Some time back I had a meaningful discussion with a few people on the importance of cybersecurity. We all shared the consensus that everyone needs to embrace the importance of cybersecurity, so that security is no longer seen as a burden on everyday tasks. The question, though, is how do we achieve it?
This is a question that has been asked for a long time. Many companies approach it by educating their staff through mandatory courses or programmes. However, this does not guarantee that what is taught will be learnt and remembered, and it does not change how others view security. In fact, we still often read about companies falling victim to cyber attacks because high-ranking employees fell into social engineering traps, e.g. phishing emails. Therefore, this method on its own is not effective.
Perhaps the best way to learn it is the hard way. As humans, we find it difficult to learn from the mistakes of others, but we often remember the painful experiences we encounter ourselves. Yet a company can’t possibly hire a white hat attacker to attack everyone, can it?
Indeed, this is an extremely difficult problem to tackle, and I believe the high-ranking personnel in every company are looking for a feasible and effective solution. So does anyone have any ideas?
The idea of a smart nation is exciting. For example, drivers will have access to real-time traffic conditions so they know which roads to avoid (the same goes for parking spaces); an elderly person who lives alone can have the sensors in their home linked to a caregiver’s mobile device, so that the caregiver is notified if they need assistance. For these scenarios to become a reality, information must be easily available to those who require it. However, this information must not be made available to malicious attackers. The consequences will be disastrous if attackers get their hands on it.
To understand the scale of the severity, we should first understand what the information contains. It includes, but is not limited to, the footage from every CCTV camera; the positions of every locally registered car; and our past records, such as medical and educational records. With this information, it is possible to reconstruct anyone’s personal profile, including their history, daily routine and even habits and hobbies. On a smaller scale, the availability of this information makes it extremely easy for a malicious attacker to target whoever they want with social engineering. On a larger scale, it provides terrorists with information on where an attack would have the largest impact, and the largest probability of success.
Therefore, the security of this information is of paramount importance! Minister of Foreign Affairs Dr Vivian Balakrishnan, also the Minister in charge of SmartNation Singapore, has acknowledged this as well. Easier said than done! Many organizations have fallen to malicious attackers in the past, and there is nothing to suggest that Singapore will be invulnerable. On the contrary, the integrated nature of the Smart Nation makes us even more vulnerable, as there are more channels of attack than before. What then will Singapore do to ensure that the information is kept secure? In the past, security and efficiency have always had to meet at a compromise. However, in my opinion, a project of this scale should place security as its undisputed number one priority. We can do without some features, but we cannot accept our information falling into the wrong hands.
It’s been a while since the last update, as I was very tied up this week. In this post I’d like to share about ransomware and the importance of having a proper backup. Ransomware, as the name suggests, is criminal activity that holds something dear to you hostage for a ransom. In this case, what they are holding hostage is your access to your data.
You can read about how it works here. In short, an attacker gains access to your data, encrypts it and demands a fee for the decryption key. Usually, this fee increases after a certain number of days, and the attacker may threaten to destroy the key after another stated deadline. This is where the victim has to weigh the cost of the damage. If they have an unaffected backup, preferably stored on a separate stand-alone machine, they can restore from it and lose only the data created since the last backup, so the loss depends on how frequently backups are taken. In the worst-case scenario, none of the data is recoverable and the victim faces the tough choice of either paying the ransom or losing all their data, whichever has the lower cost. While attackers usually target organizations in the hope of larger returns (the value of an organization’s lost data is much higher than that of personal data), do not be naive and assume that your personal PC will never be compromised. Do your backups frequently and store them on a separate network.
WhatsApp is now end-to-end encrypted. I spoke about the benefits of end-to-end encryption in a previous post. Now all personal messages, group messages, calls, videos and photos sent are end-to-end encrypted. That means even WhatsApp can’t comply with the FBI’s wishes if they request to view your messages. HEHE.
You can read the technical description here.
I think this reflects the best attitude for learning and growth. I firmly believe that the best way to learn is to try first. Even if you fail, you develop an understanding of the problem, and when the solution is given to you, you are able to understand why it works (or why your solution doesn’t). Although I’m not a saint, and I’ll admit that I am guilty of being lazy at times, I don’t think I have ever demanded solutions without showing evidence of trying. Such virtues should be taught and emphasized in schools. I think schools are very guilty of feeding students solutions before they have first tried. When I was tutoring, I had students who just looked to me for answers. I really hated it. I don’t mind wrong answers, but I hate an “I don’t know” replied within 5 seconds.
A good read from Bruce Schneier in the Washington Times here.
A summary of all the excellent points he mentioned:
- What the FBI is doing is not the norm of vulnerability research. They are deliberately degrading the security of the iPhone by keeping the vulnerability secret. As I mentioned in a previous post, keeping a vulnerability secret doesn’t mean only you can exploit it. More importantly, it means the vulnerability still exists and anyone can exploit it once they have discovered it.
- A vulnerability affects every device, not just one. So there’s no such thing as “Let’s compromise this single device only.”
- The notion of Security vs. Surveillance. In my opinion, it is really difficult to side with either one. Surveillance requires tapping into weaknesses to listen in on traffic. Security is ensuring that no one is able to eavesdrop. At first glance, it may seem that they are mutually exclusive. I don’t think that’s the case. If you are able to conduct surveillance on your adversary simply because he is not doing things right, then it doesn’t compromise security in general. However, if he is doing everything right and you are able to conduct surveillance due to some weakness that you, and only you, have cracked, then it compromises security, because everyone else will be using the same method without realising that there exists a way to break it.
Last week I was on Facebook when I received a notification that one of my Facebook friends had tagged me in a photo. I wasn’t really close to that friend, so it was strange. It turned out the photo was promoting Ray-Ban sunglasses and I had been tagged along with over 50 other people.
I’m sure every Facebook user has encountered a similar incident at some point. It happens because the victim clicked on something that he shouldn’t have been clicking. These are usually clickbait posts with captions such as “OMG! You will never believe such atrocities exist!” which then require you to share or like a certain page. Sometimes, these actions even grant full access to your Facebook account to the third party, allowing them to post on your behalf or obtain information that they otherwise shouldn’t have. Hence, if you, or any of your friends, should fall victim to this, here are a few steps to take.
- Change your password immediately! You never know whether they obtained the password to your Facebook account. While you are at it, if you are using the same password for your emails, change those as well.
- Remove all rights given to the application or webpage through Facebook’s privacy and security settings. While you cannot take back whatever information they have already obtained from you, you can deny them future access to your account.
- Report them to Facebook immediately. Facebook is against spam and scams and clamps down on them as much as possible. Help Facebook build a safer environment for everyone to use.
- Be vigilant! Prevention is better than cure. Do NOT be tempted to click untrusted links to satisfy your curiosity.