The risks are everywhere. In your PC. Your smartphone. Your email. Here’s how the bad guys are trying to get to you – and how you can protect yourself from getting hacked.
STOLEN IN THE OPEN
When free Wi-Fi isn’t the deal you think it is.
Security company Kaspersky surveyed over 11,000 people from all over the world and discovered that 82% readily connect to unprotected public Wi-Fi networks at airports, hotels and cafes.
What’s more alarming, however, is that a further survey by Symantec of people who connect to public Wi-Fi found that a whopping 60% actually believe that their information is safe when using public Wi-Fi.
Public Wi-Fi is normally unencrypted; in other words, it’s visible to anyone in range. Using specialized software, hackers can snoop on traffic in the network, monitor other users’ activities, and even steal account information.
And if you don’t have secure file-sharing settings, you may also be inadvertently sharing your files with other users on the network. Or worse, hackers could also access folders in your device and plant infected software and files without your knowledge.
Finally, there’s the risk of malicious hotspots. Sophisticated hackers can create innocuous-looking free Wi-Fi networks to trick users into connecting. And when they do, these hackers will then perform man-in-the-middle type attacks to intercept and steal your data.
How to defend yourself:
1. Use a VPN
One of the most basic ways of protecting yourself when using an unprotected Wi-Fi network is to use a VPN (virtual private network). A VPN acts as a middleman between you and the rest of the Internet and encrypts all of your data. A hacker would be able to see that you are connected to a VPN, but not your activities on it.
2. Don’t log in on public Wi-Fi
Don’t use any online service that requires your login information; this includes your online banking account and social media accounts. In addition, do not access or share sensitive data when connected through public Wi-Fi. Save these activities for the times when you are sure that your connection is secure.
CAUGHT ON CAMERA
When your cameras are spying on you.
One morning, a mother in Houston, Texas, woke up to an alarming text from a friend. Was this a picture of her daughter’s room? The friend wanted to know. The picture had surfaced on Facebook, but the disturbing part was that it was actually a still from a live feed of her daughter’s room. The feed came from a free app called Live Camera Viewer, and the picture only reached the mother because another woman had accidentally stumbled upon it.
The Houston mother had installed an IP camera in her daughter’s room to keep a watchful eye on her, and the terrifying irony was that the same camera ended up serving as eyes for an unknown number of intruders into their private lives. Somewhere, someone was watching her daughter play, sleep, and get dressed.
The breach was stunningly simple. All it took was for her daughter to unwittingly enter an unprotected Minecraft server, where she became an easy target for malicious actors.
IP cameras are especially vulnerable because they use generic IP addresses and public websites, where there is only a username and password guarding control of and access to the camera. More disturbingly, Symantec’s Security Response team recently found that the most common passwords malware used to attempt to log into IoT devices – which includes IP cameras – were a combination of “root” and “admin.” These are the default passwords, and they are frequently never changed, leaving the cameras wide open to attack and the inside of users’ homes vulnerable to outside spying.
Unfortunately, you could change your password and still be vulnerable. Back in 2012, a bug in Trendnet’s firmware allowed practically anyone to access feeds from the company’s cameras. The firmware contained code that could be appended to the camera’s IP address, creating a URL to the feed that bypassed password authentication entirely.
How to defend yourself:
1. Change your default username and password
The first thing to do with a new IP camera (or even an old one) is to change your default username and password immediately.
2. Keep your camera’s firmware updated with the latest security patches
How easy it is to update your camera’s firmware depends on its manufacturer. You might need to visit its official website and check for security updates to manually download and install.
3. Don’t connect the camera to an unsecured wireless network
It won’t do any good to secure your IP camera if your Wi-Fi network is not secure. Change your router’s default username and password as well.
4. Just don’t put the camera in an area where you don’t want to be seen
Finally, you can do everything to secure your IP camera and still fall prey to zero-day vulnerabilities. The best way to stay safe is still not to point it where you don’t want to be seen.
SERVERS ARE SERVED
When it’s not your fault, but you still got hacked.
On September 22, Yahoo confirmed that a data breach orchestrated by a “state-sponsored actor” in late 2014 has resulted in at least 500 million user accounts being compromised. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and even encrypted or unencrypted security questions and answers; but not credit card data.
While this is definitely a cybercatastrophe for Yahoo, it has to be said that this is just one in a constant drumbeat of hacks in recent memory. In May, LinkedIn discovered more than 117 million account details originating from a 2012 breach had surfaced on the dark web; and shortly after, Time confirmed a MySpace hack had compromised 360 million accounts. In fact, as of this writing, a data dump of 68 million Dropbox accounts from a 2012 breach has just been made available for download - for free.
We hate to say this, but such security breaches will continue to happen. As we conduct more and more activities online, we’re also storing more and more personal records online. Put simply, the mountains of data on servers are to hackers what money in banks is to bank robbers.
If there’s any consolation, it’s that companies, big and small, in general are moving towards adopting better security practices. No semi-decent web services today will store passwords as unsalted SHA-1 hashes, as these are so, so easily cracked. Better companies will use at least a salted hash and well-designed hashing functions like bcrypt, and many companies will encrypt user data when it’s in transit and at rest. We like to check a company’s security policy before we sign up for its service - we recommend that you do it too.
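To show what salting and a slow hash change compared with unsalted SHA-1, here is an added example that is not part of the original article. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt; the sample accounts, passwords, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor: an assumed value for this example; raise it as hardware allows.
ITERATIONS = 600_000

# Constructed sample accounts: alice and carol happen to pick the same password.
SAMPLE_USERS = {"alice": "Summer2016!", "bob": "correct horse", "carol": "Summer2016!"}


def unsalted_sha1(password):
    """Weak scheme: one fast hash, so equal passwords give equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Salted, deliberately slow hash. Returns the (salt, digest) pair to store."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def users_sharing_a_record(stored):
    """Group users whose stored records are identical, as a leaked table would show."""
    groups = {}
    for user, record in stored.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def compare_schemes(users=SAMPLE_USERS):
    """Return the duplicate groups visible under each storage scheme."""
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return users_sharing_a_record(weak), users_sharing_a_record(strong)


if __name__ == "__main__":
    weak_dupes, strong_dupes = compare_schemes()
    print("unsalted SHA-1 reveals shared passwords:", weak_dupes)
    print("salted PBKDF2 reveals shared passwords:", strong_dupes)
```

With unsalted SHA-1, anyone holding the leaked table can see which accounts share a password and can test guesses against every account at once; with a per-account salt, each record has to be attacked separately and each guess costs the full work factor.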
How to defend yourself:
1. Never reuse the same password
Using a strong password is the first must-do. The second is not to use it for other accounts. A repeatedly used strong password will immediately become a weak password for all your other accounts the moment one of them is compromised.
2. Fake answers to security questions
Don’t use simple answers to account security questions. Since they may be known even to acquaintances, I actually suggest that you fake them. Because tell me, who would have guessed that your mother’s maiden name is “Pirates of the Caribbean”?
YOUR BASE ARE BELONG TO THEM
When your PC joins the enemy.
Despite the advent of smartphones and tablets, personal computers are still the mainstay computing equipment, making them a common target for security breaches. In June this year, TeamViewer revealed that user accounts of its flagship remote access product were breached in a hacking incident.
Stolen credentials were used to illegally access its TeamViewer installation base. The credentials were allegedly pilfered from “data caches” that belong “to other companies.” Some affected users took to Internet forums and social media to share their unfortunate experiences, which range from their PCs being controlled by hackers to financial losses.
Maliciously crafted emails can also be used to hack PCs. Recently, MarsJoke, a ransomware used on a large-scale email campaign, targeted state and local government agencies in the United States. The MarsJoke email contains a URL that links to an executable file. When an unsuspecting victim downloads and executes it, MarsJoke will be installed on his PC. The malware will encrypt targeted files for a ransom, else they will be deleted in 96 hours.
In a recent picture of Facebook CEO Mark Zuckerberg celebrating 500 million monthly active Instagram users, keen-eyed observers picked out a sticker pasted over his laptop’s webcam. This brings to mind the 2014 incident where Ms. Teen USA Cassidy Wolf’s laptop was compromised and its webcam was used to spy on her remotely by a hacker. He made use of DarkComet, a similar tool to TeamViewer; it was believed Wolf was tricked into installing DarkComet. Fortunately, the FBI intervened and the hacker was apprehended.
How to defend yourself:
1. Don’t click on any embedded URLs, even if it’s from a trusted source.
If an email looks suspicious, it probably is. Check with the original sender to confirm that they sent it.
2. Upgrade your PC’s OS ASAP
Set automatic updates to your OS so that your PC is operating on the latest version. Ditto for software titles, especially productivity suites for home and office, like Microsoft Office.
3. Use third party security software suites
Choose those that have anti-virus, anti-spyware, and firewall functions rolled into one package. Keep their software signatures updated regularly too.
When your most personal device gets invaded.
In September this year it was discovered that as many as 500,000 people had downloaded the CallJam malware trojan from the Google Play Store. Shockingly, the malware, which poses as a simple guide to earning Gem Chests in the Clash Royale game, has been available on Google’s official Play Store since May and maintained a high reputation throughout, with a four-star review rating average, and thousands of five-star reviews. The malware was able to do this by asking its users to rate it 5 stars with the promise of unlocking additional content.
Once installed, the malware was used to redirect victims to malicious websites that display fraudulent advertisements. More worryingly, any users who approved the app’s permissions requests were subject to CallJam making expensive premium phone number calls, often at odd hours so that the user would not notice them, all at the expense of the user.
CallJam is just the latest in a long line of malware targeting mobile devices. Trend Micro’s 2016 report found 3,000 active Trojan malware apps on well-known Android mobile markets, including more than 400 detected on Google’s own official Play Store. By far the worst offenders are fake apps posing as official apps from big brands across the banking, retail, media and entertainment, and travel categories.
Security research firm RiskIQ, which accessed 80 different app stores for its 2016 report, including both the Google Play Store and Apple App Store, found that over 100,000 apps, or 43 percent of all brand-associated apps, were fake and unassociated with that brand. Many of these apps asked for credit card or other personal information.
And from the looks of it, it’s only going to get worse. As digital and mobile wallets like Apple Pay, Android Pay and Samsung Pay take off, we’re likely to see a parallel growth in attacks targeting mobile platforms. When your phone has access to all of your credit card and banking information, cybercriminals no longer need to serve you adverts to make money, they can attack your bank account directly.
How to defend yourself:
1. Always read the user reviews
Read what other users are saying to see if there are any red flags that could hint at malware.
2. Check what the app is requesting permission for
If a game is requesting permission to your phone calls, contact information or messages, it could be malware.
3. Don’t install apps from a third party app store
Only install apps from the official app stores. While these stores aren’t risk-free, they have stricter checks on what is approved.
YOU’VE BEEN PLAYED
When the hack gets personal.
It was a busy day at work when Vincent Chang received an e-mail from his ex-boss. He wanted Chang’s help on testing a new website by clicking on an attached URL. Chang did so, only to find the URL leading to a dead web page.
This opened Chang up to more suspicious e-mails over the week. To Chang’s horror, his former superior said that he hadn’t sent anything. The e-mails were from a practiced Trend Micro researcher named Ryan Flores.
Vincent Chang isn’t just your average Joe suffering from a social engineering attack – he’s our ex-Senior Tech Writer, and now a correspondent for the technology columns in the Straits Times, Singapore’s broadsheet. To make matters worse, the researcher had left tell-tale signs in the e-mail. Chang also had pre-warning, since he had requested the test of his cyber defenses.
Social engineering uses privileged information and psychological manipulation to gather leverage or unauthorized access. Within the cybersecurity realm, it uses a host of tricks to fool its victims, but the threat is personalized by pretending to be a legitimate contact or website. What makes social engineering dangerous is its ability to use offline emotions and trust to break into the online realm. The hacker toys with the human mind to get it to give away hard-earned digital cash.
According to the FBI, social engineering attacks cost US$2.3 billion worldwide, from October 2013 to August 2015. Closer to home, bank and parcel phone scams cost victims more than S$1 million within Singapore, while Malaysian authorities arrested and released 20 such fraudsters, citing lack of evidence despite Taiwanese scammers being responsible for losses totaling S$1.54 million.
How to defend yourself:
1. Avoid giving out your personal info on scammy sites
If a scammy site promises to give you the secrets to getting rich quick while asking for your personal details, it’s probably a scam.
2. Look closely at the URL
Malicious sites can look almost identical to the real thing, with similar URLs like www.the-facebook-real-news.com. Don’t be fooled; bookmark the real thing to stay safe.
3. Don’t be intimidated by threats
Calls or e-mails pretending to be the police, the delivery guy, or even your mother are one of many scams. Stay calm, and verify the call through another mode of communication.
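One way to turn "look closely at the URL" into a check, as an added example that is not part of the original article: compare the host a link really points to against the domains you have bookmarked. The `classify` function, the `TRUSTED_DOMAINS` list and all sample links except the article's own lookalike address are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader has bookmarked.
TRUSTED_DOMAINS = {"facebook.com"}

# Constructed sample links; the second uses the lookalike name quoted in the article.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "https://www.the-facebook-real-news.com/",
    "https://facebook.com.account-check.example/login",
    "https://facebook.com@login.example/",
    "https://notfacebook.com/",
]


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return "ok" or a reason for rejecting the link, based only on its host."""
    parts = urlsplit(url)
    # .hostname is what the browser connects to: no "user@" prefix, no port.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "reject: no hostname"
    # Trusted means the exact domain or a true subdomain (note the leading dot).
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "ok"
    if parts.username:
        return "reject: text before '@' is not the host"
    for d in sorted(trusted):
        brand = d.split(".")[0]
        if host.startswith(d + ".") or ("." + d + ".") in host:
            return "reject: trusted domain used as a prefix"
        if brand in host:
            return "reject: brand name inside another domain"
    return "reject: unknown domain"


def check_links(links=SAMPLE_LINKS):
    """Classify every sample link and return {url: verdict}."""
    return {url: classify(url) for url in links}


if __name__ == "__main__":
    for url, verdict in check_links().items():
        print(f"{verdict:45} {url}")
```

The comparison is made on the end of the hostname, including the dot, because the part of the name that decides who owns the site is on the right, not the left.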
ADVICE FROM THE MASTERS
Expert opinion on how to protect your digital life.
What’s one thing about online security that you wish most people knew?
Looking around, many Singaporeans are tech-savvy and fairly confident about their online security behaviour. Yet, many users are falling into the common password trap – whether it is sharing of passwords or not using a secure password.
According to the latest Norton Cybersecurity Insights Report, one in five Singaporeans share passwords to their email, social media and even banking accounts. These accounts hold valuable personal data and could easily lead to bigger problems if they fall into the wrong hands. Furthermore, many users are guilty of re-using similar passwords for multiple accounts – cyber attackers are well aware of this and will take advantage of it.
As such, users need to pay particular attention to the passwords they use and make them as complex and unique as possible. Passwords for each device and online accounts should be different and unrelated as far as possible. While it may seem difficult trying to remember complicated passwords, this can save users a lot of time and frustration. According to the report, online crime victims in Singapore lose an average of 20 hours due to the impact of online crime and an average of S$545 per person.
– Chee Choon Hong,
Director, Asia Consumer Business, Norton By Symantec
What are the first things you personally do to secure a new PC, tablet or smartphone?
The moment you unbox your phone, ensure that your operating system (OS) is up to date. Additionally, ensure that any pre-installed applications and applications that you download are also of the latest version. Updates help to patch vulnerabilities that expose your device to cybersecurity risks such as ransomware and malware.
Also ensure that robust antivirus software is installed on your device. Antivirus software can help scan for, detect, quarantine and delete cyberthreats before they have a chance to infect your system. Also, make sure your security software is set to automatically update so you always have the latest protection.
– David Freer,
Vice President, Consumer, APAC, Intel Security
What should you do if you think your device has been compromised?
If you think your device has been compromised, you should act swiftly to rectify the issue:
- You must ensure that you have genuine, current and updated software in place to support your fundamental computer hygiene. Ensure that your security software is updated to help you monitor, detect and remove malware threats in a timely manner. Post-full update, restart your device and run a full scan.
- Check if you have any vulnerable/unwanted software on your PC. Your security software should alert you to vulnerable software on your PC, which you should update immediately. Software that is not updated leaves your PC open to infections, which will keep recurring no matter how many times your security software cleans up.
- Download the Microsoft Safety Scanner or Windows Defender Offline on a non-infected PC and save the file into a USB flash drive. Run either program on the PC that has been compromised.
- Install and run Microsoft’s free Malicious Software Removal Tool (MSRT) that checks your computer for infections by specific and prevalent malicious software, and helps to remove the infection. Microsoft releases an updated version of this tool on the 2nd Tuesday of each month.
- If none of the above steps work, you should restore your PC from a backup version.
– Keshav Dhakad,
Regional Director, Digital Crimes Unit, Microsoft Asia
What’s the biggest threat on the horizon that worries you?
The generally appalling state of security of many Internet of Things (IoT) devices has been of concern for some time now, but it has largely been seen as a theoretical, rather than an actual, threat.
However, in the final few days of September, computer security journalist Brian Krebs had his website knocked offline by one of the largest DDoS attacks seen to date. The volume of traffic involved in the attack was so great that the commercial DDoS mitigation service that was protecting Krebs’ site, free of charge, had to pull the plug on that arrangement.
A large proportion of the traffic attacking Krebs’ site was generated by IoT devices. Due to stupid and irresponsible design of these mostly consumer-grade routers, DVRs, IP cameras and such, the criminals behind this DDoS attack have been able to commandeer many tens of thousands of these devices into botnets able to challenge the capabilities of the largest anti-DDoS service providers.
That is a chilling consideration given the immense amount of good an open and free internet promises to provide for political activists, investigative journalists, and anyone else who may become the target of a competitor or opponent. The internet just got a little darker and dirtier.
– Nick FitzGerald,
Senior Research Fellow, ESET