Why you are your best cyber security
In case you have been living under a rock, online security is back on the agenda in a big way because of a little thing called Heartbleed.
It's not something you get from too much saturated fat. It's a bug in OpenSSL, the software a huge share of websites use to encrypt the connection between your browser and the site, the mechanism that is supposed to stop anyone reading your credit card number or bank login in transit and to assure you the site is who it claims to be. The bug lets an attacker read chunks of a server's memory, which can include other people's passwords and the site's private encryption keys.
Heartbleed is a technology problem that much smarter people than the rest of us are scrambling to patch as we speak, but statistically it's an anomaly.
Encryption - the technology that keeps your details secret as they travel around the internet - is already hard to break, and it's getting better all the time. As soon as new malware surfaces, cyber security companies waste no time pulling it apart to see how it works and pushing out updates to detect and block it, while the software vendors patch the holes it exploits.
So why did targeted cyber attacks still increase 42 per cent last year over 2012? If the technology is so hard to break, something is obviously going wrong.
Unfortunately, the most robust security infrastructure in the world cannot change user behaviour. "I don't see any sign people are better with their passwords," says Symantec's US security response director Kevin Haley. "There needs to be a technology solution because people don't change."
NATURAL DIGITAL SELECTION
Malware has evolved along with our online behaviour. It used to be about defacing websites for bragging rights or dodgy email attachments that sent themselves to everyone else in your address book.
About 1998, according to Kevin Mandia of US security firm FireEye, cyber crooks realised they could make more money by intercepting and hijacking our financial details as we started banking and buying online.
Mandia said 1998 to 2003 was the heyday. "Then there was a shift because we had so much regulation and legislation around things companies had to do to be compliant. A wall came up and servers got more secure," he said.
That prompted what Mandia calls the third wave of cybercrime - going after individual users. If the technology was getting too good to break, maybe we, the users, would be easy enough to fool directly.
The operative term in the 42 per cent statistic above is "targeted". Targeted attacks usually begin with phishing, where the bad guys pretend to be someone they're not to try to swindle you. The email warning you to change your PayPal password is a classic example: the link takes you to a site that looks like PayPal but actually belongs to the criminal, so whatever login details you type go straight to them.
THE THREAT OF TOMORROW
We often laugh about the fake PayPal and Nigerian banker scams these days, but someone somewhere is still falling for them.
"The technologies we deliver only address one part of the puzzle," said security systems engineer Nick Savvides of Symantec Australia.
"We work hard to make security transparent but we'd be missing a trick if we didn't recognise some level of user awareness is important."
Such awareness becomes even more important when the bad guys take the next step up - spear phishing. Where a phishing attack is a broadcast effort that sends a slew of near-identical emails hoping to trick whoever bites, spear phishing is aimed at a particular person or company and built on social engineering: research into the target that makes the lure convincing.
Our posts on social networks and the websites we visit leave an electronic paper trail of our interests and preferences.
If you love Facebook games, friending you and suggesting you try a new game is a good approach for a cyber crook. The "game" might actually be malware that gives the bad guy unfettered access to your phone or computer.
In one recent example, more than 25,000 Instagram users willingly disclosed their login details in exchange for vague promises of "likes" for their pictures, sending them straight to an Eastern European organised crime gang.
You often hear of the security arms race - the crooks come up with sneakier approaches, and anti-virus providers have to improve in turn. It is the same for the rest of us. As we learn our lessons, so do the gangs trying to extort us - look up "ransomware" or "watering hole attacks" for some sobering reading.
But while headlines of pensioners being tricked out of their life savings can be terrifying, caution - not fear - is the answer. Sun Tzu's The Art of War urges us to know the enemy and his weapons, and keeping a few simple behaviours in mind is your best defence.
DOS AND DON'TS
- Don't click on suspicious links in emails or on social media.
- Don't email personal information.
- Don't enter personal information in a pop-up web page.
- Do use security software and install updates promptly.
- Do use a different password for every account that matters, so one stolen login doesn't open the rest.
- Do make sure the site is the one you think it is before you type in personal information. The padlock in your browser window, https in the website address and/or the green address bar tell you the connection is encrypted and the certificate matches the address shown; they don't tell you the address is the right one, so read the domain name itself, not just the padlock.
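As an added illustration of that last point (example code written for this edit, not from the article or any company it quotes): a short Python script that asks of each link in an email the question the padlock cannot answer, namely which site the link really goes to. It catches the common tricks in the PayPal example above: the brand name buried in a subdomain, a fake "username" before an @ sign, digits standing in for letters, and link text that shows one address while the link goes to another. The trusted-site list and the sample email are assumptions constructed for the example.

```python
"""Added example (not from the article): where does a link really go?

Assumptions: TRUSTED names the genuine sites the reader uses, and
SAMPLE_EMAIL is a constructed message, not a real phishing mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the real sites the reader uses, as bare registrable domains.
TRUSTED = ("paypal.com", "instagram.com")

# Digits and bars that pass for letters at a glance (paypa1 -> paypal).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})

# Visible link text that itself looks like an address, e.g. "www.paypal.com/update".
_HOSTLIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com'.

    Simplified to the last two labels; real code would consult the public
    suffix list so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def judge_link(href, visible_text=""):
    """Reasons to distrust a link; an empty list means it goes to a trusted
    site over https. The browser follows the href; the reader sees the text."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()  # drops any user@ prefix and port
    if not host:
        return ["not a web link"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("no https: the connection is not encrypted")
    if parts.username is not None:
        reasons.append(f"'{parts.username}@' is a username, not the site; the site is {host}")
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return reasons  # a padlock here belongs to the real site
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if domain.translate(_HOMOGLYPHS) == trusted:
            reasons.append(f"look-alike domain {domain} imitating {trusted}")
        elif brand in host or brand in parts.path.lower():
            reasons.append(f"'{brand}' appears in the link but the site is {domain}")
    shown = _HOSTLIKE.match(visible_text.strip())
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
    return reasons


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html_body):
    """Return (href, visible text, reasons) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(href, text, judge_link(href, text)) for href, text in parser.links]


# Constructed sample message: three traps and one genuine link.
SAMPLE_EMAIL = """<p>Your PayPal account has been limited.</p>
<a href="http://paypal.com.secure-login.example/update">https://www.paypal.com/update</a>
<a href="https://www.paypal.com@evil.example/login">Log in now</a>
<a href="https://paypa1.com/verify">Verify your account</a>
<a href="https://www.paypal.com/signin">www.paypal.com</a>"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "; ".join(reasons) or "goes where it says, over https"
        print(f"{text!r:40} -> {href}\n    {verdict}")
```

Note what the script does not do: it never fetches the page, so a convincing certificate and padlock on a criminal's own domain are irrelevant to it, which is exactly the point. The reader's job is the same one the script performs: look at the domain the browser will actually talk to, not at the words around the link.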