The federal government launched Get Cyber Safe on Oct. 3, a month-long push to improve Canadians’ awareness of online security threats and of the steps they can take to protect themselves.
The public-service campaign includes a radio spot about choosing secure passwords and a video ad about deleting malevolent emails, and is tethered to a fairly comprehensive website.
In addition to raising awareness among the Canadian populace about bad surfing habits, the government is enhancing its own net safety in light of a massive attack on the Treasury Board and Finance Canada websites in February.
CBC News spoke to Toronto-based cyber security expert Dave Lewis, who has worked with a number of Canadian tech companies, runs Liquid Matrix, a blog about net safety matters, and is on the advisory board of the Security Education Conference Toronto (SECTOR), which runs Oct. 17-19. He offers insights into the latest online threats, as well as tips on how to avoid them.
CBC News: What are the most ubiquitous threats to individual users?
Dave Lewis: I would say the most ubiquitous threat to users is users themselves.
I know that may sound rather flippant, but users are their own worst enemies. They’ll get an email that says "I love you" and they’ll say, "Oh, how nice," and they’ll click on the link without asking, "OK, why is this person sending me an email saying ‘I love you’?"
CBC News: Because we need that validation every day!
Dave Lewis: Yes, which is why the scammers and virus writers play on that regularly.
CBC News: Besides the users themselves, what are the most ubiquitous threats?
Dave Lewis: The kinds of attacks that you see going through social networks that are made to look like one thing, but are actually something else. On Twitter up until recently — I don’t know if they’ve fixed it yet — you could make a link look like it is going somewhere other than where it actually goes. It could look like it’s going to CBC.ca, but it’s actually going to BadGuy.com. I’m overgeneralizing, but there is a lot of that problem.
CBC News: People are quite vulnerable via email, are they not?
Dave Lewis: The worst ones are when people get malicious links in emails, and if they click on them, they could have their bank accounts compromised, which is really a significant issue. It’s sort of like death by a thousand cuts. You have all of these bank accounts being compromised, to the tune of $200 here, $300 there – not enough for a major crime unit to jump in and take action. If you hit on one of these emails with a maliciously crafted link, the really unfortunate side is that most of these users have no idea that something has happened to them until they get the bill later.
CBC News: What are some of the newer techniques of compromising a user’s computer?
Dave Lewis: There’s a new one from an organization that’s ostensibly based out of India that used to be called Comantra. This is an organization that used to be a Microsoft Gold partner, and Microsoft took away their Gold status because they were randomly calling people saying, "You have a virus on your computer, give us your login and password so we can fix it." They called me at home a couple of times. They tried this routine on me, and I strung them along for a couple of minutes and then gave them an earful.
The problem here is you’re getting people trying to access your computer, and they’re just social-engineering you to give up your information. Once they’re in your computer, lord knows what they’re doing – installing malicious back doors, stealing information.
CBC News: How many cyber attacks start with such a phone call?
Dave Lewis: That one is actually pretty brash. I have not seen this one before; I’m sure they happen. Usually, it’s the lazy man’s way of sending out a couple million spam messages and you get the 10 per cent return. This is a new one for me. We’ve seen it where [U.S. internet security company] HBGary Federal was compromised that way – they were compromised [in 2010] by the group Anonymous simply calling in and saying, "Hi, can I get my password reset?"
Low-tech works more often than not. If you want to get somebody’s password, people say, "Oh, you can compromise it this way, and this way and that way" – or you can just ask them for it nicely.
CBC News: Are there attacks that don’t involve email penetration or fake URLs?
Dave Lewis: Drive-by attacks: users can go to something that looks completely normal and legitimate.
CBS News, probably about six months ago, got compromised and they started [inadvertently] serving up malicious software. All the user had to do was surf to the website and they were compromised. They had no idea that it happened.
There are penetration tools for doing testing on sites, like BeEF, the Browser Exploitation Framework — you can use a browser as a pivot point and you can launch attacks as the user, using the user’s credentials. You could map an internal network, and the user has absolutely no idea that it’s happening.
CBC News: Are there any other emerging threats?
Dave Lewis: I think the attacks will change month to month, year to year, but at the root of it, you’re trying to get information or money. Information is the currency of the day.
Educating the end user will help a great deal, but it’s a very, very long process. And there isn’t much financial incentive for companies to do that. They’ll say, "OK, it costs me this much to educate the user base, or we could just take the hit and absorb the cost."
Banking is a perfect example. They’ll say you have to have a [relatively low-security] six-character password, and that’s fine. Some banks have plenty of checks and balances on the back end, whereas at other banks it’s held together with baling wire and duct tape.
CBC News: How useful are public awareness campaigns?
Dave Lewis: Humans are what they are – they’re creatures of habit. So you can keep bringing the message. It will get through to some. Some will listen, some will take it to heart.
CBC News: Maybe you have to be compromised yourself to finally take steps to defend yourself.
Dave Lewis: Yeah. It’s sort of like if somebody breaks into your house, you feel violated. If someone breaks into your internet banking, wipes out your account, you feel violated. You will never forget that lesson.
CBC News: What are some easy steps to avoiding cyber crime?
Dave Lewis: The absolutely easiest step is to take a moment and think about what you’re about to click. If you get an email and it says it’s from your bank – does your bank send you emails? Are they actually going to ask for your password? Take a moment to sit there and think – is this really what it’s supposed to be? A moment’s pause helps.
Make sure you have up-to-date anti-virus and a firewall on your local desktop.
Make sure your system is patched and up-to-date [with the latest software or operating system updates]. A lot of people buy their computer from various Future Shops and what-have-you, take it home, set it up and never apply a patch. So what happens is there are hackers out there who are constantly testing these systems – either good hackers or bad hackers, depending on what you want to be – and these vulnerabilities are discovered from time to time. The results of that are published or, in the worst-case scenario, a worm or virus leveraging a vulnerability could come out. And if your system is not patched and up-to-date, your system could be compromised just by being attached to the internet. You should set your computer up to automatically patch — 95 per cent of the time that works just fine.
People have cable modems coming out the wazoo now. They have high-speed access to the internet, so a lot of times there’s a direct line back to their computer if they’re not set up properly. If you have a firewall on your system – Microsoft has it built in, Linux has it built in – enabling these firewalls, if they’re not already enabled, that’s a huge win right there.
CBC News: Should you have a different password for every website or application you use?
Dave Lewis: I’m going to say something that you won’t hear a lot of people say: write your passwords down. When I say that, don’t put it on a sticky note and stick it on your monitor. I mean, write it down on a sheet of paper, stick it in a safe or your safety-deposit box. Realistically, you should change them on a regular basis, but people aren’t always going to remember their passwords.
Another thing they can do is use software like 1Password, which is an excellent password-encrypted container that will save all your passwords for you. You’re keeping a record, but keeping a record that is safe, and the passwords are locked somewhere securely, so it’s not a case of the cleaning lady walking through your house and saying, "Ah, I’m taking this with me."