Australian Plumbing Industry magazine’s roving reporter Matt Reynolds recently sat down with digital and cyber security expert Tom Crampton to talk about protecting both business and personal information online. For the past decade his company, Trusted Impact, has been helping both the Australian Government and some of Australia’s biggest and best-known companies protect themselves and guard their most valuable digital information. As part of our health & wellbeing issue, we can all learn something from these tips on how to keep your cyber usage safe.
MATT REYNOLDS Does the average person, someone like me, a plumber, who’s just going about my own business day-to-day, really need to worry about cybercrime?
TOM CRAMPTON There’s a broad range of skill and cyber risk. On one hand you have large-scale crime, when nations try to steal each other’s information or take control of things like the power grid. That level of hacking is very advanced, and most individuals like you and me, or even small businesses, shouldn’t be too worried about it. What we are concerned about are the criminals of much less skill who hack into personal computers, encrypt the data and hold individuals to ransom. In the last few months alone there have been waves of this activity that have spread across the world via the internet, and they require payment in Bitcoin for unlocking your data.
MR How does it spread?
TC Normally by email. You get something in your inbox that looks like it could be legitimate, possibly from a big retailer with a familiar name, maybe a small local business. The email address the communication arrives from is, using yourself as an example, not [email protected] but something very similar, like [email protected], so it looks genuine. The email contains an attachment that, when clicked, will unlock an invisible virus that can do harm to your computer.
MR And there is nothing to stop anyone sending you these messages, if they know or can guess your email address, right?
TC No, there’s not. You have to look at every email and ask yourself if it is legitimate. Ask “Does it make sense this person would send me this email and ask me to click on this link, open this attachment or make this request?”
MR How do you know if you have been hacked?
TC If they’ve locked up your computer, it’s pretty easy. But it’s not always that straightforward. In large businesses, there are two types of companies: those who have been hacked and those who don’t know they have been hacked. For example, we had a case where the CEO of a big company would stop using his computer but the mouse cursor would continue to move around the screen.
Long story short, we investigated it and worked out that we could sit in the car park of one of their factories, connect to the factory’s wi-fi and, in no time at all, have open access to the company’s shared file drives and all their sensitive information. They were wide open, and someone was inside hacking their systems – quietly watching, and waiting for the time and information to exploit it.
MR Scary stuff. How do we protect ourselves?
TC You need to maintain your system and update your software regularly. Many of these global viruses thrive because systems are old and outdated. There is a local hospital whose system basically fell over because of a virus that took advantage of their outdated software. When something is that old, the risks are much higher. Vulnerabilities in old systems are well known and published across the world, and are easy for the wrong people to exploit. We helped the health industry lift their game from a security aspect because health technology has become so much a part of patient care. Ultimately it was beginning to affect their ability to provide care to their patients. Unfortunately, it will get worse before it gets better.
MR Can we trust public wi-fi enough to surrender our passwords and personal details to it?
TC No, but there’s a problem: we all live on it, so it’s impractical not to use it. Just in this last week it has come out that what we thought of as secure wi-fi is, in fact, not so secure. There is a difference between open and password-protected wi-fi systems too. For $99 on the internet you can buy yourself a device called a wi-fi Pineapple. It’s a small tool that is no bigger than an iPhone. It’s used to intercept and capture the information sent between your phone and the web application you’re accessing. When wi-fi networks aren’t password protected, security risks obviously increase. So, simple rules of thumb are:
1) Don’t do banking over open wi-fi.
2) When you are asked to submit an important user name and password, use the cellular connection that operates over the 3G or 4G network, as it’s a much more secure option.
MR Do you own a wi-fi Pineapple?
MR Should we be covering webcams up?
TC I learn from the smart people we have working here, and when I see these people with tape over their webcams, I put tape over mine.
MR Tape is really cheap insurance, right?
TC It certainly is. These cameras are easily hacked. It’s a common trick and very basic thing to do.
MR What about voice? Should we be worried about our phones recording everything we say?
TC It depends. If the conversations you are having are highly confidential and you don’t want others to know about them, then you should be worried about that, and also think about any other device that could be recording you. I know for myself and for most normal people, if someone recorded everything I said, they’d quickly fall asleep before they got to anything even remotely interesting. You don’t want to become overly paranoid about any of this. Remember, it’s much easier to go after a database of 50,000 credit cards than to listen to you and me for weeks on end, hoping to get something of value. 50,000 credit cards are also much easier to turn into real money.
MR So, on a basic personal level, if you use reasonably modern equipment, keep your software up to date, don’t reuse important passwords (banking, for example), are careful using cloud storage systems like Dropbox and Google Drive, particularly when sharing folders, and remain somewhat suspicious about every email you open and your general online activity, you are a lot less likely to be targeted.
TC Exactly. It’s that old joke about being in the forest with a group of your mates when a bear comes running after you. You don’t have to be the fastest in the group, you just don’t want to be the slowest.
The full audio version of my interview with Tom can be found at xrm.com.au/podcast