Morrison’s $1.3 billion for more ‘cyber spies’ is an incremental response to a radical problem




Greg Austin, UNSW

The federal government has announced it will spend more than a billion dollars over the next ten years to boost Australia’s cyber defences.

This comes barely a week after Prime Minister Scott Morrison warned the country was in the grip of a “sophisticated” cyber attack by a “state-based” actor, widely reported to be China.






The announcement can be seen as a mix of the right stuff and political window dressing – deflecting attention away from Australia’s underlying weaknesses when it comes to cyber security.

What is the funding for?

Morrison’s cyber announcement includes a package of measures totalling $1.35 billion over ten years.

This includes funding to disrupt offshore cyber crime, intelligence sharing between government and industry, new research labs and more than 500 “cyber spy” jobs.

As Morrison explained:

This … will mean that we can identify more cyber threats, disrupt more foreign cyber criminals, build more partnerships with industry and government and protect more Australians.

The key aim is to help the country’s cyber intelligence agency, the Australian Signals Directorate (ASD), to know as soon as possible who is attacking Australia, with what, and how the attack can best be stopped.

Australia’s cyber deficiencies

Australia certainly needs to do more to defend itself against cyber attacks.

Intelligence specialists like top public servant Nick Warner have been advocating for more attention for cyber threats for years.

Concerns about Australia’s cyber defences have been raised for years. (Image: Shutterstock)

The government is also acknowledging publicly that the threats are increasing.

Earlier this month, Morrison held an unusual press conference to announce that Australia was under cyber attack.

While he did not specify who by, government statements made plain it was the same malicious actor (a foreign government) using the same tools as an attack reported in May this year.

Related attacks on Australia using similar malware were also identified in May 2019.

This type of threat is called an “advanced persistent threat” because it is hard to get it out of a system, even if you know it is there.






All countries face enormous difficulties in cyber defence, and Australia is arguably among the top states in cyber security worldwide. Yet after a decade of incremental reforms, the government has been unable to organise all of its own departments to implement more than basic mitigation strategies.

New jobs in cyber security

The biggest slice of the $1.35 billion is a “$470 million investment to expand our cyber security workforce”.

This is by any measure an essential underpinning and is to be applauded.

The Morrison government wants to recruit more than 500 new ASD employees. (Image: Shutterstock)

But it is not yet clear how “new” these new jobs are.

The 2016 Defence White Paper announced a ten-year workforce expansion of 1,700 jobs in intelligence and cyber security. This included a 900-person joint cyber unit in the Australian Defence Force, announced in 2017.

The newly mooted expansion for ASD will also need to be undertaken gradually. It will be impossible to find hundreds of additional staff with the right skills straight away.

The skills needed cut across many sub-disciplines of cyber operations, and must be fine-tuned across various roles. ASD has identified four career streams (analysis, systems architecture, operations and testing) but these do not reflect the diversity of talents needed.

It’s clear Australian universities do not currently train people at the advanced levels needed by ASD, so advanced on-the-job training is essential.

Political window dressing

The government is promoting its announcement as the “nation’s largest ever investment in cyber security”. But the seemingly generous $1.35 billion cyber initiative does not involve new money.

The package is also a pre-announcement of part of the government’s upcoming 2020 Cyber Security Strategy, expected within weeks.

This will update the 2016 strategy released under former prime minister Malcolm Turnbull and cyber elements of the 2016 Defence White Paper.






The new cyber strategy has been the subject of country-wide consultations through 2019, but few observers expect significant new funding injections.

The main exceptions that may receive a funding boost compared with 2016 are likely to be education funding (as opposed to research) and community awareness.

With the release of the new cyber strategy understood to be imminent, it is unclear why the government chose this particular week to make the pre-announcement. It obviously will have kept some big news for the strategy release when it happens.

The federal government is expected to release a new cyber security strategy within weeks. (Image: Shutterstock)

The government’s claim that an additional $135 million per year is the “largest ever investment in cyber security” is true in a sense. But this is the case in many areas of government expenditure.

The government has obviously cut pre-planned expenses in some unrevealed areas of Defence.

Meanwhile, the issues this funding is supposed to address are so complex that $1.35 billion over ten years can best be seen as an incremental response to a radical threat.

Australia needs to do much more

According to authoritative sources, including the federal government-funded AustCyber in 2019, there are a number of underlying deficiencies in Australia’s industrial and economic response to cyber security.

These can only be improved if federal government departments adopt stricter approaches, if state governments follow suit, and if the private sector makes appropriate adjustments.

Above all, the leading players need to shift their planning to better accommodate the organisational and management aspects of cyber security delivery.






Yes, we need to up our technical game, but our social response is also essential.

CEOs and departmental secretaries should be legally obliged to attest every year that they have sound cyber security practices and their entire organisations are properly trained.

Without better corporate management, Australia’s cyber defences will remain fragmented and inadequate.

Greg Austin, Professor UNSW Canberra Cyber, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Don’t be phish food! Tips to avoid sharing your personal information online




Nik Thompson, Curtin University

Data is the new oil, and online platforms will siphon it off at any opportunity. Platforms increasingly demand our personal information in exchange for a service.

Avoiding online services altogether can limit your participation in society, so the advice to just opt out is easier said than done.

Here are some tricks you can use to avoid giving online platforms your personal information. Some ways to limit your exposure include using “alternative facts”, using guest check-out options, and a burner email.

Alternative facts

While “alternative facts” is a term coined by White House press staff to describe factual inaccuracies, in this context it refers to false details supplied in place of your personal information.






This is an effective strategy to avoid giving out information online. Though platforms might insist you complete a user profile, they can do little to check whether that information is correct. For example, they can check whether a phone number contains the correct number of digits, or whether an email address has a valid format, but that’s about it.

When a website requests your date of birth, address, or name, consider how this information will be used and whether you’re prepared to hand it over.

There’s a distinction to be made between which platforms do or don’t warrant using your real information. If it’s an official banking or educational institute website, then it’s important to be truthful.

But an online shopping, gaming, or movie review site shouldn’t require the same level of disclosure, and using an alternative identity could protect you.

Secret shopper

Online stores and services often encourage users to set up a profile, offering convenience in exchange for information. Stores value your profile data, as it can provide them additional revenue through targeted advertising and emails.

But many websites also offer a guest checkout option to streamline the purchase process. After all, one thing as valuable as your data is your money.

So unless you’re making very frequent purchases from a site, use guest checkout and skip profile creation altogether. Even without disclosing extra details, you can still track your delivery, as tracking is provided by transport companies (and not the store).

Also consider your payment options. Many credit cards and payment merchants such as PayPal provide additional buyer protection, adding another layer of separation between you and the website.

Avoid sharing your bank account details online, and instead use an intermediary such as PayPal, or a credit card, to provide additional protection.

If you use a credit card (even prepaid), then even if your details are compromised, any potential losses are limited to the card balance. Also, with credit cards this balance is effectively the bank’s funds, meaning you won’t be charged out of pocket for any fraudulent transactions.

Burner emails

An email address is usually the first item a site requests.

They also often require email verification when a profile is created, and that verification email is probably the only one you’ll ever want to receive from the site. So rather than handing over your main email address, consider a burner email.

This is a fully functional but disposable email address that remains active for about 10 minutes. You can get one for free from online services including Maildrop, Guerilla Mail and 10 Minute Mail.

Just make sure you don’t forget your password, as you won’t be able to recover it once your burner email becomes inactive.

The 10 Minute Mail website offers free burner emails. (Screenshot)

The risk of being honest

Every online profile containing your personal information is another potential target for attackers. The more profiles you make, the greater the chance of your details being breached.

A breach in one place can lead to others. Names and emails alone are sufficient for email phishing attacks. And a phish becomes more convincing (and more likely to succeed) when paired with other details such as your recent purchasing history.

Surveys indicate about half of us recycle passwords across multiple sites. While this is convenient, it means if a breach at one site reveals your password, then attackers can hack into your other accounts.

In fact, even just an email address is a valuable piece of intelligence, as emails are used as a login for many sites, and a login (unlike a password) can sometimes be impossible to change.

Obtaining your email could open the door for targeted attacks on your other accounts, such as social media accounts.






In “password spraying” attacks, cybercriminals test common passwords against many emails/usernames in the hope of landing a correct combination.

The bottom line is, the safest information is the information you never release. And practising alternatives to disclosing your true details could go a long way to limiting your data being used against you.

Nik Thompson, Senior Lecturer, Curtin University


There is no specific crime of catfishing. But is it illegal?




Marilyn McMahon, Deakin University and Paul McGorrery, Deakin University

Twenty-year-old Sydney woman Renae Marsden died by suicide after she was the victim of an elaborate catfishing scam.

A recent coronial investigation into her 2013 death found no offence had been committed by the perpetrator, revealing the difficulties of dealing with this new and emerging phenomenon.

While we wait for law reform in this area, we think police and prosecutors could make better use of our existing laws to deal with these sorts of behaviours.

What is catfishing?

“Catfishing” occurs when a person creates a fake profile on social media in order to deceive someone else and abuse them, take their money or otherwise manipulate and control them.

While statistics about the prevalence of catfishing are elusive, popular dating sites such as eHarmony and the Australian government’s eSafety Commission offer advice about spotting catfishers.






Catfishing is also the subject of an MTV reality series, major Hollywood films, and psychological research on why people do it.

Dangerous, damaging but not a specific crime

There is no specific crime of catfishing in Australia. But there are many different behaviours involved in catfishing, which can come under various existing offences.

One of these is financial fraud. In 2018, a Canberra woman pleaded guilty to 10 fraud offences after she created an elaborate and false online profile on a dating website. She befriended at least ten men online, then lied to them about having cancer and other illnesses and asked them to help her pay for treatment. She obtained more than $300,000.

Catfishers create fake online profiles to deceive others. (Image: Shutterstock)

Another crime associated with catfishing is stalking. In 2019, a Victorian woman was convicted of stalking and sentenced to two years and eight months jail after she created a Facebook page where she pretended to be Australian actor Lincoln Lewis. This case is currently subject to an appeal.

The grey area of psychological and emotional abuse

When catfishing doesn’t involve fraud or threats, but involves psychological and emotional manipulation, it can be more difficult to obtain convictions.

One of the most notorious cases occurred more than a decade ago in the United States. Missouri mother Lori Drew catfished a teenager she believed had been unkind to her daughter.






With the help of her daughter and young employee, Drew created a fake MySpace profile as a teenage boy and contacted the 13-year-old victim. Online flirting took place until the relationship was abruptly ended. The victim was told that “the world would be a better place without her”. Later that day, she killed herself.

Because the harm suffered by the victim was not physical but psychological, and had been perpetrated online, prosecutors had trouble identifying an appropriate criminal charge.

Eventually, Drew was charged with computer fraud and found guilty. But the conviction was overturned in 2009 when an appeal court concluded the legislation was never meant to capture this type of behaviour.

Renae Marsden’s case

The harm done to Marsden was also psychological and emotional. She was deliberately deceived and psychologically manipulated through the creation of a fake online identity by one of her oldest female friends.

Marsden thought she had met a man online who would become her husband. For almost two years, they exchanged thousands of text and Facebook messages. Marsden ended an engagement to another man so that she could be with the man she met online. They planned their wedding.

When he abruptly ended the relationship, Marsden ended her life.

The coroner described the conduct of Marsden’s catfisher as “appalling” and an “extreme betrayal”, but found that no offence had been committed. She observed:

Where ‘catfishing’ is without threat or intimidation or is not for monetary gain, then the conduct appears to be committed with the intent to coerce and control someone for the purpose of a wish fulfilment or some other gratification. Though such conduct may cause the recipient mental and or physical harm because it is not conduct committed with the necessary intent it falls outside the parameters of a known State criminal offence.

Existing laws like manslaughter could apply

We disagree with the coroner’s conclusion. We think that existing state criminal offences might capture some of this behaviour.

In particular, deliberately deceptive and psychologically manipulative online conduct, resulting in the death of a victim by suicide, could potentially make a perpetrator liable for manslaughter.

This is because a perpetrator who commits the offence of recklessly causing grievous bodily harm (which may include psychological harm), in circumstances where a reasonable person would realise this exposed the victim to an appreciable risk of serious injury, could be liable for the crime of “manslaughter by unlawful and dangerous act”.

Such prosecutions can and should be contemplated as an appropriate response to the serious wrongdoing that has occurred.

Where to from here?

Marsden’s parents are pushing for catfishing to be made illegal.

Teresa and Mark Marsden want catfishing to be made illegal. (Image: Dean Lewis/AAP)

The coroner chose not to recommend a specific offence of catfishing, noting:

there are complex matters which were not canvassed at the inquest which need to be taken into account before any coronial recommendation involving the introduction of criminal legislation.

But the report did recommend a closer look at making “coercive control” an offence.

Coercive control involves a wide range of controlling behaviours and could potentially criminalise the sort of psychologically and emotionally abusive conduct Marsden experienced.

It is also on the political agenda. In March, New South Wales Attorney-General Mark Speakman announced he would consult on possible new “coercive control” laws.






We note, however, that the coercive control discussion is happening in the context of domestic violence. Whether prospective new laws can or should extend to catfishing will require careful consideration and drafting.

While we wait for a new offence, we should also ensure that we make use of the laws we already have to protect people from the devastating damage that can be done by catfishing.

Marilyn McMahon, Deputy Dean, School of Law, Deakin University and Paul McGorrery, PhD Candidate in Criminal Law, Deakin University


Trump’s Twitter tantrum may wreck the internet


Michael Douglas, University of Western Australia

US President Donald Trump, who tweeted more than 11,000 times in the first two years of his presidency, is very upset with Twitter.

Earlier this week Trump tweeted complaints about mail-in ballots, alleging voter fraud – a familiar Trump falsehood. Twitter attached a label to two of his tweets with links to sources that fact-checked the tweets, showing Trump’s claims were unsubstantiated.

Trump retaliated with the power of the presidency. On May 28 he made an “Executive Order on Preventing Online Censorship”. The order focuses on an important piece of legislation: section 230 of the Communications Decency Act 1996.






What is section 230?

Section 230 has been described as “the bedrock of the internet”.

It affects companies that host content on the internet. It provides in part:

(2) Civil liability. No provider or user of an interactive computer service shall be held liable on account of

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

This means that, generally, the companies behind Google, Facebook, Twitter and other “internet intermediaries” are not liable for the content on their platforms.

For example, if something defamatory is written by a Twitter user, the company Twitter Inc will enjoy a shield from liability in the United States even if the author does not.






Trump’s executive order

Within the US legal system, an executive order is a “signed, written, and published directive from the President of the United States that manages operations of the federal government”. It is not legislation. Under the Constitution of the United States, Congress – the equivalent of our Parliament – has the power to make legislation.

Trump’s executive order claims to protect free speech by narrowing the protection section 230 provides for social media companies.

The text of the order includes the following:

It is the policy of the United States that such a provider [who does not act in “good faith”, but stifles viewpoints with which they disagree] should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider …

To advance [this] policy … all executive departments and agencies should ensure that their application of section 230 (c) properly reflects the narrow purpose of the section and take all appropriate actions in this regard.

The order attempts to do a lot of other things too. For example, it calls for the creation of new regulations concerning section 230, and what “taken in good faith” means.

The reaction

Trump’s action has some support. Republican senator Marco Rubio said if social media companies “have now decided to exercise an editorial role like a publisher, then they should no longer be shielded from liability and treated as publishers under the law”.

Critics argue the order threatens, rather than protects, freedom of speech, thus threatening the internet itself.

The status of this order within the American legal system is an issue for American constitutional lawyers. Experts were quick to suggest the order is unconstitutional; it seems contrary to the separation of powers enshrined in the US Constitution (which partly inspired Australia’s Constitution).

Harvard Law School constitutional law professor Laurence Tribe has described the order as “totally absurd and legally illiterate”.

That may be so, but the constitutionality of the order is an issue for the US judiciary. Many judges in the United States were appointed by Trump or his ideological allies.

Even if the order is legally illiterate, it should not be assumed it will lack force.

What this means for Australia

Section 230 is part of US law. It is not in force in Australia. But its effects are felt around the globe.

Social media companies who would otherwise feel safe under section 230 may be more likely to remove content when threatened with legal action.

The order might cause these companies to change their internal policies and practices. If that happens, policy changes could be implemented at a global level.

Compare, for example, what happened when the European Union introduced its General Data Protection Regulation (GDPR). Countless companies in Australia had to ensure they were meeting European standards. US-based tech companies such as Facebook changed their privacy policies and disclosures globally – they did not want to meet two different privacy standards.

If section 230 is diminished, it could also impact Australian litigation by providing another target for people who are hurt by damaging content on social media, or accessible by internet search. When your neighbour defames you on Facebook, for example, you can sue both the neighbour and Facebook.

That was already the law in Australia. But with a toothless section 230, if you win, the judgement could be enforceable in the US.

Currently, suing certain American tech companies is not always a good idea. Even if you win, you may not be able to enforce the Australian judgement overseas. Tech companies are aware of this.

In 2017 litigation, Twitter did not even bother sending anyone to respond to litigation in the Supreme Court of New South Wales involving leaks of confidential information by tweet. When tech companies like Google have responded to Aussie litigation, it might be understood as a weird brand of corporate social responsibility: a way of keeping up appearances in an economy that makes them money.

A big day for ‘social media and fairness’?

When Trump made his order, he called it a big day for “fairness”. This is standard Trump fare. But it should not be dismissed outright.

As our own Australian Competition and Consumer Commission recognised last year in its Digital Platforms Inquiry, companies such as Twitter have enormous market power. Their exercise of that power does not always benefit society.

In recent years, social media has advanced the goals of terrorists and undermined democracy. So if social media companies can be held legally liable for some of what they cause, it may do some good.

As for Twitter, the inclusion of the fact check links was a good thing. It’s not like they deleted Trump’s tweets. Also, they’re a private company, and Trump is not compelled to use Twitter.

We should support Twitter’s recognition of its moral responsibility for the dissemination of information (and misinformation), while still leaving room for free speech.

Trump’s executive order is legally illiterate spite, but it should prompt us to consider how free we want the internet to be. And we should take that issue more seriously than we take Trump’s order.

Michael Douglas, Senior Lecturer in Law, University of Western Australia


Internet traffic is growing 25% each year. We created a fingernail-sized chip that can help the NBN keep up


This tiny micro-comb chip produces a precision rainbow of light that can support transmission of 40 terabits of data per second in standard optic fibres. (Image: Corcoran et al., Nature Communications, 2020, CC BY-SA)

Bill Corcoran, Monash University

Our internet connections have never been more important to us, nor have they been under such strain. As the COVID-19 pandemic has made remote working, remote socialisation, and online entertainment the norm, we have seen an unprecedented spike in society’s demand for data.

Singapore’s prime minister declared broadband to be essential infrastructure. The European Union asked streaming services to limit their traffic. Video conferencing service Zoom was suddenly unavoidable. Even my parents have grown used to reading to my four-year-old over Skype.

In Australia, telecommunications companies have supported this growth, with Telstra removing data caps on users and the National Broadband Network (NBN) enabling ISPs to expand their network capacity. In fact, the NBN saw its highest ever peak capacity of 13.8 terabits per second (Tbps) on April 8 this year. A terabit is one trillion bits, and 1 Tbps is the equivalent of about 40,000 standard NBN connections.






This has given us a glimpse of the capacity crunch we could be facing in the near future, as high-speed 5G wireless connections, self-driving cars and the internet of things put more stress on our networks. Internet traffic is growing by 25% each year as society becomes increasingly connected.

We need new technological solutions to expand data infrastructure, without breaking the bank. The key to this is making devices that can transmit and receive massive amounts of data using the optical fibre infrastructure we have already spent time and money putting into the ground.

A high-speed rainbow

Fortunately, such a device is at hand. My colleagues and I have demonstrated a new fingernail-sized chip that can transmit data at 40 Tbps through a single optical fibre connection of the same kind used in the NBN. That’s about three times the record data rate for the entire NBN network and about 100 times the speed of any single device currently used in Australian fibre networks.

The chip uses an “optical micro-comb” to create a rainbow of infrared light that allows data to be transmitted with many frequencies of light at the same time. Our results are published in Nature Communications today.

This collaboration, between Monash, RMIT and Swinburne universities in Melbourne, and international partners (INRS, CIOPM Xi’an, CityU Hong Kong), is the first “field-trial” of an optical micro-comb system, and a record capacity for such a device.

The internet runs on light

Optical fibres have formed the backbone of our communication systems since the late 1980s. The fibres that link the world together carry light signals that are periodically boosted by optical amplifiers which can transmit light with a huge range of wavelengths.

To make the most of this range of wavelengths, different information is sent using signals of different infrared “colours” of light. If you’ve ever seen a prism split up white light into separate colours, you’ve got an insight into how this works – we can add a bunch of these colours together, send the combined signal through a single optical fibre, then split it back up again into the original colours at the other end.






Making powerful rainbows from tiny chips

Optical micro-combs are tiny gadgets that in essence use a single laser, a temperature-controlled chip, and a tiny ring called an optical resonator to send out signals using many different wavelengths of light.

(Left) Micrograph of the optical ring resonator on the chip. Launching light from a single laser into this chip generates over 100 new laser lines (right). We use 80 lines in the optical C-band (right, green shaded) for our communications system demonstration. (Image: Corcoran et al., Nature Communications, 2020)

Optical combs have had a major impact on a massive range of research in optics and photonics. Optical microcombs are miniature devices that can produce optical combs, and have been used in a wide range of exciting demonstrations, including optical communications.

The key to micro-combs are optical resonator structures, tiny rings (see picture above) that when hit with enough light convert the incoming single wavelength into a precise rainbow of wavelengths.

The demonstration

The test was carried out on a 75-km optical fibre loop in Melbourne.

For our demonstration transmitting data at 40 Tbps, we used a novel kind of micro-comb called a “soliton crystal” that produces 80 separate wavelengths of light that can carry different signals at the same time. To prove the micro-comb could be used in a real-world environment, we transmitted the data through installed optical fibres in Melbourne (provided by AARNet) between RMIT’s City campus and Monash’s Clayton campus and back, for a round trip of 75 kilometres.

This shows that the optical fibres we have in the ground today can handle huge capacity growth, simply by changing what we plug into those fibres.

What’s next?

There is more work to do! Monash and RMIT are working together to make the micro-comb devices more flexible and simpler to run.

Putting not only the micro-comb, but also the modulators that turn an electrical signal into an optical signal, on a single chip is a tremendous technical challenge.

There are new frontiers of optical communications to explore with these micro-combs, looking at using parallel paths in space, improving data rates for satellite communications, and in making “light that thinks”: artificial optical neural networks. The future is bright for these tiny rainbows.


We gratefully acknowledge the support of Australia’s Academic Research Network (AARNet) in providing access to the field-trial cabling through the Australian Lightwave Infrastructure Research Testbed (ALIRT), and in particular Tim Rayner, John Nicholls, Anna Van, Jodie O’Donohoe and Stuart Robinson.

Bill Corcoran, Lecturer & Research Fellow, Monash Photonic Communications Lab & InPAC, Monash University

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The darknet – a wild west for fake coronavirus ‘cures’? The reality is more complicated (and regulated)


James Martin, Swinburne University of Technology

The coronavirus pandemic has spawned reports of unregulated health products and fake cures being sold on the dark web. These include black market PPE, illicit medications such as the widely touted “miracle” drug chloroquine, and fake COVID-19 “cures” including blood supposedly from recovered coronavirus patients.

These dealings have once again focused public attention on this little-understood section of the internet. Nearly a decade since it started being used on a significant scale, the dark web continues to be a lucrative safe haven for traders in a range of illegal goods and services, especially illicit drugs.

Black market trading on the dark web is carried out primarily through darknet marketplaces or cryptomarkets. These are anonymised trading platforms that directly connect buyers and sellers of a range of illegal goods and services – similar to legitimate trading websites such as eBay.

So how do darknet marketplaces work? And how much illegal trading of COVID-19-related products is happening via these online spaces?

Not a free-for-all

There are currently more than a dozen darknet marketplaces in operation. Because these sites are protected by powerful encryption technology, authorities around the world have largely failed to contain their growth. A steadily increasing proportion of illicit drug users around the world report sourcing their drugs online. In Australia, we have one of the world’s highest concentrations of darknet drug vendors per capita.

Contrary to popular belief, cryptomarkets are not the “lawless spaces” they’re often presented as in the news. Market prohibitions exist on all mainstream cryptomarkets. Universally prohibited goods and services include: hitman services, trafficked human organs and snuff movies.

Although cryptomarkets lie outside the realm of state regulation, each one is set up and maintained by a central administrator who, along with employees or associates, is responsible for the market’s security, dispute resolution between buyers and sellers, and the charging of commissions on transactions.

Administrators are also ultimately responsible for determining what can and can’t be sold on their cryptomarket. These decisions are likely informed by:

  • the attitudes of the surrounding community comprising buyers and sellers
  • the extent of consumer demand and supply for certain products
  • the revenues a site makes from commissions charged on transactions
  • and the perceived “heat” that may be attracted from law enforcement in the trading of particularly dangerous illegal goods and services.

Experts delve into the dark web

A report from the Australian National University published last week looks at several hundred coronavirus-related products for sale across a dozen cryptomarkets, including supposed vaccines and antidotes.

While the study confirms some unscrupulous dark web traders are indeed exploiting the pandemic and seeking to defraud naïve customers, this information should be contextualised with a couple of important caveats.

Firstly, the number of dodgy COVID-related products for sale on the dark web is relatively small. According to this research, they account for about 0.2% of all listed items. The overwhelming majority of products were those we are already familiar with – particularly illicit drugs such as cannabis and MDMA.

Also, while the study focused on products listed for sale, these are most likely listings for products that either do not exist or are listed with the specific intention of defrauding a customer.

Thus, the actual sale of fake coronavirus “cures” on the dark web is likely minimal, at best.

A self-regulating entity

By far the most commonly traded products on cryptomarkets are illicit drugs. Smaller sub-markets exist for other products such as stolen credit card information and fraudulent identity documents.

This isn’t to say extraordinarily dangerous and disturbing content, such as child exploitation material, can’t be found on the dark web. Rather, the sites that trade in such “products” are segregated from mainstream cryptomarkets, in much the same way convicted paedophiles are segregated from mainstream prison populations.

Since the outbreak of the coronavirus, dark web journalist and author Eileen Ormsby has reported that some cryptomarkets have quickly imposed bans on vendors seeking to profit from the pandemic. For instance, the following was tweeted by one cryptomarket administrator:

Any vendor caught flogging goods as a “cure” to coronavirus will not only be permanently removed from this market but should be avoided like the Spanish Flu. You are about to ingest drugs from a stranger on the internet – under no circumstances should you trust any vendor that is using COVID-19 as a marketing tool to peddle tangible/already questionable goods. I highly doubt many of you would fall for that shit to begin with but you know, dishonest practice is never a good sign and a sure sign to stay away.

So it seems, despite the activities of a few dodgy operators, the vast majority of dark web traders are steering clear of exploiting the pandemic for their own profit. Instead, they are sticking to trading in products they can genuinely supply, such as illicit drugs.

James Martin, Associate Professor in Criminology, Swinburne University of Technology

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The coronavirus lockdown is forcing us to view ‘screen time’ differently. That’s a good thing


Karl Sebire, University of New England

“How would we have coped before the internet?” is a quandary likely posed by someone you know.

Beyond being a whimsical hypothetical, this question is relevant at a time when the digital age is ridiculed as the end of social skills as we know them. COVID-19 has seen society pivot, almost overnight, from real world interactions to the online space.

We have gone from mingling with colleagues, classmates and friends to being told to move our social interactions safely behind a webcam and sanitised keyboard. Internet providers and servers around the globe are being pushed to the limit as kitchen tables become boardrooms and laps become school desks.

Thus, it is cause to reframe our views on screen time – an activity that consumes, now more than ever, a significant proportion of our day.

COVID-19’s impact on screen time

With more than 90% of Australians having a smartphone, our often pilloried devices are now more essential to daily life than ever. As people fulfil their civic duty by staying home, platforms and internet providers are facing an unprecedented surge in online activity.

Australia’s National Broadband Network (NBN) has seen a daytime usage increase of 70-80%, compared to figures in February.

Demand for streaming sites across the globe has intensified, with Amazon and Netflix having to reduce video quality in some countries to handle the strain.

In March, Zoom knocked Facebook and Netflix down the Apple and Google mobile app store rankings in the US, as people sought video chat options.

Social media and video/online gaming are also flourishing.

If we’re to take anything away from the significant increase in screen time caused by this pandemic, it is that human connection in the digital age comes in many forms.

Think of screen time as calories

We must acknowledge the umbrella term “screen time” can denote both positive and negative interactions with technology.

Think of screen time as consuming calories. All humans require calories to function. This unit of energy provides nutritional information relating to the contents of a food item, such as a chocolate bar or a carrot.

Although both foods contain calories, we know the carrot is the healthier source. While professionals might offer advice about which provides the most beneficial nutrition, the individual should still have agency over what they consume.

Similarly, people should be able to choose to partake in online activities not normally deemed “productive” – but which may help them through their day.
Like calories, screen time is about moderation, making responsible choices and exercising self-control.

Lockdown and locked screens

Just as there are good and bad calories, so too exist good and bad examples of screen time. It is therefore not helpful to use the overarching term “screen time” when discussing how technology use should be moderated.

An hour spent researching for an assignment is not tantamount to an hour spent watching cat videos, as the former is contributing to learning.

Also, an hour on social media chatting with friends is productive if it allows you to socialise at a time when important social interactions can’t otherwise take place (such as during lockdown). In this way, the current pandemic is not only helping shift our views on screen time – but has subtly rewritten them, too.

The coronavirus crisis may be an exercise in self-control for many of us, as we reach for our smartphones to bide idle time.

Screen time does not necessarily need to be objectively “beneficial”, nor does it need to have arbitrary time limits associated with it to prevent it from being detrimental.

Appropriate use is contextual. This fact should determine how parents, teachers and policymakers moderate its use, as opposed to mandating a certain number of hours per day, and not specifying how these hours should be spent.

We must steer clear of blanket statements when it comes to critiquing screen time. Our digital diets vary significantly, just as our real diets do. Consequently, screen time should be approached with a level of flexibility.

Fear fuels stigma

Some of the derision and concern associated with time spent on digital devices can be attributed to a fear of the new.

Swiss scientist Conrad Gessner was among the first to raise alarm over information overload, claiming an overabundance of data was “confusing and harmful” to the mind. If you’re not familiar with Gessner’s theory, it may be because he exclaimed it back in 1565, in response to the printing press.

Gessner’s warnings referred to the seemingly unmanageable flood of information unleashed by Johannes Gutenberg’s contraption. Fear of the new has permeated the debate on emerging technologies for generations.

And Gessner is not alone. From the New York Times warning in the late 1800s the telephone would invade our privacy, to concerns in the 1970s the rapid pacing of children’s shows such as Sesame Street led to distractibility – it is inherent human behaviour to be cautious about what we don’t fully understand.

Yet, many of these proclamations seem almost absurd in retrospect. What will later generations look back upon as statements fuelled by paranoia and fear, just because a new technology had disrupted the status quo?

Karl Sebire, Researcher (Technology and education), University of New England

This article is republished from The Conversation under a Creative Commons license. Read the original article.

‘Click for urgent coronavirus update’: how working from home may be exposing us to cybercrime


Craig Valli, Edith Cowan University

Apart from the obvious health and economic impacts, the coronavirus also presents a major opportunity for cybercriminals.

As staff across sectors and university students shift to working and studying from home, large organisations are at increased risk of being targeted. With defences down, companies should go the extra mile to protect their business networks and employees at such a precarious time.

Reports suggest hackers are already exploiting remote workers, luring them into online scams masquerading as important information related to the pandemic.

On Friday, the Australian Competition and Consumer Commission’s Scamwatch reported that since January 1 it had received 94 reports of coronavirus-related scams, and this figure could rise.

As COVID-19 causes a spike in telework, telehealth and online education, cybercriminals have fewer hurdles to jump in gaining access to networks.

High-speed access theft

The National Broadband Network’s infrastructure has afforded many Australians access to higher-speed internet, compared with DSL connections. Unfortunately this also gives cybercriminals high-speed access to Australian homes, letting them rapidly extract personal and financial details from victims.

The shift to working from home means many people are using home computers, instead of more secure corporate-supplied devices. This provides criminals relatively easy access to corporate documents, trade secrets and financial information.

Instead of attacking a corporation’s network, which would likely be secured with advanced cybersecurity countermeasures and tracking, they now simply have to locate and attack the employee’s home network. This means less chance of discovery.

Beware cryptolocker attacks

Cryptolocker-based attacks are advanced cyberattacks that can bypass many traditional countermeasures, including antivirus software, because they are designed and built by advanced cybercriminals.

Most infections from a cryptolocker virus happen when people open unknown attachments, sent in malicious emails.

In some cases, the attack can be traced to nation state actors. One example is the infamous WannaCry cyberattack, which deployed malware (software designed to cause harm) that encrypted computers in more than 150 countries. The hackers, supposedly from North Korea, demanded cryptocurrency in exchange for unlocking them.

If an employee working from home accidentally activates cryptolocker malware while browsing the internet or reading an email, this could first take out the home network, then spread to the corporate network, and to other attached home networks.

This can happen if their device is connected to the workplace network via a Virtual Private Network (VPN). This makes the home device an extension of the corporate network, and the virus can bypass any advanced barriers the corporate network may have.

If devices are attached to a network that has been infected and not completely cleaned, the contaminant can rapidly spread again and again. In fact, a single device that isn’t cleaned properly can cause millions of dollars in damage. This happened during the 2016 Petya and NotPetya malware attack.

Encryption: not a cryptic concept

On the bright side, there are some steps organisations and employees can take to protect their digital assets from opportunistic criminal activity.

Encryption is a key weapon in this fight. This security method protects files and network communications by methodically “scrambling” the contents using an algorithm. The receiving party is given a key to unscramble, or “decrypt”, the information.

With remote work booming, encryption should be enabled for files on hard drives and USB sticks that contain sensitive information.

Enabling encryption on a Windows or Apple device is also simple. And don’t forget to back up your encryption keys onto a USB drive when prompted, and store them in a safe place such as a locked cabinet, or off site.
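The Windows side of that advice, as an added example that is not from the article: turning on full-disk encryption for the system drive, writing the recovery password to a removable drive so it can be stored off the machine, and checking that protection is actually active. It assumes Windows 10/11 Pro or Enterprise with a TPM and administrator rights; the USB drive letter `E:` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own instructions): enable BitLocker on the
# system drive, back up the recovery password to a USB stick, verify status.
# Assumptions: Windows 10/11 Pro or Enterprise with a TPM; a removable drive
# mounted at $UsbDrive (placeholder letter, change it to match your machine).
param(
    [string]$SystemDrive = $env:SystemDrive,   # normally "C:"
    [string]$UsbDrive    = "E:"                # placeholder removable drive
)

$vol = Get-BitLockerVolume -MountPoint $SystemDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # XTS-AES-256 is the strongest method BitLocker offers. -UsedSpaceOnly
    # keeps the first pass short; the recovery-password protector is the
    # 48-digit key that is backed up below. -SkipHardwareTest avoids the
    # reboot-and-test cycle so the command completes in one go.
    Enable-BitLocker -MountPoint $SystemDrive `
        -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly `
        -RecoveryPasswordProtector `
        -SkipHardwareTest
    # Let the TPM unlock the drive at boot so users are not prompted each time.
    Add-BitLockerKeyProtector -MountPoint $SystemDrive -TpmProtector | Out-Null
}

# Pull the recovery password out of the volume's key protectors.
$recovery = (Get-BitLockerVolume -MountPoint $SystemDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $recovery) {
    throw "No recovery password protector found on $SystemDrive"
}

# Write it to the removable drive; the stick then goes in a locked cabinet
# or off site, never left plugged into the laptop it protects.
$keyFile = Join-Path $UsbDrive "BitLocker-Recovery-$($env:COMPUTERNAME).txt"
@(
    "Computer:          $env:COMPUTERNAME"
    "Volume:            $SystemDrive"
    "Protector ID:      $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
    "Saved:             $(Get-Date -Format o)"
) | Set-Content -Path $keyFile -Encoding UTF8

# Verify: protection should be On and the strong cipher in use. Encryption
# of free space may still be in progress; protection is active regardless.
$vol = Get-BitLockerVolume -MountPoint $SystemDrive
[pscustomobject]@{
    Volume           = $SystemDrive
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    VolumeStatus     = $vol.VolumeStatus
    KeyBackedUpTo    = $keyFile
}
```

Run the script once as an administrator; if `ProtectionStatus` comes back `Off`, the TPM protector was not added and the drive is not yet protected at boot.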

VPNs help close the loop

A VPN should be used at all times when connected to WiFi, even at home. This tool helps mask your online activity and location, by routing outgoing and incoming data through a secure “virtual tunnel” between your computer and the VPN server.

Existing WiFi access protocols (WEP, WPA, WPA2) are insecure when being used to transmit sensitive data. Without a VPN, cybercriminals can more easily intercept and retrieve data.

VPN support is already built into Windows and Apple devices. Most reputable antivirus internet protection suites also incorporate one.

It’s also important that businesses and organisations encourage remote employees to use the best malware and antiviral protections on their home systems, even if this comes at the organisation’s expense.

Backup, backup, backup

People often backup their files on a home computer, personal phone or tablet. There is significant risk in doing this with corporate documents and sensitive digital files.

When working from home, sensitive material can be stored in a location unknown to the organisation. This could be a cloud location (such as iCloud, Google Cloud, or Dropbox), or via backup software the user owns or uses. Files stored in these locations may not be protected under Australian laws.

Businesses choosing to save files on the cloud, on an external hard drive or on a home computer need to identify backup regimes that fit the risk profile of their business. Essentially, if you don’t allow files to be saved on a computer’s hard drive at work, and use the cloud exclusively, the same level of protection should apply when working from home.

Appropriate backups must be observed by all remote workers, along with standard cybersecurity measures such as firewall, encryption, VPN and antivirus software. Only then can we rely on some level of protection at a time when cybercriminals are desperate to profit.

Craig Valli, Director of ECU Security Research Institute, Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.