“We are at war already … we are under attack … we need to defend ourselves … and accept the internet is a dangerous place,” says Hawke’s Bay-based security expert Tony Krzyzewski.
Krzyzewski, a pioneer in IT networking and security, says, “We are fighting for our businesses, our economy, our privacy and in some cases for our democracy.”
The digital world, he says, touches everything and the internet is no longer the great leveller many thought it was. “It’s the dystopian future” where “information or data is the new gold”.
In May, Krzyzewski became one of eight Global Cyber Alliance (GCA) ambassadors promoting cybersecurity awareness and a new generation of tools that identify bad websites, filter internet domains and flush out and remove illegitimate emails.
He challenged the New Zealand Defence Forum in 2017 with his warfare wake-up and repeated his concerns at GCA/Verizon Cyber Trends 2018 in London earlier this year.
The Government Communications Security Bureau’s (GCSB) CORTEX cyber security system claims to have protected government agencies and crucial national infrastructure from $39.47 million of potential harm in the 2016-17 year.
In the same period its National Cyber Security Centre (NCSC) – which built CORTEX and provides hands-on incident response – reported 396 incidents: 31 serious and 122 from “state-sponsored computer network exploitation groups”.
Foreign state attacks
In April, New Zealand joined in denouncing ‘foreign state’ attacks and in October, specifically condemned attacks by Russian military intelligence. We weren’t hit directly but the GCSB observed “a range of activity in New Zealand” and was “very concerned”.
Krzyzewski says the White House confirms it’ll use the internet as an attack system in cyberwarfare and “if every other country is under attack why would New Zealand be an exception?”
International hits like the Russian ransomware attack against the Ukrainian banking system create a ripple effect. “The Maersk Shipping Company was collateral damage; it was crippled and it cost US$320 million to resolve”.
Getting Maersk container ships in and out of New Zealand ports meant reverting to manual processing.
Ransomware nearly crippled the British National Health Service. “Hospitals were running a very old operating system and it went from hospital to hospital encrypting hard drives. They said give us the money or you won’t be able to use your computers. They were locked out.”
Krzyzewski says New Zealand is very lax on protection against cyber-attacks because we’re still self-regulating with no “mandated cybersecurity set of controls for critical infrastructure”.
He warns of “pinch points throughout our power distribution systems” mainly because of the geographical lie of the country with Hawke’s Bay particularly vulnerable.
The power industry is working on new standards of protection, but he says we’re still behind many countries in building up our defences.
The biggest danger is compromised gas or fuel supply, waste water treatment systems, the ability to pump water, and anything to do with the economy, such as banking systems.
Broken encryption risks
InternetNZ chief executive, Jordan Carter, warns a proposal to give law enforcement agencies access to encrypted devices and communications places all New Zealanders at risk.
A recommendation to force vendors and service providers to give up encryption details to help track child sex offenders, terrorists and organised crime was leaked from the ‘Five Eyes’ joint spy agency (New Zealand, Canada, Australia, US and UK) August conference.
End-to-end encryption also protects online banking and travel bookings. “Without it no-one will have trust in the Internet.”
Krzyzewski says Australia’s recent support for encryption breaking underlines those concerns. “It’s not a good look for what Five Eyes claims to stand for as it threatens the very thing that keeps financial and other transactions safe from prying eyes.”
Ironically the GCSB is investing $120 million strengthening Government encryption for internal and international communication.
Regardless of those who are critical or paranoid, Krzyzewski says the GCSB is essential for NZ Inc. “Every nation has a department tasked with protection against foreign government and criminal attacks.” Being at the edge of the world makes no difference. “On the internet you are just a number waiting to become a statistic, distance doesn’t matter.”
He rejects assertions we’re not pulling our weight in Five Eyes: “We have very good and knowledgeable people…we may be small but we’re not weak.”
You are the product
Krzyzewski says the social media revolution has seduced us into giving away personal information with little apparent concern for what happens to it.
On the internet, “If it’s free, you are the product and you are being sold”. And we shouldn’t be surprised, “it’s there in the small print, your information is not yours”.
At the end of August, a Facebook security breach exposed nearly 50 million user accounts, with an admission the site’s under constant attack from those wanting to clone accounts and steal information.
In early October the Google+ consumer social network was shut down after a two-year-old bug potentially exposed the data of up to 500,000 users.
Government-led cyber security agency CERT NZ reported 736 cyber security incidents between April and June, more than double the 2017 figures.
The majority were phishing and credential harvesting; attempts to obtain user names, passwords and credit card details. Most came through emails and links appearing to be from legitimate financial or commercial brands. Direct financial losses were $2.2 million with most amounts under $500.
Hawke’s Bay internet provider NOW has seen an increase in phishing attempts using its logo and trying to steal customer information through a variety of means.
It’s concerned at how convincing these attempts are becoming and has moved from “a reactive to a proactive mindset” educating customers to be more suspicious of contacts they weren’t expecting. “Do your research and be aware that responding to an offer could result in your being caught in a scam,” says the company.
AI fuelled attacks
Once a machine is compromised it can be joined to a network and used to attack other machines or it may monitor for logins and passwords.
Rather than someone tapping away at the keyboard trying to hack an account it’s mostly likely a bank of computers fuelled by artificial intelligence (AI) running thousands of combinations.
The problem, says Krzyzewski, is the inherently insecure 46-year old email and transport mechanisms undergirding the internet, cybercriminals using smarter technology to exploit loopholes, and the fact that businesses and individuals aren’t taking threats seriously enough.
Having a firewall protecting from external attack is no longer sufficient as many criminals know how to get inside and work their way out whether that’s at individual, commercial or central or local government level.
Krzyzewski says many organisations are way overdue for an audit of their vulnerabilities. He has “every Microsoft Windows password pre-cracked in a look up table” and when he’s on-site won’t have a coffee until he’s found a loophole.
“I usually don’t wait more than half an hour. I’ve been doing this for 25 years and I’m seeing exactly the same vulnerabilities I saw in the mid-90s.”
When asked ‘What should we do?’, his typical response is the CEO should write a press release explaining what the organisation plans to do when key information gets leaked or they can no longer service their customers. “From that point on everything you do is to prevent that ever having to be sent.”
True losses concealed
Krzyzewski says the US and UK claim 50% under-reporting of cybercrime and suggests our local numbers are likely to be very conservative, largely because people don’t like to admit they’ve been vulnerable or gullible.
He’s aware 50% of crime investigated in the UK and 25% in NY’s Manhattan is now cyber-related. “The criminals have changed tack, they don’t need to raid the bank mechanically anymore, they raid electronically.”
He cites a New Zealand case where $238,000 was invested in shares that weren’t real and another example where a financial controller sent $74,000, overseas, allegedly on instruction from the chief executive.
“Fortunately, we caught it and got the money back but in a lot of cases you never do. This was a very specific ‘whaling attack’; they knew how the organisation worked and compromised the system by registering a domain that only had one letter different.”
Krzyzewski says a lot of useful data about cybercrime in New Zealand isn’t being captured, because of the silo approach between government departments and agencies. “We’re too decentralised and not even having the conversation.”
Meanwhile, the fallout continues from the 2013 breach of three billion Yahoo accounts and the 2012 LinkedIn hack.
Those login and password details are still helping compromise other accounts and behind the recent “sextortian scandal”, blackmailing recipients in exchange for not sharing alleged videos of them viewing porn.
Currently there’s no local law requiring companies to report breaches, although an urgent revision of the 25-year old Privacy Act has been waiting in the wings for five years, proposing fines of up to $10,000 for failure to report compromised data.
CERT and Netsafe offer online ability to report attacks and breaches and a new Cyberstrategy is about to be adopted with a focus on education and protection.
Meanwhile, Kyzyzewski, InternetNZ and others are calling for a much broader debate on achieving a more cohesive and tactical response to cyberthreats.
Resources:
InternetNZ: encryption concerns: https://internetnz.nz/encryption
CERT: Threat landscape reports and reporting: www.cert.govt.nz/
NetSafe: cyberbully, scams and reporting: www.netsafe.org.nz
