Categories
Blog

I Attended A Cyber Security Workshop For The First Time And This Is What I Learnt

– Christy Loh –

Attending A Cyber Security Workshop For The First Time

This story recounts the experience of Samantha Goh, a participant at the recent Youth Cyber Exploration Programme (YCEP) May 2020.

YCEP May 2020 is a 4-day cyber security workshop organised by Cyber Youth Singapore (CYS) and Singapore Polytechnic School of Computing, held on the CYS Discord channel.

Before the YCEP, I had no prior knowledge about cyber security. The only times I ever heard about cyber security were through cyber wellness talks in school during assembly programmes.

I wouldn’t say that I’m completely foreign to the concept of technology, however, as my CCA happens to be Infocomm Club. We learn about game programming and basic coding. It was through my CCA that I got to learn about YCEP, but like my peers, I was rather apprehensive initially. I was afraid that the programme might be too technical and challenging to understand. Deep down though, I’ve always yearned to learn more about programming in general, which spurred me to take up the challenge and sign up for the workshop.

The programme for the first three days was split into morning lectures and afternoon practicals, quizzes and showcases, which were essentially live demonstrations. The final day was dedicated to an online Capture-The-Flag (CTF) competition, where we had to hunt for specific codes called ‘strings’ across various platforms. This structure made the programme really engaging and fun—things I honestly didn’t expect out of an online workshop. I also got a rough glimpse into Poly life in Singapore, which was really insightful.

At the end of each day, we would be given a feedback form to give the student lecturers a sense of our understanding. What impressed me was that they actually used the feedback forms to assess our level of understanding, and tweaked subsequent lessons to suit our pace of learning. They also took the time to revisit topics we faced difficulty comprehending and made themselves available for consultations even after the programme had ended for the day.

Day 1

It took us a while to warm ourselves up with our virtual classmates and turn on our webcams

Day 1 started with us having to introduce ourselves and getting comfortable with our virtual classmates, which was facilitated by the student lecturers.

We were introduced to the basics of cyber security, like the anatomy of a computer, law and order in cyber security, networking, user management and inevitably, coding. When the lecture first began, I was immediately overwhelmed by the many slides thrown at us. But this concern was soon dispelled as I was fortunate to have a student lecturer who could explain it well.

While the lecture was quite the ordeal, the practical was easy to understand, thanks to my basic understanding of coding from my CCA. One of the key things I learnt was how to apply coding into practical means, like securing our computers.

By the end of the first day, I was EXHAUSTED but the feelings of accomplishment got me so riled up for the following day.

Day 2

A question from one of the two quizzes we would have to take each day

Day 2 was all about the ‘Attack Methodology’, so we learnt things like penetration testing, which involves testing the system of a computer to check for vulnerabilities by attempting authorised hacking on our own devices. Before diving straight into penetration testing, we had to learn the 5 stages of a cyber attack and the intentions of the attackers at each stage to prevent those opportunities from presenting themselves in the first place. In short—we’re trying to outsmart them.

With the concepts taught to us in the perspective of a pen tester, it allowed us to digest the information much better. A pen tester scans the device for vulnerabilities in a system and identifies them to prove that a system is not protected. By experiencing pen testing first hand, we could better understand what went wrong and manage the situation ourselves.

The lecture was much simpler to understand, but the practical was much more challenging this time round. I was struggling quite a fair bit and had to seek guidance from the student lecturer time after time. But I was determined to grasp the concepts fully, so I reviewed the slides once more later that evening and that helped a lot.

Day 3

Screenshot of the practical session

The lectures on day 3 provided more insight on the concepts taught the previous day. We were taught what attackers would do when finding vulnerabilities in our program. I had the opportunity to put myself in the shoes of an information officer to learn how it protects its company or organisation from cyber attacks.

The practical was a lot easier to complete compared to the one on day 2 even though I faced some challenges during the troubleshooting process. This process required me to use the secure shell command, which connects our computer to another computer on the internet in order to spot vulnerabilities. A recap of the content taught over the first 3 days was later streamed and that allowed me to better understand the correlation between the chunks of information taught over the workshop.

Throughout these 3 days, I learnt a lot, including how to crack passwords and keep them safe. The most valuable piece of information I’ve learnt through the workshop would be the importance of updating the operating system of my computer. Since many computer updates introduce new security features, it is necessary to ensure the versions are up to date with them.

Day 4

Screenshot of the CTF jeopardy board

When I heard that there was going to be a competition, I initially thought it was going to be a test, only to be surprised that it was more like a game. During the competition, we had to look for challenges on the jeopardy board to solve. Since my teammates were all friends from my CCA, communication was not an issue for us and we delegated the challenges pretty efficiently among each other.

Although we failed to obtain a good score, our team worked well nonetheless and had a blast. With my skills adopted over the past three days combined and put to the test, I managed to elevate my understanding of the concepts to a greater level.

Final Thoughts On The 4-Day Cyber Security Workshop

Overall, I feel that this cyber security workshop has taught me the importance of protecting my information. If you, like me, thought that simply going incognito on your browser would help secure your data, think again. I learnt to be more woke about my online activity and that without proper encryption, others can still gain access to our data via Wi-Fi. Now, I try to add special characters and use different passwords for each account to make it more secure.

I can understand why people have the mindset that cyber security is complex, daunting and difficult to grasp. I mean, jobs in this field require years of proper education and training as it is the digital security of our devices and the devices around us that we’re talking about here. My advice for those keen on dabbling in cyber security, but are intimidated to do so, would be to just get to it, start slow and learn your basics well. Enroll yourself in beginner-level workshops like these.

Technology is advancing at a rapid pace and to say that IT literacy is only for experts in the field would be false. IT literacy has undoubtedly evolved into a staple skill set in our 21st century and it is therefore crucial to know the basics of technology, at the very least. The most crucial part of it all would be to know how to protect your information online. All in all, I would attend another workshop of the likes and recommend them to my peers. Two thumbs up!

6 Signs Of A Hacked Device To Look Out For, Including Drastic Drops In Battery Life

Signs That Your Device Is Hacked

With the advancement in technology, we can now do many things with our devices, from networking through social media to contactless payment. As a result, a lot of sensitive information like our credit card details could possibly be stored on our phones.

Failure to keep your device secure could lead to grave consequences. Learn how to tell if your device has been hacked with these 6 signs.

1. Drastic decrease in battery life

While it is definite that your battery will drain over time, a device that has been hacked will have a dramatically shorter battery life.

A common practice of hackers is to install a spy app on your device to track your activity. Such applications allow them to access your messages, audio input, data, GPS locations, passwords, and more—all while going unnoticed, hidden from your interface and task manager.

Additionally, these apps can run ads in the background, which gradually drains the battery life of your device.

2. Poor performance

Frozen screens and crashing of apps are some signs of a hacking attempt as well. This may be the result of malware such as spyware and viruses installed on your device. Malware is malicious software secretly installed on your device.

All programs function on memory space, which is why we sometimes notice that our devices get progressively unresponsive with age, since we download more materials over time. Such malware consumes a substantial amount of memory of our devices, resulting in limited space for the other programs to function. This may then result in your internet browser and the operating system of your device performing at a sluggish rate.

Additionally, malware can strain computing power, which refers to how fast a device can perform an operation. This sometimes causes your device to heat up, even when you are not using it.

3. New apps not installed by you

While your device manufacturer or service provider might introduce new apps with updates, it isn’t common for new apps to appear without warning.

(Top to bottom) App source of a built-in app and of one manually installed by the user on an Android device

When new (and questionable) apps appear on your device, you should go to your app manager in your settings to uncover their source. You might have downloaded one by accident, or it could merely have been installed with your latest update. If you notice that it hails from an ambiguous or unknown source, uninstall it immediately.

4. Pop-ups on your browser

Browser pop-ups are typically one of the first signs of a virus attack. But they are getting a lot sneakier, and it is more challenging to discern between a genuine alert and a pop-up caused by a virus. So always approach all pop-ups with caution. Read the copy carefully and try to identify any suspicious signs like spelling or grammatical errors. Instructions by your device—like the one reflected in the illustration above—would be unlikely to appear as a browser pop-up, so that’s a major red flag too.

Malware can also add bookmarks to your browser, website shortcuts to your home screen and spam messages that entice you to click. 

Pop-ups often flash, produce sounds or, for mobile devices, cause the device to vibrate. If that happens, close all running apps and refrain from clicking anything on your web browser. And definitely, do not provide any sensitive information, if prompted.

5. Your device suddenly restarts

While automatic restarts during software updates and the installation of new applications are normal, sudden restarts are not. When performing automatic restarts, your device would typically prompt you to agree to it first and usually offer you the choice to postpone it. 

However, a hacker installing malware may force a restart in order to access your device and steal your personal information. In such cases, we recommend that you perform a factory reset.

6. Your passwords do not work anymore

When we talk about being denied access to our online accounts due to a successful hack attempt, we can boil it down to two primary possibilities—the first being that our accounts might have been directly penetrated by the hackers. The second could be that the hackers might have used an indirect approach of hacking into our devices first before utilising that opportunity to access our accounts. Obviously, the latter has much heavier consequences, since the attacker would then have access to a lot more information. 

It is often tough to differentiate between the two, but your best bet would be to change your passwords across all your accounts and perform a factory reset on your device.

Ensuring That Your Device Isn’t Hacked

If these signs seem familiar to you, you should consider purchasing security software from renowned providers such as Kaspersky and Bitdefender. But ultimately, if these signs persist, it is recommended that you perform a factory reset on your device.

Keep Catfishes Posing As You At Bay With These 6 Easy Measures To Secure Your Online Identity

Securing Your Online Identity

Most of us spend a bulk of our time online on our mobile phones, computers, and other internet-connected devices. While we are at it, we sometimes tend to overshare information that might be an invitation to threats from cyber criminals.

It is important to learn how to protect our personal information like bank details and NRIC from identity thieves. This information, when stolen, could potentially result in dire consequences like money theft or even the use of your name to participate in illegal activities. So, here are 6 easy measures highlighted to help you secure your online identity.

1. Always use secure websites

An easy way to identify a secure website is by ensuring that its URL starts with ‘https’. The ‘s’ stands for ‘secure’ and lessens the chances of you disclosing personal information to other unauthorised parties unknowingly. These websites are denied access to data on your browser unless authorised by the user—you.

If the URL begins with ‘http’, the website is not secure and any personal information shared might be stolen. Browsing such sites should be fine, but sharing personal information on it is definitely not advisable.

2. Use VPN when you need to connect to a public Wi-Fi

It is difficult to resist free Wi-Fi but there are many disadvantages of connecting to one. It gives cybercriminals direct access to your device, and valuable information like credit card and financial details when connected to the same network.

If you find yourself having to log into public Wi-Fi, use a virtual private network (VPN) as it encrypts your activity. What this means is that it converts your actions on the internet into unique codes that only your computer can register. This prevents others on the same network from accessing your activity and hacking into your computer.

3. Use strong passwords consisting of at least 15 characters

Be sure to create a strong password that is between 15 and 20 characters long, comprising both upper and lower case letters, numbers and symbols. Here are some tips on boosting the strength of your password:

  1. Create long but simple passwords that you can memorise so you won’t need to note them down physically
  2. Refrain from using personal information like your NRIC or birthday as your password
  3. Misspell any dictionary words

With technology so advanced now, software is available for hackers to crack passwords in unimaginable ways.

4. Beware of phishing emails and messages

This is a very popular way for cybercriminals to steal personal information. By opening dubious files and links sent in questionable emails and messages, you run the risk of submitting personal data.

The only way to stay resilient against such traps is to never click on links or download files attached to unsolicited emails. You can minimize your risk of falling for these scams by doing the following:

  1. Conduct background checks on the sender and the contents of their email. This will ensure that the websites you visit are legitimate and safe.
  2. Install a firewall to increase the security of your device.
  3. Install a renowned anti-virus software and update it regularly.

5. Make purchases from reputable websites only

If you are unsure about the legitimacy of the website you’re about to make purchases from, check out its reviews and ratings. Check that the amount deducted from your bank account is correct immediately upon purchase.

Conduct timely checks to verify and ensure that there aren’t any suspicious transactions in your bank account’s transaction history. If you find anything odd or unsolicited, contact your bank immediately.

6. Lock all your devices with unique passwords

Let’s say you’ve lost your phone. If there isn’t any passcode, the person who found it can have immediate access to your phone and potentially steal all the information inside. It’s a terrifying thought, so keep yourself protected by setting a passcode on all your devices.

Secure Your Online Identity To Keep Identity Fraud At Bay

Applying these 6 steps regularly in your daily life will help secure your online identity in the long run. If you suspect that your information is stolen, alert the police immediately. Always stay vigilant and protect your valuable personal information against spyware and other online threats.

7 Telltale Signs That The Mysterious Email You Received Is Nothing But A Phishing Scam

The Emerging Popularity Of Phishing Emails

Phishing emails are becoming increasingly popular among scammers and hackers due to the low technical knowledge needed.

As the saying goes, “The chain is only as strong as its weakest link.” In the context of a working environment, the cyber-illiterate may potentially jeopardise the safety of the organisation, especially since criminals tend to prey on this specific demographic. Time to get woke and prevent yourself from falling for phishing emails with this guide of 7 red flags.

1. Strange email titles regarding subjects unrelated to you

The email title is the first thing that can tip you off about a potential phishing email. If you’ve received an email about a non-existent account or something you didn’t order, it’s most likely a phishing email. Some other things to note include long strings of dubious-looking codes or numbers, spelling errors and awkward spaces between text and punctuation.

2. Suspiciously long or strange email addresses and domains

A few examples of ‘suspicious-looking’ email addresses.

Another dead giveaway would be long usernames—the portion of the email before the ‘@’—or domains of the sender’s email address. Official emails are typically short and assume professional usernames and domains.

Team accounts of official organisations would have usernames assuming either the department’s name, like ‘human.resources’, or universal ones like ‘contact.us’ or ‘customer.support’. On the other hand, emails sent by official individuals should include their name or full name only—like ‘anne.lim’. Rarely should you expect to find numbers in a username, and certainly not long strings of them.

More often than not, the domain of legitimate email accounts would simply be the name of the organisation. An example would be ‘@cyberyouth.sg’.

3. Generic greetings

An email with a generic greeting from a phisher posing as a renowned online video streaming company.

You should always expect to open your email to a proper greeting, where your name or full name is properly addressed, especially when it regards confidential activity such as online purchases.

Generic greetings including ‘Hi!’, ‘Hello!’ or even ‘Dear Sir’ and ‘Dear Ma’am’ could be a red flag for phishing emails. Banks, government organisations and other major bodies whom you share a personal and confidential relationship with would definitely address you by your name.

4. Unusual or weird formatting

Formatting issues like awkward spaces and text alignments can be a clear sign of a phishing email. Some phishers try to circumvent phishing and spam filters, which results in formatting issues within their emails.

You should also take note of how the sender presents the visual contents in the email. This includes icons, links, buttons and footer content. Anything amiss could potentially be a red flag.

While the formatting of email contents may differ between devices and web browsers, a reputable organisation would not have major formatting issues with their email in most cases.

5. Common language mistakes

Language errors are very common in phishing emails. Check for errors in spelling, grammar and the capitalisation of characters. Non-fraudulent emails are highly unlikely to make such mistakes.

6. Messages that induce panic, urgency or curiosity to take action immediately

Treat emails that try to evoke panic, fear, or urgency in the receiver with caution. Phishers use this tactic in a bid to psych you into taking the “precautionary measures” in fear of the repercussions. This can sometimes be hard to spot, but always check for other danger signs highlighted in this article before taking any action.

7. Extremely long or suspicious-looking links

Long URL with a domain not matching its intended destination presented when the cursor hovers over the link.

Check the links in the email by hovering over those links and see if they lead to wherever they are supposed to bring you to.

Some suspicious things to look out for in the links are:

  1. Use of URL shorteners that prevent you from seeing the actual URL the link brings you to.
  2. Misspellings, substitutions, omissions or unusual characters in links.
  3. URL has a domain that does not take you to its intended destination.

Stay Resilient To Phishing Emails By Looking Out For These 7 Signs

Keep yourself updated with the latest cybersecurity news and be wary of unsolicited emails. With these 7 tips on how to spot phishing emails, we can better protect ourselves from scammers.

The Cyber Dummy Starter Pack: 7 Simple Tips To Secure Your Device And Accounts

– Christy Loh –

Securing Your Device And Accounts

We are connected to the Internet via Wi-Fi all the time. When covering new ground, we dive straight into finding an open network to connect our devices to. But this often comes with the unbeknown risk that we may potentially be sending personal data to hackers.

This, like many other cyber threats, can easily be avoided with simple precautionary measures that do not require complex tech knowledge. Here are 7 tips on how you can secure your devices and accounts.

1. Keep your device’s software updated

We need to always ensure that our anti-virus software tools are up to date. Software updates help to fix security holes that are found in the software. Keeping it updated also helps improve stability and adds new features. These new features replace outdated ones and patch security flaws to block hackers.

Software updates also help to protect data by defending your devices from cybercriminals who try to bypass security measures and prevent your personal information from getting stolen.

2. Use VPN when connecting to foreign Wi-Fi networks

To protect ourselves, we should only connect to foreign Wi-Fi networks using a Virtual Private Network (VPN) as it encrypts our information. This means that your activity on the internet will be converted into unique codes that only your computer can register. The result: others on the same network as you will not be able to access your data and steal your private information.

Some secure VPNs we recommend include: NordVPN, ExpressVPN, CyberGhost, Surfshark, privateVPN.

3. Create strong passwords

In order to create strong passwords, you need to include lower and uppercase characters, at least one number and a special character. Your password needs to be at least 15 characters long to be considered secure. Above all, refrain from using the same password across multiple accounts. 

With technology becoming so advanced today, hackers are able to run mix-and-match software that can easily penetrate accounts with weak passwords. Some common examples of weak passwords include basic keyboard patterns and password reuse.

4. Share your location only with people you trust

Nowadays, we tend to post many things online without thinking. It is important to refrain from sharing your location and whereabouts on social media as you run the risk of getting stalked if you do so. Additionally, you should not post personal information like your phone number, emails and passwords as this could result in data theft.

A few tips you can take to protect yourself include:

  1. Reading fine print when registering or applying for social media accounts. Ensure you have autonomy over who you wish to share your device’s location with. If you don’t have rights to do so, ensure that it explicitly declares not to extract your location information.
  2. For Android, go to Menu>Settings>Location/Location and Security
  3. If you are using an iPhone, you can edit it under Settings>Location Services.

5. Back up your data regularly

It is just as important to back your data up on an external hard drive as it is having a strong password. The last thing you want to experience is having your data stolen with no way of getting it back. 

Storing data in an external hard disk will ensure that you’ll always have a copy of your files, without the worry of them overwriting one another due to a lack of space. This will ensure that the data on your device stays secured, should it experience a viral attack.

6. Run security tests regularly

Running security tests is important as it helps identify security risks so that developers can fix them promptly. Some free apps that you should get acquainted with include Zed Attack Proxy (ZAP), Wfuzz and Wapiti. Some features of these security apps include firewalls, which act like an electronic barricade that prevents hackers from getting in, and a reader that checks for coding errors in a website or application, which may potentially result in data theft.

It is common to assume that what we see is what we get; that our devices are running smooth as a nut when there are no evident threats. But the reality is that most viruses and bugs are now able to disguise themselves and go about unnoticed without proper security tests.

7. Ensure emails received are legit before entertaining them

To verify if an email is legitimate, you can click the show details arrow located directly below the name of the sender. Ensure that the sender’s email address has a username or domain that matches its name. The subject is often very telling of the email’s integrity as well. Scam mails often have dubiously long strings of numbers and codes that look unprofessional.

If the message is unsolicited, do not click on any links as it may harm your device. Conduct a quick background check on the sender and the email’s content and ensure that it isn’t fraudulent.

Protecting Ourselves From Cyber Threats

While technology has certainly benefited us, there are also many out there who will take advantage of it. These 7 simple tips to secure your device and accounts should help you stay vigilant against such cybersecurity threats.

6 Ways To Boost Your Password Strength Besides Throwing In A Bunch Of Random Characters And Numbers

Creating Strong Passwords

Every now and then, a new media platform arises and takes the world by storm. And in a moment of “I need to be part of the pioneer batch of users to become an influencer,” we use the same login credentials as our Instagram, Facebook and Twitter accounts.

This haphazard manner of creating an account is merely a treat for vicious hackers out there. But all is not lost, if you follow these 6 foolproof and simple steps to creating a strong password.

1. Long passwords over complex ones

Step aside passwords, passphrases are the new thang. Lengthening passwords by incorporating multiple words and spaces will help increase the password entropy, a.k.a. the measurement of how unpredictable the password is. Take the example of a purely numerical pin passcode.

To find the total number of combination possibilities, we use a basic probability formula where we take 10—the total number of numerical keys on the keyboard—to the power of the number of digits in the pincode. A 4-digit pincode (10^4) would have 10000 possibilities, while an 8-digit pincode (10^8) would have 100000000 possibilities. And you can imagine how the numbers will only get bigger when accompanied with a mixture of the 26 lowercase and uppercase alphabets each, 33 special characters and, when possible, spaces.

2. Avoid including dictionary words or any form of your identity

Here’s a password taboo: never use dictionary words, phrases or abbreviations as it makes your passcodes highly susceptible to attacks. Most password-cracking tools are advanced and equipped with lists of dictionary words of various languages. If the use of such words is absolutely necessary, you should misspell them by adding, removing or rearranging characters. An example being to replace ‘butterfly’ with ‘butrfly’.

The only thing worse than that is incorporating personal details like your NRIC or birthday into your password. This information is easily obtainable by skilled hackers and the last thing you want is a 2-in-1 combo—a stolen identity and hacked account.

3. Don’t use running alphabets or numbers on the keyboard

We’ve been told to make our passwords ‘complex’ by introducing random numbers and characters. When creating new accounts, Apple users would get complicated password suggestions that resemble something from the Da Vinci Code. But for the fear of forgetting these strings of gibberish, we often go for consecutive number patterns like ‘12345’ or keyboard patterns like ‘qwerty’ or ‘asdfgh’. While the alphabets and numbers are randomised, they’re just as easy to crack with advanced software that attempts various consecutive patterns of varying lengths, which beats the whole point of a “complex password”.
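The arithmetic from tip 1 and the pattern problem from tip 3, as an added example that is not part of the original article: it computes the brute-force search space from the article's character counts and separately flags keyboard or number runs, which stay easy to guess whatever the arithmetic says. The US QWERTY rows, the four-key threshold and the sample PINs are assumptions.

```python
import math

# Character pools as counted in the article: 10 digits, 26 lowercase and
# 26 uppercase letters, 33 special characters, plus the space.
POOLS = {"digit": 10, "lower": 26, "upper": 26, "special": 33, "space": 1}

# Orders a pattern-guessing tool tries first: keyboard rows (US QWERTY layout
# assumed) and the alphabet. Each is also checked in reverse.
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz"]
PATTERN_RUN = 4  # assumed threshold: 4 or more consecutive keys is a pattern


def char_class(ch):
    if ch.isdigit():
        return "digit"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "space" if ch == " " else "special"


def pool_size(password):
    """Number of symbols an attacker must try per position."""
    return sum(POOLS[c] for c in {char_class(ch) for ch in password})


def search_space(password):
    """Total candidates for a brute-force search: pool ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the search space. An upper bound: it assumes every character
    was picked at random, which human-chosen passwords are not."""
    return len(password) * math.log2(pool_size(password)) if password else 0.0


def longest_run(password):
    """Longest stretch that walks a keyboard row or the alphabet, either way."""
    pw = password.lower()
    best = 1 if pw else 0
    for seq in SEQUENCES:
        for order in (seq, seq[::-1]):
            run = 1
            for prev, cur in zip(pw, pw[1:]):
                i = order.find(prev)
                if i != -1 and i + 1 < len(order) and order[i + 1] == cur:
                    run += 1
                    best = max(best, run)
                else:
                    run = 1
    return best


def assess(password):
    run = longest_run(password)
    return {"length": len(password), "pool": pool_size(password),
            "bits": round(entropy_bits(password), 1), "run": run,
            "pattern": run >= PATTERN_RUN}


# Two constructed PINs, then strings quoted in the article.
SAMPLES = ["1234", "12345678", "qwerty", "asdfgh", "I lve unicornz-4"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:22} {assess(pw)}")
```

The `bits` figure is only meaningful when `pattern` is false: a keyboard run is among the first guesses tried, so its nominal search space never has to be searched.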

4. Never note or store passwords

A bad habit even tech professionals are guilty of is storing passwords on some form of document. This often happens when we have overly complex passwords that we aren’t able to memorise easily. An easy solution to this problem is to create long but simple ones instead. A passphrase like ‘I lve unicornz-4’ will be simple enough for you to remember while still promising a relatively high level of security.

5. Refrain from reusing passwords

This is yet another bad habit of many. Passwords are often reused across sites and platforms for ease of memory. But by doing so, we run the risk of having all our accounts hacked simultaneously. Having variations of that one ‘common’ passphrase that’s elementary enough for you to remember in your mental passphrase bank will do the trick. If ‘I lve unicornz-4’ has been used for say—your Instagram account, consider modifying it to ‘I lve koalaz-7’ for your Twitter account.

6. Revise passwords periodically

Most educational institutions have this implemented, where it’s mandatory for students to change the password to their student account at the start of every academic semester. The rationale behind this requirement is simply to make hack attacks as challenging a feat as possible. By keeping the passwords ever-changing, hackers will be unable to keep up, especially when your long passphrase requires years or even decades beyond your lifetime to infiltrate. A revision every six months would more than suffice.

Establishing Strong Passwords Besides Capitalising One Alphabet And Adding An Exclamation Point

With the rapidly developing tech and cyber scene, hacking might soon cross unimaginable boundaries. While cybersecurity is a collective responsibility, password and accounts management starts with each and every one of us. With these 6 simple tips on how to create strong passwords, simple laymen like you and me definitely stand a chance against those pesky hackers.
