In the past few years there have been remarkable low lights in the overall quality of reports coming from official channels about information technology. There was the light weight report from the Standing Committee on Communications entitled "Hackers, Fraudsters and Botnets". There have been a few reports commissioned by the minister for communications and broadband that weren't even worth the electrons they were written on.
With such mediocre efforts on offer, it makes a refreshing change to read the Targeting Scams report from ACCC (available as a PDF). It is a timely, methodical and well written report which gives a good summary of scams reported to the ACCC ScamWatch site. It also includes a few representative "case studies", which do not mention the victims names. It is heartening to see evidence that "our money" is being well spent ...
The billion dollars that Australians may have spent on scams is just an estimate. As the author admits, in the report, they have based their conclusions on what is actually reported to the ACCC. For a government body, the recommendations in the report are surprisingly sensible and practical. Rather than hysteria and cries for extreme remedies and "new legislation", we have encountered in other reports, this ACCC report recommends education ... Which could alert potential victims of the modus operand ... And encourage victims to speak out when they have been duped. There is also a list of Fraud task force agencies.
The report contains the sage advise, repeated by the Justice Minister at his door-stop interview, that "If it sounds too good be true then it probably is". This is advice that is oft-repeated. For example, the New York Times recently published a frank admission from a victim, about what he describes as A Lamp Too Good To Be True, which illustrates how even experienced and world-wise lawyers can be duped by online confidence tricksters.
Remarkably, according to the ACCC report Advance Fee Fraud (AFF), may be the leading online scam. It accounts for 52.3% of reported scams. The report breaks the AFF scams into the following sub-categories:
Sub-category % Total Standard (419 or Nigerian style) 34.8 Lottery/Sweepstakes 8.2 Unexpected Lucky Prize 6.6 Dating, Romance, Adult Services 2.7
Figures copied from Table 4 on page 7 of ACCC Report
The standard ("Nigerian" style) scam tops the list of reported online scams at 34.8% -- The "dating and romance" sub-category (including "adult" services) although the smallest are increasing, and this sub-category often result in more substantial losses for individual victims. The author also brings to our attention once again, the fact that most "Nigerian" spammers, don't actually come from Nigeria. A fact that is sometimes over-looked by bloggers and commentators when discussing "Nigerian" style spam.
The full table in the ACCC report also includes figures for "Online shopping" which is 13% of the total reported and "False Billing" which is 6.6%. Which means that over 70% of reported scams involved the fraudulent collection of fees.
Nevertheless the trend towards online trading show no sign of slowing down. The criminals are just following the money. And if law-enforcement want to apprehend them, they could try that also (i.e. following the money).
And in your blogger's humble opinion, it would also make a refreshing
change if there was more concerted action from law enforcement agencies in
regard to investigation and prosecution of genuine cyber-criminals, rather
than devoting so much time and resources to pursuing misguided, sometimes
annoying although mostly harmless and well-meaning miscreants such as the
online hactivist group Anonymous.
The report also fails to mention the broken Internet security paradigm that has evolved thanks largely to Microsoft, and the many companies that have emulated Microsoft's poor design and dumbing down of interfaces. This has led to.
- A profound and wide-spread ignorance of the basics of computing and data storage. Many computer users do not understand what a bit or a byte is. Nor do they understand what a file or folder is. Nor how a computer user might interact with them ... And thanks mostly to two decades of exposure to Microsoft stupidity, many of them don't even care to find out.
- An operating system (Windows) that has been designed to consider certain filename suffixes as "special" ... (.exe, .bat, .cmd, .vbs, etc), and therefore above such mundane considerations as "execute permissions". This makes it easy for "bad guys" to insert malicious executable files into the user interface. A more secure operating systems would rely exclusively on permissions to decide whether a file is "executable".
- A cavalier disregard for security when mounting external devices and opening files. The default behaviour for USB devices will automatically execute certain files on external devices whenever they are inserted into a local USB port. Software packages will automatically execute procedures embedded in certain files. This ignores the lessons of history. Lessons which should have been learned during the boot sector floppy virus fiasco last century. Even though this default behaviour can be turned off. Most users do not know how to (or worse still, do not care to)
- A Mail User Agent (Outlook) which can only be described as appalling when it comes to security. There is nothing in the SMTP protocol that suggest that any data streams and/or attachments should be clickeable. And yet Outlook has been designed to operate on emails, and decode and deploy MIME encoded attachments, almost exclusively with the single click of a mouse. Plain text messages have been been (deliberately?) discouraged (with default behaviour that makes plain text appear ugly and malformed). HTML is automatically rendered and hidden from the user by default ... And most astounding of all ... Files that end in those "special" suffixes (above) Will be loaded into local user space and executed immediately with only a single mouse click! ... If the user is running as a privleged user, malign software can (and will) gain "root" access
Of course those are only the obvious security flaws. The flaws go all the way down (including interaction with websites). Last week, a news article appeared about the same time that the ACCC released their report ... About a new "trojan" called "Tatanga". The first reports that your humble blogger read mentioned that this was a "universal trojan", and would compromise all browsers ... Including Internet Explorer, Mozilla Firefox, Google Chrome and Konqueror! This certainly sounded alarming. Your blogger often uses Konqueror, since it is the default browser for Kubuntu.
However it turned out that the alarming "trojan" was not so universal. It
only compromises the Windows versions of those browsers. Since most browsers
running on Windows machines use common Microsoft components, vulnerabilities
in these areas make an ideal vector to get between the browser and the
Internet. The "Tatanga trojan" appears to be a re-write of an old and
well-documented vulnerability. Most of the articles and blogs about it include
a long list of nasty side effects which in your blogger's humble opinion are
just more good reasons not to do Internet banking (or any financial
activities) with a Windows PC at home.
Also news has just come in about a very large global paedophile ring that has been infiltrated and "smashed" by an international task force that includes British and European police and the Australian Federal Police.
The primary server ("loverboy") was based in the Netherlands and the initial reports seem to indicate that it had very tight security. Police managed to infiltrate it by using traditional policing methods and legwork. This involved interviews with suspects and offering prosecution deals to them. Then with the passwords gained from the interviews, police officers were able to infiltrate the network and make contact with the paedophiles who used the site to exchange information and boast to each other about their crimes.
This was a classic police operation. Most news website now report that the gang was the biggest ever and has been "taken down" ("smashed") ... And that hundreds will face prosecution. Your blogger can only hope that many of the principals ... Those who actually organise and commit crimes against children will face prosecution.
And your blogger can't help offering his humble opinion that Senator Conroy's Internet Filter would have been utterly worthless in pursuing, preventing or locating any of these criminals.