As the amount of time we spend online continues to increase, so too does the possibility we’ll be exposed to scams, hacks and data leaks. But do we really understand the risks, or how we can avoid them?

You probably have a mental image of who falls victim to cyber-crime. And it’s probably wrong.

In New Zealand – and, indeed, in most places – it’s not clueless boomers who are most likely to suffer internet crime. According to NortonLifelock’s annual global cyber-security survey, it’s millennials, with Gen Z also coming on strong.

“They come out quite strong whenever we do research,” says Mark Gorrie, NortonLifelock’s senior director for Asia Pacific. “We typically see the younger audience is suffering – they share a lot of data, they even share passwords. These are activities that compromise data.

“One thing we note with the younger audience is this belief that it won’t happen to them, that these problems happen to someone else and that the data they have online is not of interest to hackers. That makes them vulnerable.”

The most recent NortonLifeLock survey highlighted a particular threat: the theft of personal information. In that survey, fully 95% of New Zealanders expressed some concern about their personal information on the internet – and around half feared that that information might be “exposed in a data breach and compromised by cyber-criminals.”

The Dark Web is in many ways similar to the internet most of us use every day: people there chat and network and buy and sell things. But because it’s not visible to search engines and is built to anonymise its users, the chatting and networking might be different and the goods bought, sold and paid for in cryptocurrency might include drugs or guns – or other people’s personal information.

That’s the backdrop to NortonLifelock’s launch of a new service to the New Zealand market – Dark Web Monitoring. This service, now part of the Norton 360 subscription package that goes with the retail software, scans the places where your personally identifiable information (PII) might be traded if it had been stolen – and alerts you if and when it finds your PII.

This is clearly something I’d want to know about. So I installed NortonLifelock, activated the 360 service and waited for an alert. Or, as it turned out, seven alerts.

My login details – both email and password in most cases – have been stolen in data breaches targeting professional social networking sites, productivity software and even online genealogy companies. In truth, these are historical breaches, I knew about several of them and have since changed the passwords for all. Yet if you’d asked me before the Dark Web Monitoring scan, I’d probably have said no, I haven’t been the victim of a PII breach.

But I have and you probably have too – especially if you are or were an Xtra email customer with Spark. In 2016, Yahoo, which was managing Xtra customers’ email service at the time, announced that login details for 500 million accounts it managed had been exposed in a huge 2014 hack attack. The breach affected at least 130,000 Xtra customers. Spark did its best to clean up the mess and dumped Yahoo as its service provider. The following year, Yahoo confessed that a billion accounts had been compromised in an earlier attack in 2013. Then it upgraded the number to three billion accounts.

For me, the most obvious consequence of these breaches is occasional emails from unidentified parties that slip through the spam filter and claim to admire my taste in porn and propose to share it with my friends and family. Look, they say, we have your password and everything. It’s not unknown for such threats to be genuine, but more often the scammers are brandishing your stolen credentials to try and scare you into paying them off.

“They’re a numbers game, says Gorrie. “They’ve got their hands on a compromised database that happens to have your email address and a password and they’re giving it a go. If there’s 10,000 people in the block of data and they’ve got a password that would be familiar to you and the likelihood that someone’s looked at porn and would be embarrassed about it, they can play on that. In most cases they have no idea beyond a credential that was traded on the dark web.”

Sometimes, however, the consequences of a breach can be more urgent and much more serious. NortonLifelock has taken the innovative step of sponsoring a podcast series, Criminal Domain, that illustrates just how serious they can be.

The first episode features Tayla Damir, winner of the 2018 edition of TV reality show Love Island Australia, who had her bank accounts and credit card cleaned out and was stranded, penniless in Lebanon and even had her mobile number ported to another network without her knowledge, to defeat two-factor authentication.

There’s a New Zealand story there too. Glenn Hart is the guy who does the cheery online roundups of Mike Hosking’s Newstalk ZB show and the station’s technology reviewer. He claims to be “a reasonably techie sort of a guy”, which seems a fairly rosy self-assessment given that the family computer he infected by trying to get a cheat code for his daughter’s game apparently had no local or online backup, or security software capable of detecting the malware he was inadvertently installing.

It turned out to be a ransomware attack – every file on the computer had its name changed and was locked up with encryption pending payment to the ransomers. Those files included his own media work and irreplaceable baby photos. Hart did show some moxie in bargaining down the price to $US200, but it took him “dozens if not hundreds of hours” to sort out, first in nerve-wracking dealings with the ransomers and then in painstakingly trying to get all the renamed files in some kind of order.

“It’s very confronting for those people impacted,” says Gorrie. “And the thing that often comes out for people who’ve been confronted by identity theft or other cybercrime is the time involved. The investment of time to make things right again can be massive.”

Although the attacks suffered by Damir and Hart were different in kind, it’s the nature of computer security that they’re all linked. Damir seems to have surrendered her details to a “virus-cleaning” scam that popped up when she was using unsecured wi-fi at a hotel (“I’m just the most gullible human in the world,” she cheerily admits at the beginning of the episode) and used the same password everywhere. Hart invited in malware and hadn’t backed up his family’s most precious files.

A significant challenge faced by online and digital security businesses is that the threats they protect against are rarely static or unchanging. With that in mind it was Lifelock’s specialisation in this form of cybersecurity that led Norton to acquire the Arizona-founded identity security business in 2017.

“When we came up with our cyber-safety strategy, identity was a key area,” says Gorrie. “And Lifelock had a long heritage working around identity theft protection. Obviously, our heritage on the Norton side was antivirus and protecting the device, but we had to move beyond that because people’s digital lives were becoming more complex and there were different threats evolving.”

NortonLifeLock systems engineer Dean Williams is reluctant to venture too far on exactly how the monitoring is done (“you don’t want to let these guys know how you’re getting the job done”) but says stolen PII will often be duplicated across multiple Dark Web forums.

Typically, the threat will split between opportunist hackers who seize personal information and put it up for sale and the financial criminals who pay for it.

“Quite often you’ll find that it’s not one person doing everything,” says Gorrie. “There are multiple players involved. Someone might have written a malicious tool, they’ll sell that tool on the Dark Web and others will buy it, then use it for data collection. They’ll generate a database with thousands of items that are of use, then sell it for others to use. It’s an economy.”

It’s also getting serious. This year’s update to the Privacy Act will place an additional duty on businesses to account for compromised information. From December 1, it will be mandatory (on pain of a $10,000 fine) to report any breach of customer data to the Privacy Commissioner.

It’s also likely that the year of Covid-19 is increasing risk. Employees discovering the pleasure and pain of working from home typically aren’t as well-secured as they are at the office. Working at the local cafe isn’t any better, says Gorrie. And don’t get him started on phones.

“We’ve had mobile security out there for years, but for a long time people were convinced that they didn’t need security on their mobile device. Yet for most people it has become a primary device now, they use it in the same way they would their PC.

“It’s not so much about the operating system being vulnerable, it’s through [things like] phishing scams; if you’re clicking the links, whether it’s on your mobile or your desktop PC, you’re still going to end up at the same location, giving up your PII.”

For Gorrie, one of the drivers of this increased risk is the ever-increasing convenience of always-on connectivity, particularly from unsecured third-party sources.

“What we started to see a few years ago is that we were protecting their devices, stopping the threats from hitting them. But people were being compromised because they were connecting onto open wifi networks where it’s quite easy to perform man-in-the-middle attacks and eavesdrop on people’s connections.

“We had to extend our protection beyond the device to the connection. Hence the VPN to protect the flow of information out of people’s devices. Even now, you can’t tell whether the apps on your phone are using SSL, the only way you can guarantee the app’s transmitting data in a secure way is to use a VPN.”

Most people don’t think about whether their mobile communications are encrypted, of course. And most people don’t think about what information they’re making available to whoever. Ironically, one feature of the Dark Web Monitoring service is that it’s more effective when you share more with it. It can scan for not only your email address but phone numbers, your mother’s maiden name, credit card and bank details and even physical address. But you have to tell it those things first. You have to type or paste them into a web page, which, even over a secure connection, feels a bit weird – like, it’s a thing not to do. So, does NortonLifelock itself need to earn the trust of its users?

“It’s critical,” Gorrie confirms. “If you want that data monitored, that’s private information that you don’t want leaked out. People do think twice about sharing it with any service, so obviously sharing it with us, there’s got to be a high level of trust.

“This is where for us coming into this space, trust is a big thing. We have customers who’ve been with us 20, 25 years and a lot of that’s to do with trust. So we take that very seriously.

“I must admit, when we were setting up I was asking a lot of questions about the level of effort that we go to to protect people’s information. And we do – we take that seriously. If we were compromised, it would be massively damaging, so we go to a lot of effort to protect the information.”

Bottom line: if you’re going to tell anyone, it might as well be the good guys – if only because you’re going to want to know if you’ve accidentally told the bad guys.

James Borrowdale learns the stories behind the images nominated for the New Zealand Geographic Photographer of the Year.

The room is crowded, cramped with the memories and resonances of a life. “A simple life lived, and a hard life lived,” photographer Nathan Secker said of his entry, a finalist in the Lumix Society category of the New Zealand Geographic Photographer of the Year competition. Last year’s Christmas cards hang from string looped on the walls, and sepia-toned family photos peek from among the houseplants and relentless bric-a-brac. In the middle of this kaleidoscope, if not at the literal centre of the composition, sits Secker’s 96-year-old aunt, Ida Ward, pink gloves warming her gout-ravaged hands. The door, slightly ajar, invites the mind’s eye out of the room, and into the rest of the life of which this photo is such a vibrant expression. 

“You can live your whole life, and that’s your whole life just sitting in that house, in a couple of rooms,” Secker said of the sense he hoped to capture in the photo. But, he said, Ward was happy with her humble lot, and never complained. Her life hadn’t been an easy one: she was born on the West Coast into a poor eight-child family, made poorer when her father died young. With no benefit, the family lived off local whitebait, a house cow, and a vegetable garden, eventually moving across the Southern Alps to seek new pastures. The Kaiapoi home of the picture was the same in which Ward had lived since she married, well over half a century before. Even the mattress she slept on, Secker said, was the same one with which she and her husband – he died 30 or so years ago – had first furnished their home. 

When Secker found himself in her home for the first time “in donkey’s years” he knew he needed to photograph it. “It was just a whole bombardment of the senses for me. I just went in and I’d never seen anything quite like it. It was like a museum piece.” And he documented it just in time. Not long after this photo was taken, Ward – having suffered a couple of falls – went to live in a rest home. She died not long after that; when I spoke to Secker, it had only been a couple of weeks since her funeral. 

It’s a sombre thing to dwell on – but perhaps not unnatural in this strange, sombre year. Throughout this year’s finalists the preoccupations and anxieties of the age are writ large – Black Lives Matter, the Christchurch mosque massacre, climate change – but it is Covid-19 that looms the largest, both in those photo essays that tackle the subject head on (one by Becki Moss, one by Andrew Stewart) but also in those photos that, in simpler times, would be about nothing other than what they show. 

Edin Whitehead’s entry, for example, a masterpiece of composition, shows a procession of Buller’s shearwaters/rako in flight, the Milky Way far above them. Looking at the photo now – she has an A0 print of it above her bed – brings with it a mixture of emotions. Whitehead is a doctoral researcher at the University of Auckland, her PhD investigating the effects of climate change on the lives of nocturnal seabirds. The photo was taken on what was meant to be a recce for a later research expedition on the Poor Knights Islands. It became, however, the last time she was able to get away in support of her research before lockdown hit, taking the season with it. “We had lots of fat chicks in burrows and we were going to stick GPS on their parents, and that all sort of went down the tubes with lockdown.” 

But she returned from that trip, at least, with this photo: a finalist in the Electric Kiwi Wildlife category. In it, the birds, lit from below by a manual flash, seem to merge with the burning stars, like sentinels from this world flying into the beyond. It was about 11pm at night. Earlier, she’d been surveying the birds flying in at dusk to feed their chicks. There was no moon; it was the perfect opportunity to stay up, watch the birds, and try to execute a photo she had long visualised and often attempted. “Lots of attempts, and lots of failures. And thankfully one success.”

The fleeting nature of opportunity is something Gavin Lang, a finalist in the Resene Landscape category, understands intimately. The plan had been to summit as many as six mountains along the Main Divide that day; he and his climbing partner had been up since 1am. They managed three, before strong winds forced them off the mountain. Lang’s photo captures his partner below, head bowed to the Silberhorn arête as if in prayer, enclosed in his torch’s private bubble of light. Aoraki/Mount Cook is to the right, the flanks of the Tasman to the left, the Hockstetter icefall, cracking as its weight carries it over a lip towards the darkness of the Tasman Valley below, is beyond. 

For Lang, the photo represents the connection between the climber and the mountain. “That’s your whole world, really. It’s step by step, it’s move by move. It’s in that world that you really get connected to the mountain. You’re focused, listening. Certainly always listening for any random sounds that might indicate either ice is falling from above, or something is falling below me.” The immediacy of the danger pushes the mind into a meditative state. “Death is ever-present, and you are forced to focus.” 

That state draws Lang to the mountains. The Wanaka-based mountaineer is working on a book and film project during which he will summit all 24 3,000-metre-plus peaks in New Zealand. He has five to go in an undertaking he hopes will illuminate the benefits of the mountains on mental health. “There’s a certain energy in the mountains that I really enjoy and that seems to bring balance into my life. Despite it being a dangerous place and mountaineering often being seen as a self-centred pursuit, I really see its benefits.”

A similar instinct attracts Mitchell Clark to the outdoors. Clark is drawn to the unpeopled nature of those big South Island vistas: in their emptiness, they almost feel like his alone. “I have just started to admire the mountains quite a lot and I would say almost every photo that I take, regardless of what subject it is, there’s probably a mountain in it somewhere,” he says. 

He works for Air Safaris, out of Lake Tekapo, and was on a flight over the Fox Glacier in January, when he noticed the curvature of the ice gracefully articulated by the pinkish remnants of ash and dust blown across the Tasman from the Australian bushfires. It appealed to his aesthetic sensibilities – clean, simple, but also momentarily puzzling. With no horizon line, it takes a second for the mind to settle on what exactly it is looking at. “It’s always kind of cool if there’s a question that’s linked to it – like, what is it? Because a lot of stuff that people see, it’s just like, cool, it’s a car, it’s a mountain, whatever, but if it’s something a bit different and something that you’ve never really seen before… If I took it before the ash all came across, people would just say, ‘It’s a bit of ice.’ [This photo] is just a bit different.”

There is also a less celebratory aspect to his photographic work. “Things are actually changing the landscape here, not just on the TV screen.” On a grander scale, that is something Clark – as a photographer, as a human – is intimately aware of. “I quite often get a lot of elderly people come in and say like, ‘Such and such was here and it didn’t look like this years ago.’” The example he gave was the Tasman Lake. Twenty-five years ago it didn’t exist, but melt from the glacier of the same name first created it and has ever since steadily been raising its level. “It is sobering,” he said. “Especially if you are relooking at everything every two years, and you actually physically see it with your own eyes.”

2020 WINNERS

Nikon Photographer of the Year – Alden Williams

Young Photographer of the Year – Becki Moss

Ockham Residential People’s Choice – Edin Whitehead

Resene Colour Award – William Patino

Electric Kiwi Wildlife – Douglas Thorne

Resene Landscape – Alden Williams

Lumix Society – Braden Fastier

Progear – PhotoStory Scott Sinton

Aerial – Emma Willetts