
bc blog

Understanding hackers

Gangsters and crooks have been glamorised by big movies for many years. In recent years the computer hacker too has been given the Hollywood treatment.

You’re probably familiar with the storyline: the geeky loner that at the beginning of the movie is causing computer trouble because he’s bored, transforms into a hero whose computer infiltration skills are needed to save the day.

Unfortunately, reality is different: there is rarely anything heroic about somebody trying to break into your computer system with the aim of stealing your secret information. Most hacking is done for criminal benefit and usually doesn’t make for an overly uplifting story.

However, a recent article in Credit Union Magazine, "Black Hats, White Collars: Cybercriminals’ Secrets Revealed", aims to counter the Hollywood glamorisation.

The article outlines what hacking is really all about. It looks at how a hacker attempts to gain entry into computer systems and what this criminal may do once on the inside. We are also given a nice introduction to what tools the hacker has at their disposal. The article is a little lengthy but it’s well worth the read and suitable for all readers.

 


  
IMB selects Brighton for eBusiness contract

After a rigorous selection process between six interactive agencies, IMB Building Society has confirmed the appointment of Brighton Consulting as their ebusiness partner effective immediately.

We are, of course, delighted to have this opportunity to work with Australia’s Building Society of the year (for the second consecutive time) and look forward to a long and successful relationship.

We understand that the key factors that influenced this decision included:
• Brighton’s thorough understanding of retail banking and the mutual finance sector;
• the quality of our security, hosting and monitoring solution; and
• our developed range of online systems and financial tools.

This win provides a great boost to the team and is particularly pleasing as it reaffirms the benefits of the considerable investment we have made in website security, hosting infrastructure and CMS development over recent years.


  
Secure Digital Marketing Workshop 2010

Keeping pace with the evolving social web and challenges in website security requires continual research and the adoption of new technology. Helping our clients deal with the changing marketplace and improving website security is something we enjoy doing. That’s why once a year we host a workshop to share the things we’ve recently discovered and engage with clients over strategies for the future.

Brighton Consulting’s Secure Digital Marketing Workshop was held on Monday 24 June 2010, with almost 60 participants attending from around Australia.

The workshop was an intensive one day program for mutual ADIs focussing on cost-effective, practical solutions for:

  • attracting new members and generating more business;
  • engaging with an existing member base; and
  • protecting public websites.

This year, a large number of Brighton personnel presented and we invited some guest speakers along including:

  • Charis Palmer from Online Banking Review;
  • Fujitsu’s executive director Martin North;
  • Branko Ninkovic from Dragonfly Technologies;
  • Abacus’ Rob Crawford; and
  • Steven Anderson from GBST.

Topics covered included the following.

Security

  • trends in website security
  • Abacus’ Website Security Project
  • growing the online channel by addressing member concerns about privacy and website security

Digital

  • social media trends
  • mobile website developments
  • content management systems
  • innovations in customer acquisition from Australia and overseas
  • new online lead generation and electronic identity verification systems
  • lead generation options for acquiring new members
  • potential new online budgeting and wealth management tools

Marketing

  • innovations identified in Brighton’s retail banking benchmarking service
  • improved member communications through a structured Member Contact Program
  • using targeted direct mail to better engage with members

Feedback on the workshop was overwhelmingly positive. We managed to cover a huge amount of material in a very short space of time, with all speakers being asked to produce “pacy, practical, punchy presentations”. I think it’s fair to say that we succeeded in delivering this objective, with the most common feedback being appreciation for the short, focussed presentations and the relevant, practical material.


  
National Security Awareness Week

For Brighton Consulting, website security is central to our core business. Every day we continue to learn about new scams and techniques used by cyber criminals and implement changes to increase the security of our systems, and those of our clients. While it is our job to help our clients protect themselves against cyber criminals, it is everybody’s responsibility to be smart while using the Internet. That is why Brighton Consulting enthusiastically supports the Australian Government’s National Security Awareness Week initiative.

National Cyber Security Awareness Week is an annual initiative held in partnership with industry, community and consumer groups and state and territory governments. The Week aims to help Australians understand cyber security risks and educate home and small business users on the simple steps they can take to protect their personal and financial information.

National Cyber Security Awareness Week 2010 is from 6 to 11 June and will promote six easy tips for better online security:

  • Install security software and update it regularly.
  • Turn on automatic updates so that all your software receives the latest fixes.
  • Get a stronger password and change it at least twice a year.
  • Stop and think before you click on links or attachments.
  • Stop and think before you share any personal or financial information—about yourself or your friends and family.
  • Know what your children are doing online. Make sure they know to stay safe and encourage them to report anything suspicious.

Visit the website at: www.staysmartonline.gov.au/news/news_articles/feature/national_cyber_security_awareness_week

PayPal has also released a YouTube clip promoting the campaign and providing some useful hints on keeping safe on the Internet:


  
UK security report shows sobering results

Price Waterhouse Coopers, in conjunction with the British Department for Business, Innovation and Skills (BIS), has just released the findings of a survey on information security practices and incidents in the UK. It appears that since 2008, security incidents have increased significantly in both number and cost. The survey in general was a sobering read with the results raising some genuine concerns.

Here is a small taste of some of the findings:

  • the number of small businesses (<50 staff) experiencing a security incident has increased by 50% over the past year;
  • standalone serious security incidents are costing large organisations (>250 staff) between £280,000 and £690,000 each;
  • three times as many respondents had infections on their computers as compared to two years ago; and
  • roughly one in eight organisations indicated that their computer systems had been hacked over the two year period.

And this is just the beginning, with a whole bunch of other breaches listed in the report, including a surprising number of organisations not enforcing basic hard disk and USB encryption policies.

Why the sudden spike in cybercrime? Has the global financial crisis cut into the amount organisations are willing to spend on IT security systems since 2008? Surprisingly, the answer there is no. Expenditure on security systems has actually increased over recent years, with small organisations reporting record levels of security spending.

What may actually be causing the recent surge in security incidents is a combination of:

  • improved identification of website vulnerabilities and malware deployment; and
  • developments in online interactivity.

These days, websites are under constant attack. Purpose built software continuously probes the defences of organisations and opens doors for hackers to extract confidential data. And once the hacker has breached a system the payload they are able to deliver is now much more sophisticated than it once was. New breeds of Internet worm, such as Zeus, can infect a website and then use the site to send spam, distribute trojans and other malware.

While the sophistication of cyber crime has increased, the Internet too has evolved into a more complex social web (see related blog posting on social media). Smart phones and wireless access points mean there are many more ways for us to connect to the web. Externally-hosted software services are becoming more mainstream. The rise of social media along with increasing online content distribution means there is a lot more going on in the online world. Put simply, the days of businesses using the Internet only for emails and static web pages are quickly being left behind.

While online collaboration and interactivity offer real opportunities for business, they also give criminals many more chances to infiltrate a network via deficiencies in website security. The Price Waterhouse Coopers report gives weight to the fear that organisational security practices are struggling to keep pace with the rapidly changing social web.

No longer can organisations rely solely on isolated security controls like email security filters and firewalls. Effective website security is now fundamental to any information security plan, and requires the involvement of many people, including technology suppliers, hosting partners, developers, coders, designers and copy-writers.

Finally, the report highlights a major shift in IT security. No longer can the IT department be exclusively responsible for an organisation’s security. Everybody in a business now needs to be aware of an organisation’s security practices. And everybody needs to be involved in implementing them. Just as importantly, all staff need to be aware of the ways cyber criminals are trying to trick them.

The full report on security incidents in the UK can be found here: http://www.pwc.co.uk/eng/publications/isbs_survey_2010.html

 

 


  
Be careful what you post on social media sites, for the sake of your company

You’ve probably heard it before, but the personal information we post on social media sites like LinkedIn or Facebook can be used by scammers to launch not just personal cyber attacks but also attacks against companies. Just as in the real world, criminals in the online world need information to exploit the weaknesses of those they are trying to swindle. It follows then that the more we share on social media sites, the more information criminals have access to.

As suggested in the recent Four Corners report on business cyber attacks, a trend has been developing whereby scammers gain information from social media sites to help them exploit weaknesses in business organisations.

If an online hacker were to go after a particular company they could find out plenty of information about its employees from social media sites. Most at risk are those employees in important positions like financial executives or software engineers. It is these people who are more likely to have access to confidential information, much of which will be vital to a company’s success. Cyber criminals can use information gathered from social media sites to more effectively target these employees. For example, they could send an email that looks as though it has been sent by a professional colleague disclosed through the employee’s LinkedIn profile. The email could ask the employee to check a certain document which, once opened, installs a trojan on the employee’s machine, potentially giving the criminals access to important corporate information.

We can count on cyber scammers to hunt out and exploit weaknesses like this, so it’s important that all employees within a company properly understand what information is suitable for social media sites and what is not. It is also just as important for businesses to understand how the information staff share on these social media sites can be used against them and how to take measures to mitigate these risks.


  
I cannot thank Brighton enough…

This is the kind of feedback we like to hear, and thankfully hear quite often. So what had we done to make this client so happy?

Orange Credit Union approached us very concerned that a key part of their Internet Banking upgrade, the design and design coding, would not be provided by the software supplier. They asked us to liaise with the supplier to create a design that would work for their system. When asked when they needed this work completed we were told "yesterday".

Understanding that Internet Banking is one of the most visited areas of a financial website, our response was to create a design which not only reflected their brand but also provided plenty of opportunity for product and service promotion.

In addition, by adjusting the code slightly we were able to ensure that Orange Credit Union (rather than the software supplier) maintained complete control over the promotional areas so that they could be updated regularly at little cost… whilst of course maintaining the highest levels of security.

All this was turned around incredibly quickly and we are extremely pleased that we were able to help Orange Credit Union in a difficult situation.

Orange Internet Banking Design

 


  
Perhaps shortened URLs aren’t so risky?

With Twitter posts being constrained to 140 characters, and links becoming increasingly longer, sites like bit.ly sprang up to allow users to shorten internet URLs. The shortened URLs are a jumble of letters, numbers and symbols, which unfortunately makes them the perfect mask for cyber criminals to hide virus-laden links behind.

However, after Twitter recently implemented new security measures to scan all URLs posted in tweets, security experts have been investigating just how dangerous shortened URLs are. And it transpires that they may not be as risky as we have feared.

The following news article sheds some light on the percentage of shortened URLs that link to malicious content and explores how Twitter might eventually eradicate the overall problem.


  
Google’s single-password system hacked

How nice would it be to only have to enter your password once to access all your different computer systems? Pretty good until that one password falls into the hands of cyber criminals. This is what apparently happened to Google’s single-password login system, Gaia, which was allegedly hacked some time ago with potentially wide-spread ramifications.

It also raises some interesting questions on password security.

See the following stories for more information:


  
Special Four Corners report into cyber attacks on Australian business

On Monday 19th April, ABC’s Four Corners aired an important and informative report on cyber crime. The program begins by looking at the Stern Hu/Rio Tinto case before exploring how cyber crime is being increasingly used to gain access to sensitive business information. The show demonstrates how cyber criminals can easily infect computers and then explores some of the ways this stolen information can be used against a business. Alarmingly, the show also investigates the possibility of Australia’s defence forces being compromised by cyber criminals.

More than anything, though, the program is a good reminder of how prevalent and damaging cyber crime is becoming to businesses in the modern online world. Below is a link to the report on the Four Corners’ website.

Four Corners’ report: www.abc.net.au/4corners/special_eds/20100419/cyber/

 


  
