As long as we have the Internet, cyber security will never cease to be an issue. In fact, with modern economies going paperless and cashless, there has never been a more important time to keep our digital selves secure, lest an untimely attack cause life to grind to a halt. As individuals, we’re largely powerless to stop cyber-attacks on organisations and critical infrastructure, like the SingHealth episode in 2018. We can, however, keep ourselves safe.
To learn more, we spoke to Samuel Eng, a senior security engineer at ByteDance who doubles as a white-hat hacker in his free time. Going by his bug bounty record and ranking on HackerOne, a global online community of hackers, Eng is among Singapore’s top white hat hackers. He highlighted some key points that may seem like common sense, but are anything but.
You’re Not Special
When hackers attempt to gain unauthorised access to personal accounts online, they usually play the law of large numbers, not unlike what men do on Tinder: with enough attempts, an account somewhere is bound to be compromised sooner or later. One common method is to build a dictionary of the most common passwords and try each of them against a long list of accounts. Strictly speaking this is a dictionary attack, or password spraying when a handful of guesses is spread thinly across many accounts to avoid triggering lockouts, but it is commonly lumped under the name brute force attack, since it relies on sheer doggedness rather than any insight into the victim.
As you can infer, such a method does not single out specific accounts. Your account is just one entry in a very long list: you’re not that special, and everyone is at risk. By extension, the attacker never looks at how well-defended any individual account is before trying it. Unlike a physical burglary, being more secure than the people around you does not make your “house” less likely to be tried; it only decides whether the attempt succeeds. The takeaway is that your accounts’ security should meet an absolute standard, not merely be better than your “neighbours’”.
Eng identified several common attack vectors, that is, ways that hackers can attempt to gain access to your accounts. We’ve already discussed the first: common passwords that are easily “guessed” by a program working through a dictionary of typical passwords. Related to this is a second vector, known as credential stuffing: if you reuse passwords across platforms, then your most secure password is only as secure as the least secure site it’s used on.
While major platforms like Facebook and Twitter have sophisticated IT security measures in place and are in Eng’s words “very secure”, that independent shopping website you just bought a shirt from may not be. If a flaw there is exploited and hackers obtain your password from that website (whether it was stored in plain text or as a weak hash they then crack), nothing short of two-factor authentication stops them from replaying it against every other site you’ve signed up to, including the most secure ones. Using identical passwords across platforms is thus a bad idea.
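To make the two attack vectors above concrete, here is an added simulation (not code from the article or from Eng) of password spraying and credential stuffing against a handful of constructed users and two hypothetical sites: a bank that stores salted, slow hashes and a shopping site that stores plaintext and gets breached. The users, passwords and site names are all invented for illustration.

```python
"""Why 'you're not special' and why password reuse hurts: a scaled-down simulation.

Added example, not from the article. Users, sites and passwords are constructed.
"""
import hashlib
import os

# Constructed "common passwords" dictionary; real spraying lists run to millions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "abc123",
                    "singapore1", "letmein", "welcome1"]

# Constructed users: site -> password they chose on that site.
USERS = {
    "alice": {"bank": "123456", "shop": "123456"},                 # common and reused
    "bob":   {"bank": "Tq7!v#Lm2pXz", "shop": "Tq7!v#Lm2pXz"},     # strong but reused
    "carol": {"bank": "gY4$wq9&Nb!e", "shop": "zR2*pf6%Hk^u"},     # strong and unique
    "dave":  {"bank": "welcome1", "shop": "dave-shop-2020"},       # weak at the bank only
}


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2, standing in for bcrypt/argon2 on a well-run site."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def build_site(name: str, hashed: bool) -> dict:
    """Return {user: stored_credential}. The careless site keeps plaintext."""
    store = {}
    for user, passwords in USERS.items():
        if hashed:
            salt = os.urandom(16)
            store[user] = (salt, slow_hash(passwords[name], salt))
        else:
            store[user] = passwords[name]
    return store


def check_login(site: dict, hashed: bool, user: str, password: str) -> bool:
    """Simulate the site's login check for one guess."""
    if hashed:
        salt, digest = site[user]
        return slow_hash(password, salt) == digest
    return site[user] == password


def password_spray(site: dict, hashed: bool) -> dict:
    """Try every common password against every account; no targeting whatsoever."""
    hits = {}
    for user in site:
        for guess in COMMON_PASSWORDS:
            if check_login(site, hashed, user, guess):
                hits[user] = guess
                break
    return hits


def credential_stuffing(leaked: dict, target: dict, hashed: bool) -> dict:
    """Replay credentials leaked from one site against a second site."""
    return {u: pw for u, pw in leaked.items() if check_login(target, hashed, u, pw)}


def run_simulation() -> dict:
    bank = build_site("bank", hashed=True)
    shop = build_site("shop", hashed=False)    # the independent shopping website
    sprayed = password_spray(bank, hashed=True)
    leaked = dict(shop)                         # the shop is breached, plaintext walks out
    stuffed = credential_stuffing(leaked, bank, hashed=True)
    compromised = set(sprayed) | set(stuffed)
    return {"sprayed": sprayed, "stuffed": stuffed,
            "safe": sorted(set(USERS) - compromised)}


if __name__ == "__main__":
    print(run_simulation())
```

The bank's strong hashing does nothing for alice and dave, whose passwords are in the spraying dictionary, and nothing for bob, whose excellent password arrives pre-cracked from the shop's breach. Only carol, with a unique password on each site, survives both attacks; that is the absolute standard the section describes.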
The Human Factor
Brute force attacks and technical exploits aside, hackers can also use social engineering to get your passwords. They may call pretending to be technical staff doing routine checks or emergency maintenance, and ask for passwords or two-factor authentication codes over the phone. Don’t scoff at it: social engineering frequently succeeds, especially when the victim is not alert enough to suspect anything or lacks the technical knowledge to understand what’s going on. No legitimate support desk needs your password or a one-time code to do its job.
There’s also plain old carelessness. If you’ve ever used the free Wi-Fi at Starbucks and browsed websites over plain http rather than https (the ‘s’ stands for secure), you’re guilty of it. Using off-the-shelf tools that can be downloaded for free, anyone on the same public Wi-Fi network can read and tamper with your unencrypted web traffic: the pages you visit, the forms you submit, and the session cookies that keep you logged in, which are all an attacker needs to act as you. It’s a vulnerability hiding in plain sight, akin to leaving your front door wide open.
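The following added example (not from the article) shows what a passive eavesdropper on shared Wi-Fi actually recovers from the two kinds of traffic. Both the plain-HTTP login request and the TLS ClientHello are constructed inline with made-up hostnames and values; the parsing is the part a sniffer such as Wireshark would otherwise do for you.

```python
"""What a passive eavesdropper on shared Wi-Fi can read: http versus https.

Added example, not from the article. The HTTP request and the TLS ClientHello
below are constructed; hostnames, cookies and credentials are invented.
"""
import struct
from urllib.parse import parse_qs

# Constructed plain-HTTP login request, byte for byte as it crosses the air.
_BODY = b"user=alice&password=hunter2%21&go=1"
HTTP_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123def\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_BODY)
) + _BODY


def sniff_http(raw: bytes) -> dict:
    """Everything in a plain-HTTP request is readable: path, cookies, form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return {"host": headers.get("Host"), "path": path,
            "cookie": headers.get("Cookie"), "form": form}


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello carrying a server_name (SNI) extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension type 0
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32                   # client_version, random (fixed here)
            + b"\x00"                                     # session_id length 0
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
            + b"\x01\x00"                                 # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big")    # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake) + len(body)) + handshake + body


def sniff_tls(raw: bytes) -> dict:
    """From a ClientHello the eavesdropper learns the hostname (SNI) and little else."""
    assert raw[0] == 0x16 and raw[5] == 0x01, "not a TLS ClientHello record"
    pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    pos += 1 + raw[pos]                      # session_id
    pos += 2 + struct.unpack("!H", raw[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + raw[pos]                      # compression_methods
    ext_total = struct.unpack("!H", raw[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    sni = None
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", raw[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            # server_name_list: list length(2), name_type(1), name length(2), name
            name_len = struct.unpack("!H", raw[pos + 3:pos + 5])[0]
            sni = raw[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    # The request path, cookies and form data travel encrypted inside the session.
    return {"host": sni, "path": None, "cookie": None, "form": None}


if __name__ == "__main__":
    print("http :", sniff_http(HTTP_REQUEST))
    print("https:", sniff_tls(build_client_hello("bank.example")))
```

The caveat this makes visible: https hides what you do on a site, but the hostname still leaks through SNI (and through DNS), so an observer knows you visited bank.example even if they cannot see your login. An attacker on the same open network can also try to redirect or downgrade connections, which is why browsers and sites rely on HSTS to refuse plain http altogether.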
If it’s not obvious by now, the most common vulnerabilities are also the easiest to avoid. Basic security hygiene, from not reusing passwords to being wary of suspicious callers, is the most important factor in keeping yourself safe. None of it is complex, just tedious, and it begins with changing your passwords: a unique one for every site, ideally generated and remembered by a password manager, with two-factor authentication switched on wherever it is offered.