It sounds like the stuff of sci-fi nightmares – a stranger hacking your baby cam and shouting abuse at your toddler. Someone controlling your home's lights and power points via a system that should only respond to your smartphone. Criminals watching you and your family from your smart TV without your knowledge.
But each of these has already happened, and mark the beginning of a cyber crime wave threatening business, governments and individuals around the world. The number of smart devices being connected online in what's called the "Internet of Things" will rocket from 13 billion to an estimated 50 billion by 2020. The problem, says LA security consultant Marc Goodman, is that they're all hackable.
We've wired the world but failed to secure it.
Marc Goodman, security consultant.
Goodman, who's worked with the likes of the FBI, Interpol and NATO, says the problem isn't new technology — "everything in our physical world is becoming a computer and there will be tremendous benefits from that" — but the lack of security.
High threat: Zeroaccess malware has infected devices and networks including POS systems in some Australian Pizza Hut stores. Photo: istock
In his new book, Future Crimes, he talks of upcoming threats including killer robots, malicious artificial intelligence and bio-threats. Even some computer-crime police think those particular topics are "crazy", but he's used to such reactions – he met them 20 years ago as part of the first wave of police investigating tech-based crimes.
The mind-boggling amount of information produced when 50 billion devices are networked together will effectively end privacy. Smart meters can reveal which TV show you're watching. A smart thermostat might be set to holiday mode, showing your absence. A smart fridge records your groceries. All can be hacked.
Red alert: Last year's TorrentLocker attacks which masqueraded as Post Office emails extorted an estimated $740,000. Photo: Glenn Hunt
What troubles Goodman most is the downside of computing power that doubles every two years. Robbery used to be a one-on-one affair in a dark alley; the 2013 Target hack stole 40 million credit card numbers. "Most people don't get [the nature of exponential growth], including policy makers," he says. "Bad guys seem pretty good at this stuff. We're in a world where crime's growing exponentially." Cyber crime's becoming automated, with programs for everything from so-called distributed denial of service attacks (DDOS) to hacking Facebook accounts or cameras. "When you take human beings out of the loop you take away any impediments to the growth of crime," Goodman says.
British firm Juniper Research predicts global cyber crime will hit $US2.1 trillion globally in 2019, quadrupling from this year's figure. Just last week, the Australian Crime Commission (ACC) predicted Australia will lose $1billion from cyber crime in 2015 – and the real figure could be much higher.
Last week's ACC report, Organised Crime in Australia 2015, says victims of cyber crime notified the Australian Cybercrime Online Reporting Network (ACORN) of more than $234 million in losses in the first quarter of the year. That figure only covers members of the public and small to medium businesses. ACORN receives 3500 reports each month including financial and romance scams and identity theft.
Growing internet take-up is one factor driving the "significant" threat, with 12.4 million internet subscribers and 20.6 million mobile internet subscribers by June 2014.
ACC's chief executive Chris Dawson tells Fairfax Media more connectivity means more opportunities for criminals.
"The rapidity of technological change is undoubtedly a challenge for law enforcement," he says, "but it's also an opportunity. We're able to identify targets ... that were previously unidentified. That's been a sting in the tale for criminals. As smart as they sometimes think they're operating, law enforcement can get a competitive advantage."
Wade Alcorn, the founder of Brisbane-based cyber-security consultants Alcorn Group, puts potential 2015 cyber-crime losses at $2 billion. He says the resources and energy sectors are typically Australia's biggest target, with financial institutions coming under renewed focus in the last couple of years.
"Cyber criminals have an ever-evolving business model that makes money from defrauding organisations," he says. "They are extremely creative when it comes to extracting value and monetising it."
Dawson says they've found "significant numbers" of "dark nets" – online forums and marketplaces where members' identity is cloaked in secrecy and items like drugs and child exploitation material are traded — "causing significant harm".
"[They're] enabling Australian-based criminals to not only use the technology to share information among themselves ... but also facilitates trade and illicit services. They're also able to use it to attack networks by using things like ransomware and malware," he says.
The ACC report details last year's TorrentLocker attacks. Australians began receiving emails with the Australia Post logo notifying them of a parcel. If they filled in a "captcha" – one of those boxes filled with distorted text designed to pick humans from computers – they could find out more.
But instead of a parcel, the email delivered a virus to their computer which locked it down. The victim had to pay a ransom in bitcoins – untraceable digital currency – purchased from Australian websites to regain control.
The digital extortion artists, who used a number of Aussie corporations as bait, raised up to $740,000 in 2014 from about 570 individuals and businesses.
They're not the only information superhighwaymen in cyberspace. Barry Brailey, chair of the NZ Internet Task Force, warned this month that ransom demands of 25 bitcoins each – about $7000 – have been made against four NZ companies and "a number" of Australian firms. Failure to do so would lead to a DDOS attack – flooding their network with requests for data, crippling its ability to operate. The cyber-criminals mount a one-hour attack to show what they can do.
And the ACC warns the Zeroaccess malware – which has infected a wide variety of devices, including POS systems in 60 Australian Pizza Hut stores – remains a "high threat". Between October and December 2014, 4000 Australian devices each day were infected by the malware, which enables criminals to carry out click fraud and bitcoin mining.
The potential for harm is increasing. Hackers will demonstrate how to control a factory-model car remotely for the first time, at the 2015 Black Hat security conference in Las Vegas. German authorities reported last year that hackers manipulated someone at a steel mill into clicking on an email link which enabled them to seize control of its production network, leading to the destruction of a blast furnace.
And what Goodman calls a "fairly seminal moment" came with an FBI affidavit claiming that American Chris Roberts has hacked into dozens of planes via their entertainment systems, once taking a plane's controls to make it climb and fly sideways. "If true … that's worth being perturbed about."
Goodman says, bluntly, "the internet broke policing." For a hotel robbery in Sydney, NSW police can be pretty confident the evidence and the criminals will be somewhere in the state. With bank hacks – the multinational Carbanak scam looted $1bn from dozens of banks — there can be a victim in Australia, a criminal in Brazil and evidence on a Russian server. He asks, "Which law jurisdiction applies? It's incredibly expensive to investigate and incredibly slow. We'll never arrest our way out of this problem." A better approach would be to "drain the swamp" that enables cyber crime – for example, creating software that's harder to hack, and designing automated security that works like an immune system, responding rapidly to different threats.
Graham Ingram became chief information officer at Brisbane-based For The Record in April 2015 after a security breach. The company supplies software used in court recordings around the world. Luckily, the breach was one of data loss – not personal information — from an external public forum not connected to the corporate system, but executives vowed never to let it happen again. "It was a landmark moment," says Ingram.
They're now integrating security across the business. The company's culture needs a security focus – do people click on links, for example? They're testing for and eliminating software bugs as they code, rather than waiting for a finished product. They're also considering whether their hardware delivers the best combination of security and efficiency.
Ingram echoes Goodman, saying perfect security is impossible. He prefers to focus 80 per cent of his resources on the most important 20 per cent of data. They keep some data on their own servers – such as programs they're testing – but other information goes on the cloud, with an extra layer of protection added.
The ACC's Dawson warns Australians to be "very careful in how you protect your online identity". Goodman says 85 per cent of attacks can be stopped by following a simple six-step protocol he's coined UPDATE. "When we go out in physical space we lock our doors and don't leave our car running with keys in it. I don't think people know how to do that in cyberspace. Teaching folks how to do that can make a big difference."
HOW TO PROTECT YOURSELF USING UPDATE
- U – automatically update all operating system software, programs and apps
- P – passwords should be 20 digits or longer and contain upper- and lower-case letters, numbers and symbols
- D – only download official software. A free program on torrent sites might end up costing you big-time
- A – never log in as admin on your computer
- T – turn your computer off when not using it
- E – encrypt the data on your home computer, your internet traffic and mobile phone
LOCK DOWN - HOW IT WORKS
1. An email appears asking for a captcha code to be entered to download an important form – as well as Australia Post, TorrentLocker used the Office of State Revenue: State Debt Recovery page.
2. After the victim clicks on a zip file, the TorrentLocker virus is extracted and a warning screen appears — the computer's files have been encrypted and it lists the steps necessary to rescue them.
3. Clicking on the "file recovery" option takes the victim to a payment page, stating you have to pay in bitcoins. There's even an FAQ option if you have more questions.
4. The page offers to decrypt one file to show it's possible – and it does so. The victim then picks a bitcoin supplier from a list, buys the ransom, sends it off – and hopefully has use of their computer back.
$245m Financial losses reported in first quarter of 2015
$US2.1 trillion estimated global cost of cyber crime in 2019
770,000 Number of records hacked from Aussie Travel Cover travel insurance company in January
$US1b Amount thought stolen from 100 banks in 30 countries in the Carbanak attack which started last year