Just as I was thinking about the unexpected email from the Australian Taxation Office, She Who Mocks ScoMo called me in to watch a live press conference about cyber attacks.
Beware of State-based actors with sophisticated means to hack Australian infrastructure, began the Prime Minister, Scott Morrison (ScoMo).
“He’s dog-whistling,” interjected SWMS. This of course sent me off to google what ‘dog-whistling’ meant. After discounting a video of a wizened old Kiwi farmer in gumboots and a Swanndri using two-fingered whistling to direct his sheep dogs, I alighted upon this:
dog–whistle: a type of doublespeak used in political messaging. Dog whistles work by employing language that has normal meanings to the majority, but can be implied or loaded to mean very specific things to intended recipients.
In this context, there were several observations to be made – what was the government seeking to do by causing fear and trembling in a community already alarmed about the coronavirus? What news did the government not want to get out, hiding behind the ‘cyber-attack’ smokescreen?
I asked a couple of IT gurus I know what they made of it all.
“Whatever it is, just sandbox it,” said one (which means isolating the malicious email/code and testing it in a non-network environment).
“Well if Scotty from marketing says there are more state actors right now. you gotta believe him,” said our resident geek boy.
“I might even quit my day job and go after my real dream as a state actor. Hopefully they do the Scottish play. .. I know that one well.”
Chin up Scotty, they’re not taking you seriously – should they?
After analysing the press conference on Friday morning, I tend to agree with ScoMo’s “it hasn’t just started” caveat. The controversy over Russia’s involvement in social media manipulation of the 2016 US election is one example alone. CSO Australia recently listed the top 15 cyber security breaches of the last 20 years, ranked by the number of people whose personal data was stolen. Data belonging to 3.5 billion people was compromised in the top two alone (Adobe and Adult Friend Finder). Well-known names on the list include LinkedIn, Yahoo, eBay and Marriott International.
The PM refused to be drawn on which ‘State-based actor’ was the villain of the piece but journalists have, of course, made much of the role of China as the state power with the ability and the motive.
If there is anything useful to be drawn from ScoMo’s cyber attacks warning, it is perhaps to remind computer and smart phone users to do a regular Wi-Fi security audit.
The growing popularity of smart devices (Wi-Fi speakers, smart TVs, household appliances that take verbal orders and Bluetooth-enabled devices has just added new vulnerabilities to the wired household.
I use Bluetooth to hook up my phone in the car but I also to stream music to wireless speakers. No problem, you’d think.
Technology writer Dave Johnson says, rather colourfully in this article for howtogeek.com, that “Bluetooth is about as secure as a padlock sculpted from fusilli pasta.”
Johnson recently attended the Def Con 27 security conference where the first order of business was to ask delegates to disable Bluetooth while attending the conference.
Tyler Moffitt, a senior threat research analyst at Webroot, says there are “zero regulations or guidelines” as to how Bluetooth vendors should implement security. He also warned that smart phone users might not know that using Bluetooth with earbuds disables the smart lock, leaving the phone open to abuse.
Moving right along, the other security threat which bothers experts is the proportion of social media users who do not use or understand privacy settings. Password manager LastPass revealed in a recent blog how careless people are with their private information. A survey showed that 52% of respondents set their social media profiles to ‘public’ (open to FB’s 1.7 billion account holders!) The survey showed that 51% of social media users had shared vacation photos, an open invitation to burglars who troll social media. About 20% shared pictures of their house or neighbourhood and 25% shared pictures of their pets or kids).
The government’s over-kill way of bringing cyber security to ‘front of mind’ was timely, in that June and July are the peak scam months.
Our end of financial year reminder from the ATO did seem genuine, given it was addressed to the recipient by name. We became suspicious in that the email encouraged clicking on links to ‘learn more’ – something the ATO says it never does.
That is an example of the common email scam known as ‘phishing’, an attempt by someone posing as a legitimate institution to trick individuals into providing sensitive data. An article from The Conversation, titled “Don’t be phish food!” cited below, summarises why you should be suspicious of bogus emails. Phishing scammers are not afraid to impersonate government agencies, banks or large institutions – even your own ISP!
If it looks real but you were not expecting it – be wary.
The very least you can do to avoid cyber attacks is change your computer logon passwords. This was one of the key messages from The Australian Cyber Security Centre. ACSC’s website advisory says the attackers are primarily using “remote code execution vulnerability” to target Australian networks and systems. That is, the attacker attempts to insert their own software codes into a vulnerable system such as a server or database, thus taking control. That, folks, is why Windows 10 keeps updating your operating system.
While you are at it, change all of the passwords you use for social media, web-based email and any website which holds your financial information. Make them complex passwords of at least 8 and preferably 10 characters. Check your social media settings and ensure that you are set to private and friends only (or at worst, friends of friends). If you are on the Facebook app Messenger, don’t open videos, even if they are sent by your lover or maiden aunt. Much-circulated ‘joke’ videos containing malicious code are often used to hack someone’s Facebook account. (What – you didn’t know that?)
If all else fails, you could purchase a Faraday Cage, invented in the late 1800s by an English scientist (Faraday). The cage is an enclosed space made of conductive material that blocks electromagnetic signals. Wi-Fi and cellular signals are rendered useless inside the cage.Any spy worth his 2020 clearances would have mini-Faraday cages at home and work in which to keep smart phones and other hackable devices safe from cyber attacks.
Coincidentally, this week we just started watching season five of the quality French spy thriller, The Bureau*, where the Faraday Cage got a mention in episode one or two. This up to the minute drama, while fictional, nonetheless references present day political pariahs including Trump, Putin and Assad.
In the early episodes we see one of the protagonists in a Russian troll factory – a vast air conditioned room where drones fly a circuit to make sure the worker bees are not eating baklava at their keyboards.
If you are really concerned about cyber attacks, you could get an engineer, an architect and a builder to collaborate on the hacker-proof house, modelled on the Faraday Cage.
Shouldn’t cost that much.
(By all means, watch ‘The Bureau’, but only if you don’t mind numerous gratuitous sex scenes. It is French, after all. And you can improve your French language skills too, if you don’t look at the sub-titles. Ed.)