk if your password is used across other accounts.

That risk is higher still if you are like the 90 percent of Google users who in 2018 did not make use of a simple additional security check, known as multi-factor authentication, to protect their accounts.

Here’s how to take small steps for big security gains.

Scams Awareness Week: five ways in five days to free and easy cyber security

Start by making your email password unique, then switch on multi-factor authentication. After that, delete your attachments.

Lock shop

Your email password needs to be unique, so change it if you have reused the same one anywhere else.

The best way to do this is through a password manager. These can help you change all your passwords to long and unique combinations that you can set and forget. All you need to remember is your one master password which is the key to your password vault.

Another option is to use phrases for your passwords (also known as a passphrase). A sentence that means something to you, not taken from a book or movie, is a great choice. You’ll remember it since it is a phrase, rather than a random combination of letters and symbols, and it’ll be harder for an attacker to guess or crack. You still can’t reuse passphrases across accounts, though, so a password manager would again come in handy here.

Next, deadbolt your email account with multi-factor authentication. It is supported by most major email providers and can usually be found under your account settings within the security or privacy tab.

This security control, which usually requires an extra code when you first log in, is simple and makes hacking your email account extremely difficult. It also means an attacker will not be able to access your account if they steal your password.

Purge

Find and delete any attachments that contain your driver licence, passport, and other highly sensitive personal information you would most like to keep out of hackers’ hands.

Most email services allow you to check a box to return only search results with attachments, or you may be able to search for the phrase ‘hasattachment:yes’ along with any keywords like ‘driver licence’.

Your account is unlikely to be compromised when protected with both a unique password and multi-factor authentication, but there are phishing attacks that can steal both.

By deleting searchable records of your personal information in your email, you’re minimising the potential damage should it be breached.

Protect

You, like me, may choose to store a copy of your personal information (like your driver licence, passport, and Medicare info) in one easy-to-access location. You can do this whilst also ensuring it is secure.

I store mine within Google Drive inside an encrypted archive file – most commonly known as a zip file – using an entirely unique password. I use the 7zip extension with powerful AES encryption, both of which are set as default options within the free open source 7zip software.

This control means hackers who breach my Google account will be unable to find a copy of my sensitive documents within my thousands of emails. They will also be unable to open the archive containing my personal information because the password is different from any they have stolen.

If you need more regular digital access to things like your driver licence, try an app.

Tap of an app

I have not carried a wallet since 2017. My phone is my wallet, allowing me to pay and provide proof of identity.

So making fast and easy access to my driver licence is essential. I store a second copy of my driver licence and Medicare card, two items I often need in a pinch, in the Sync.com cloud service.

This is a secure so-called ‘zero knowledge’ service which is protected with multi-factor authentication. This combination makes compromising my data very difficult, yet access convenient through an app on both Android and iOS.

Many identity providers are starting to offer identity services digitally. Apps like Australia Post’s Digital ID, Services Australia’s Express Plus Medicare mobile app, or, if you’re in NSW or South Australia, your state government’s digital driver licence app, make it easy to access your identity documents quickly, backed by the government’s security chops.



Make hackers give up with multi-factor authentication

By Darren Pauli August 19, 2020

Burglars and cybercriminals have the same philosophy: when a target is secure, pick a softer victim. Using multi-factor authentication is like getting a free and easy deadbolt on your online accounts to go from a soft target to a hard target.

Two in three arrested burglars told police and academics they would avoid a home with a barking dog, while half would avoid one with a working alarm system.

Cybercriminals and professional hackers paid to test defences have said accounts protected with multi-factor authentication are an obstacle they would rather avoid.

It could be said then that adequate security is a matter of being more secure than your neighbours.

Scams Awareness Week: five ways in five days to free and easy cyber security

Most hackers are after quick money. Multi-factor authentication helps protect against these attacks.

The first step to securing your online accounts is to use a password manager and change any passwords that you have reused. Start with your most valuable accounts.

Next turn on multi-factor authentication (also known as two-factor authentication and two-step authentication).

Deadbolts for your accounts

Most hackers are after quick money. They blind-fire phishing emails in an all-too-successful bid to snare usernames and passwords, while others feed huge lists of hacked logins published online into automated password-guessing tools to break into accounts at scale.

Multi-factor authentication helps protect against these attacks with a deadbolt in the form of a check that is required after your password.

Most of the big technology platforms, from Google to Microsoft and Instagram to Reddit, offer it for free under user account settings, usually in the security or privacy section. A directory listing services that support multi-factor authentication is available at twofactorauth.org.

It is often a six-digit code generated in a special app or sent over SMS. It may, in the case of Google and other services, be an easy notification that appears on your phone asking you to tap to approve access. It can also take the form of a fingerprint reader or a special USB security key.

Attackers who have managed to steal your password must also steal these checks to gain access to your account.

But they have a short window to do it. The checks usually expire after 30 seconds to a few minutes, placing a tight time window on any attempt to steal them.

It is a hurdle that for most cybercriminals proves too hard.

Multi-factor authentication is easy for you, however. It is usually only required once, provided you use the same device or web browser and remain signed in. Some sensitive services like online banking that log you out after inactivity require the code to be entered on each login.

Super thief

Phishing works because people are at times inattentive and generally trust what they see.

It stands to reason that those who are willing to enter their details into a login form they believe is legitimate will also enter their multi-factor authentication codes.

Basic phishing sites store stolen passwords in databases that can be used in subsequent attacks.

Advanced phishing sites immediately send captured usernames and passwords to the legitimate services they mimic and log into the victim’s account in real-time. The sites then prompt victims to enter their multi-factor authentication codes which, when supplied, allow the criminal to access the victim’s account.

Other dedicated criminals can steal SMS-based multi-factor authentication by abusing phone porting, a feature that allows consumers to churn their mobile number to new providers.

Criminals need to have enough information on their victim to pass identity checks in order to gain control of a victim’s phone number and receive any SMS-based authentication.

New industry security controls make this attack very difficult. Pre-port verification codes must now be entered before phone porting can take place.



Super secure passwords you don’t need to remember

By Darren Pauli August 18, 2020

Passwords are a nightmare: many of us have set, forgotten, and reset them enough that we use the same one or two combinations for everything. Some use the same password for everyone in their family. But this practice, known as password reuse, is akin to using the same key for your house and car: criminals with your password in hand could access every account that shares the same login, just as a thief with your universal key could rob your house and drive away in your car.

Here’s how to have secure passwords that are easy to access so you never click ‘reset your password’ again.

Scams Awareness Week: five ways in five days to free and easy cyber security

Use a password manager. They are built into Apple, Google, and Samsung phones, web browsers, and are stand-alone apps. Most are free.

Huge lists published online containing millions of hacked usernames and passwords increase the chance that criminals will compromise accounts with reused passwords.

These attacks occur at scale. Criminals can automatically cycle through thousands of compromised logins until an attempt is successful.

Forget your passwords

Use a password manager. These set and store highly-complex, random passwords inside a secured service that is protected with the only password you need to remember. Set one password and forget the rest.

There are many free and easy options available, but you may find it easiest to use the built-in managers you may already have.

Apple’s iCloud Keychain password manager is built into iPhones, iPads, macOS, and the Safari web browser. Google’s password manager is built into Android-based phones including Pixel and Samsung lines, tablets, and the Chrome web browser.

Web browsers Firefox and Edge also contain a built-in password manager, while separate free and paid apps exist that work across all mobile devices and computer operating systems.

A good password is a Sentence1

Prevailing advice for decades has taught people to use passwords that are hard to remember and often easy for computers to break.

Requirements to set passwords with an upper and lower case letter, a number, and a special character result in people setting predictable passwords like P@ssw0rd1 or Summer2020!, and hackers know it.

Ultimately, security that comes at the expense of convenience inevitably comes at the expense of security.

So make the last password you need to remember for your password manager one that is strong but easy to remember by using a phrase that is unique to you.

Write it as a normal sentence, complete with spaces, and throw a number somewhere to make a highly original combination.

Another thing

Ensure your password manager is active whenever you wipe or buy a new phone or laptop. The software will capture your usernames and passwords as you log in to apps and sites, often a one-time requirement on mobile devices.

Your password manager can start warning you if your accounts are reusing passwords once the manager has saved a collection of them. You can use the inbuilt features to generate a new, strong, random password to replace each reused one.

Start by changing the passwords that protect your most valuable accounts: bank accounts, email, social media, and any associated with a business you may operate, including website, email, and mailing list administration. These are popular targets for criminals.

Prioritise changing breached passwords. Many password managers alert you when your passwords are found in hacked lists, giving you the opportunity to change them before they are used by criminals.

You may also choose to visit haveibeenpwned.com, a legitimate security service, which collects and conceals the same hacked usernames and passwords, allowing people to check if they are affected.
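Added example, not from the article: how a password manager or the Pwned Passwords service behind haveibeenpwned.com can check a password against breach lists without the password itself leaving your machine. Only the first five hex characters of the password’s SHA-1 hash are sent (the public range endpoint at api.pwnedpasswords.com/range/<prefix>) and the remaining 35 are matched locally. The `fetch_range` callable, `offline_fetch` and the `SAMPLE_RESPONSES` body are my constructions so the block runs offline; only the 5BAA6 prefix and suffix of SHA-1("password") are real.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # hex chars of the SHA-1 that are transmitted; the other 35 stay local


def split_hash(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex digest split into the prefix that is sent
    and the suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the range API's 'SUFFIX:COUNT' lines into a lookup table."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times `password` appears in the breach corpus (0 = never seen).
    `fetch_range(prefix)` returns the response body for that prefix; it is
    the only thing the remote side ever learns."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Real responses hold several hundred suffixes; the counts here are invented.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "00AC6C2C0A6F0D7B1E1F4A3B2C1D0E9F8A7:2\n"
        "FFEE0011223344556677889900AABBCCDDE:15\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of .../range/<prefix> using the constructed data."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup against the public Pwned Passwords range endpoint."""
    import urllib.request
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "my dog chased 3 seagulls at Bondi"):
        print(repr(pw), "seen", breach_count(pw, offline_fetch), "times")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the password still stays on your machine.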



I got phished: hackers hit right note with streaming music bait

By Darren Pauli August 17, 2020

I was so confident in my ability to spot a phishing email that I told my cyber security team I’d make sure to click theirs and not instinctively report or delete it. I knew I’d been had when I saw my colleague smiling an hour later.

Even I need to remember to always be sceptical of the unexpected.

Scepticism comes instinctively after a decade in journalism and so I was confident I’d spot the phishing email the team needed me to click for testing.

Scams Awareness Week: five ways in five days to free and easy cyber security

Be sceptical of unexpected communications, regardless of the sender and the platform on which they arrive. Contact the sender through official channels and report any suspected phishing to your security or IT teams.

They sent a phishing email offering six months of free music streaming. It was perfect bait since I was deciding what service to use.

I was fully expecting free music. My face fell into my hands as realisation dawned.

Falling victim to that phishing email popped my bubble of subconscious confidence, but it doesn’t make me an idiot or even an easy mark.

Phishing emails, like any advertising, work best when their well-crafted pitch hits the right audience at the right time.

Look for tpyos typos

Phishing often contains typos and offers that are too good to be true, but traditional advice to look for these indicators misses the mark.

Many security practitioners, myself included, argue there are now no rules to phishing and no useful hallmarks for spotting it. Traditional indicators could even be harmful if they lull people into thinking well-written emails are more credible.

Discover for yourself and imagine the role of a criminal writing a phishing email. What lure would you write to interest your target? Could you write one free of typos? What lure would you pick if you were emailing 20,000 people?

My team wrote a good lure. It copied branding that didn’t seem out of place for my inbox. But ultimately the email’s chance timing coinciding with my hunt for a music service was so good that I probably would not have noticed typos or wonky logos.

Better advice than hallmarks of phishing is to be sceptical of unexpected communication, regardless of the sender and on what service the message appears.

An email from your bank, an SMS from your energy supplier, a phone call from your telecommunications provider, or a direct message on your social platforms should all be treated as untrusted.

Confirm whatever the communication claims with the entity’s official phone or email address and not those offered in the unexpected contact.

The inconvenience will go a long way to increasing your cyber security defences.

Simple superweapon

Phishing is not going away.

It is the simple superweapon behind most successful cyberattacks from basic scammers to the most well-resourced nation-state intelligence agencies.

Technical controls can do much by blocking phishing and limiting the potential damage from successful attacks. But much comes down to your ability to detect and react.

Emotet, one of the most dangerous cyberattacks at present, spreads a variety of malicious payloads using phishing. These emails may come from people you know, delivered as replies to existing email threads, but they may still raise some suspicion.

Always report any possible phishing to your security or IT team, even if it is days or weeks after the incident, especially if you have entered your logins or run attachments.

Security teams can use the window between a phishing email and the stolen usernames and passwords being used in attacks to protect you and your organisation.
