Are you one of the millions of Australians who have a pretty basic password? We show you how important strong passwords and other security measures are to keep you, your credit file, your business and perhaps your country safe from cyber-attack. This week is Cyber Security Awareness Week 2013, hosted by Stay Smart Online. This is an Australian Government initiative, held annually in partnership with industry, community and consumer groups and state and territory governments. As part of this week we have been fortunate to speak with online expert Daniel Smith about cyber-security. He gives us a unique insight into the importance of cyber-security awareness for every ordinary Australian.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.
You may have heard last month about the biggest ever global brute-force attack. You may have heard about it, but like many it may have gone straight over your head. But the ramifications of an attack like this are pretty important.
The attack was on WordPress sites, which currently powers over 60 million websites and is read by over a quarter of a billion users every month. WordPress was attacked by a botnet of tens of thousands of individual computers. The botnet targeted WordPress users with the username “admin”, trying thousands of possible passwords.
But online expert Daniel Smith warns this attack is definitely only a small taste of things to come.
“Last month’s attack was orchestrated on a large scale, but this happens continuously on an individual basis on sites like WordPress, Joomla, Drupal or similar,” Daniel says.
“I liken it to a locksmith with a whole set of generic keys – he can turn the keys in many doors until he finds one that fits. Hackers have common password ‘keys’, and they roll trials of these passwords until one unlocks the computer, and enables them to use the resources powered by the site which are far more than could be gained by a singular desktop computer,” he says.
The ramifications for individuals and businesses who become part of a botnet are loss of data, loss of secure personal information and break-down of the site.
“I know victims who have had to close their business down because they have lost so much information,” he says.
But he warns, hackers don’t always delete the information on these sites, but may leave it intact, putting in files in back doors so that they can go undetected – making use of these resources again and again.
“Hackers can on-sell information to cyber-terrorists or spammers, and can also on-sell the entire bot-net to be used in a brute-force attack that is capable of crashing a country’s economy,” he cautions.
He says individuals with a WordPress or similar blog, and small companies could be at risk.
“They don’t have the money to spend on security protection that a larger business would – and they are the ones that think their small site or blog is ineffectual, when in fact its resources make it a prime target for hackers,” he says.
So just how easy is it to find these passwords?
“I did a quick 5 minute search on the internet yesterday, and found a list of 6 million usernames and passwords that are out there. If I went searching for more in depth, there would be more there,” he says.
Daniel says what’s gone wrong, is that the way we’ve been taught to create usernames and passwords is in fact broken. He says we need to make these changes to the way we run sites like WordPress:
1. Use secure pass phrases. Come up with a unique scheme that is a minimum of 8 characters long – for example every 3rd vowel could be a number or symbol and you should always add some uppercase letters, numbers and any character that requires the shift key to type. Use multiple words in a pass phrase. You could use two unrelated words which are memorable to you.
2. Use a different password for each account.
3. Use a unique username – not the default setting. Never use ‘admin’ as a username.
4. Minimise password login attempts. Restrict the number of attempts allowed to access the site, before the user is ‘locked out’, which prevents multiple attempts to crack the password.
5. Include a 2-step verification plug-in. You can download a plug-in which requires 2-step authentification similar to bank requirements when logging in to the site. This is harder to infiltrate by hackers, but Mr Smith says many don’t use 2-step verifications because they seem inconvenient.
“We may need to get a little inconvenienced to prevent what could be a business disaster, or in worst case scenario, a future global disaster,” he says.
So where do we as credit repairers come in to cyber-security?
Stealing passwords or personal information through these channels can lead to identity theft and potentially fraud. Hackers can on-sell your personal information to fraudsters who have identity theft as part of their repertoire.
Information like dates of birth, account numbers, full names etc can be warehoused and used to steal your identity and take credit out in your name. Fraudsters have been known to go so far as to take out personal loans, credit cards and even mortgage homes in their victim’s name.
Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.
For between 5 and 7 years you can be locked out of credit while your credit rating shows up someone else’s defaults.
Unfortunately in the past it has not been easy for identity theft victims to prove they did not initiate the credit, particularly if they have no idea how they were duped in the first place. Often this sophisticated type of fraud is instigated by overseas crime syndicates who don’t leave much of a trail, or even if they do, can’t be prosecuted easily.
To stay one step ahead of fraudsters, you can subscribe to Stay Smart Online Alerts – which let you know about security issues as soon as they unfold.
Image 1: digitalart/ www.FreeDigitalPhotos.net
Image 2: courtesy Stay Smart Online.