The next big scare
As if computer viruses and cyber theft are not enough, the threats to our information are now going mobile. And it doesn't stop there, writes ARTHUR GOLDSTUCK.
The world of hi-tech is so focused on the next big thing in gadgetry, it tends to forget that each new gadget and every new advance comes with new vulnerabilities.
These go by many names, from malware and spyware to ignorance and stupidity. The biggest and the smallest of entities fall prey. At the beginning of 2012, South Africa’s Post Bank lost R42-million to hackers using fairly basic equipment. Yet, that’s a fraction of the losses suffered by individuals.
According to the 2012/3 South African Cyber Threat Barometer released recently by Wolfpack Information Risk, a total of R2,65-billion has been stolen in cyber crimes in the past 18 months. A full three-quarters has been recovered, but that still leaves a loss of R662-million.
Clearly, it is no longer enough to install anti-virus software. As the smartphone market explodes across Africa – 2013 will for the first time see more smartphones than “ordinary” phones sold in South Africa – viruses and scams will increasingly target these devices. And being on the southern tip of the least connected continent won't protect anyone.
“The trends in Africa pretty much follow trends in the rest of the world, because it’s an online environment. It's about a global scenario rather than specific threats,” says Riaan Badenhorst, recently appointed Head of Operations for Kaspersky Lab Africa.
While low Internet penetration ironically protects Africa from much of this onslaught, the shift to mobile threats is beginning. Android devices in particular are vulnerable, as there is little filtering of apps released for the operating system. Apps for iOS, the Apple mobile operating system for the iPad and iPhone, all have to go through a strict vetting process. Even that won’t fully protect their users.
“Most of what we are seeing is phishing malware, which hunts for specific information on the devices,” says Badenhorst. “People think anything on their phone is not accessible, and they tend to lower their guard.”
The warning is underlined by the fact that the company’s latest product range includes packages entitled Kaspersky Tablet Security and Kaspersky Mobile Security.
However, it is their flagship product, Kaspersky Internet Security 2013, that offers a true insight into the range of threats facing every computer user.
Aside from the usual anti-virus and e-mail protection, it includes specific safeguards against spam and phishing, provides child security and parental control options, and something called “secure keyboard”. This protects the user from hidden software that monitors keystrokes and sends data like passwords, ID numbers and bank account details to the creators of the malware.
In the coming year, Kaspersky will build on its corporate offerings, but it is on the personal level where it has made the biggest difference.
If Kaspersky has raised the bar for consumers, companies like Symantec and EMC are doing the same for large enterprises.
“Anti-virus and anti-spam on their own are no longer enough,” says Gordon Love, Symantec regional director for Africa. “The message has evolved, and Symantec is repositioning itself from basic security to information protection.”
While the consumer is concerned with safety on a couple of devices, the enterprise has numerous areas of responsibility, from looking after customers to maintaining the confidence of investors.
“The major drivers of protecting the enterprise are around intelligence, managed security, and compliance,” says Love. “It’s driven by both existing and expected legislation on corporate governance, and focuses not only on the data, but also on how the data flows through the business. We back up 50% of the world’s data, and have to protect it when it’s at rest or on the move.”
Last year, Symantec blocked 5,5-billion malicious attacks – and that number has already increased by more than 80% this year. Symantec ranked South Africa 43rd in the world for number of attacks in 2011 – up from 46th the year before.
“Initially all this hacking and malicious activity was targeted around fame for the hacker,” says Love. “The next phase is how to extract financial benefit from it.”
One of the more sophisticated tricks is to create a virus that fools users with warnings that their systems are infected, and invites them to click through to a link that will clean their system – for a fee, payable by credit card. You can see where that story ends …
As a result, even the vendors who offer free versions of their anti-virus products have upped their game. AVG, which uses a “freemium” model – a free basic version of AVG Internet Security can be upgraded to a paid-for premium edition – says it is now “more than just an antivirus company”.
“Computers and devices have become an extension of every individual at work and at play,” says JR Smith, the company’s CEO. “In today’s world, we’re not just securing machines. We’re securing people’s digital life.”
But that may not be enough.
In a report released last week, Symantec security practices expert Grant Brown warned that a new form of scareware is emerging: “ransomware”.
“Ramsomware goes beyond attempting to fool its victims; it attempts to intimidate and bully them.”
While this “business model” has been tried before, says Brown, it suffered from the same limitations of real life kidnapping - there was never a good way to collect the money.
“Cybercriminals have now discovered a solution to this problem using online payment methods. They can now use force instead of flimflam to steal from their targets. As it is no longer necessary to con people into handing over their money, we can expect the extortion methods to get harsher and more destructive… attackers will use more professional ransom screens, up the emotional stakes to motivate their victims, and use methods that make it harder to recover once compromised.”
Brown points to the core threat facing regions like Africa, but also to the core of the solution:
“As accessibility to technology and access to internet connectivity become more affordable to previously untapped markets, security education needs to form part of any online strategy.”
* Arthur Goldstuck is managing director of World Wide Worx and editor-in-chief of Gadget.co.za. Follow him on Twitter or Pinterest on @art2gee