Second interview in the series – Digital Security

Interviewer:      I think the scary part of it in your business is the fact that you make one mistake, and it will probably be a big mistake.

Roger:                  Well, yeah. One mistake in the digital security area can lead to repercussions like you would not believe. And I don’t think really, fair enough, I’ve been accused of fear-mongering and everything else.

But I don’t think normal, everyday people, realize that the problems we’ve got is not that we’re not paying attention, it is we’re not doing anything to resolve the problems. It’s either, “It’s not my problem.” Or, “We’re too small to worry about it.” Or, “We’ve got nothing worth stealing.”

But the repercussions of just having an attacker inside your network, it doesn’t matter if it’s your home network or your work network, then you’ve got a really major problem.

Interviewer:      Well, it’s interesting. I was looking at my scan file last night.

Roger:                  Yeah?

Interviewer:      So every six months I go through that just to make certain there’s nothing in there that I need. I found a couple of things that really I needed to have in another area. But I was appalled by the number of times in that six-month period I’d been asked for money and all I had to do was contact this person, and press here, and “We’ll do this for you.” I was the beneficiary of an estate. It just goes on and on and on.

Roger:                  Or, “I’m the legal person representing x.”

Interviewer:      Right. And it struck me that without the security of a good, well-planned social media approach, you could easily have those coming directly into your inbox.

Roger:                  Yes.

Interviewer:      And by mistake, press them, or just through curiosity you’ll press them and the like, and that can be a huge issue as I have seen with a couple of my clients who have just lost everything.

Roger:                  Yeah, well there’s a new scam I’ve just noticed recently. That’s the Google Docs, or Microsoft’s One Cloud. What people are sending you is a link to a Google Doc. Okay? You don’t know the person and it may have gone into your inbox. It may go into your Spam box.

But the fact that we are now using Google online as our document repository, or we’re using Microsoft as in OneNote and all those sorts of things, there is a really big chance that you will click on that. Because A, it probably may come in from Jess Smith instead of Jessie Smith, and you may not think “Why is his name changed?”

That initial click is what’s going to happen. What we don’t see is, I suppose a lot of people don’t see, is the fact that the cyber criminals and the digital criminals are always adapting. They’re always changing their tactics. That’s why it makes it very hard for people like us to keep on top of it.

Because when the phishing scams came out, they were all low-level, bad spelling, bad grammar, probably no chance of being opened. We’ve now got to a stage where some of the scams, as I said for Google Docs comes in, and it’s good spelling. It’s targeted at someone to open it.

It may be you’re being sent an email that says “Dear Boss. I came across this last week. I thought you might need to read it.” And that’s all it takes because that’s what the criminals want you to do. They want you to make that initial, I suppose, commitment to them. And that’s really what drives them.

Interviewer:      Well, another interesting example that came up yesterday was a mutual friend of ours. And his son came to his dad and said, “What’s this about, Dad?” And Dad looked at it and it was from a person. It may have been eBay. I’m not too certain, but one—it was either from a person or eBay saying, “Just confirming you’re going to be in Toowoomba tomorrow to pick up your $28,000 Caravan.”

Roger:                  [Laughter]

Interviewer:      And the son had no idea what it was, of course. Nor did the father. But the father was smart enough to follow it through. And what had happened was that this young boy had been targeted by one of his “friends” who decided to teach him a lesson with talking about bullying at school.

And this chap had put in an order to buy this $28,000 Caravan to pick up today or tomorrow, something like that. And the child had no idea what was going on, so he got onto eBay. Then he got onto Google. Google went searching, and Google came back with a shopping lot of news to tell the parent that his son’s email account had been violated by this particular person.

And he had sent this extraordinary number of emails to his teacher, to the school, to other friends at school, in this case to girlfriends and everything else, with the most vile, terrible language you could ever imagine.

Roger:                  Yep.

Interviewer:      And the police are currently involved in solving this particular problem, and they’ll prosecute the person for doing it. But there’s a young person in a school, and I’m talking about 14 and 15 years of age, who decided to destroy somebody by doing this.

But the alert parent was onto it so quickly, and of course an immediate email was sent out by Google, and by him, so it was two separate emails, explaining what had happened. But that’s just one of the dangers we face, and people take no notice of it.

Roger:                  Well—

Interviewer:      They should.

Roger:                  Yeah. Well, the other thing is, for instance, going back to that example, is the chances are now that anything that young boy does with that email address is going to be suspect. It doesn’t matter whether it’s above board or below board. So that’s one problem.

All of the problems that email address has created now becomes a bigger problem because they can now, as you said, they bought a Caravan in his name. Have they opened accounts in his name, bank accounts? That type of thing is very important as well.

With an email account with Google, you’ve also got things like if the account has been compromised, you can actually get at all the other information that correlates to that person, where they live, date of birth, if they’ve got a driver’s license, their phone number.

So you’ve now got really a blueprint of that person which they can use for anything they want to use it for. Now it’s lucky it was only one person against one person, because if that had been a criminal gang, then they would have had even bigger problems.

Interviewer:      So a criminal gang would have had the ability and the willingness to distribute that same information to 500 other people?

Roger:                  500-10,000. Yeah. And then you can use that. See, the digital criminals not only are after the email address. If they’ve compromised your email address, there’s a really good chance that they’ve compromised the computer that that email address is on as well.

From that, because the actual technology that we use to communicate and do whatever we want to do, and play games and everything else, is a valuable commodity to the criminal enterprise. Because from that technology, they can launch other attacks.

They can use that information that is there. And they can then go from where they’re focusing on you to focusing on your friends, your family, to the next level. And that, as we all know, three levels of separation, and we’re probably closer to other people that we don’t know.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.
