5 Cybersecurity Projects For Beginners

Codomo Singapore

It's been a peculiar few months. As we watch the global pandemic unfold before our eyes, most of us are sitting at home with more time on our hands than usual. During this crisis, many of our responsibilities have been curtailed or shrunk in scope, so free time has inadvertently increased, leaving people with plenty of opportunity to pick up new skills, learn, take part in more activities and spend their time productively.

But free time is not the only thing that has increased because of this global crisis. Studies by the International Association of IT Asset Managers (IATAM) have found that working from home during the COVID-19 pandemic is leading to a spike in cyber attacks. The recent compromise of half a million Zoom accounts, which you may have heard of, is only one of many recent examples of data breaches.

If you are someone who has recently started learning about cybersecurity and would like to put your newly acquired knowledge to test, you have come to the right place.

In this article, I will point you towards some exciting projects. What better time to embark on them than now, when there is both the time to do it and a real need for it.


Before diving deep, if you would like to access some of our free resources on computer networking and programming, click here.

 

Caesar Cipher

The Caesar Cipher is one of the simplest and most widely known encryption techniques. The encryption step performed by a Caesar cipher is often incorporated as part of more complex schemes, such as the Vigenère cipher, and still has modern applications in the ROT13 system (you can Google these later!). The method involves shifting each letter in the alphabet to either the left or right by a certain number and writing the message using the new alphabet arrangement.

 


 

The shift number can be varied, so decrypting a Caesar cipher without knowing the shift can be tedious to do by hand: you would have to try all 26 possible shifts, and that's definitely not something I would fancy doing.

 

Luckily the process is fairly straightforward and so you can make a program do the repetitive stuff for you.

  • That’s why a cool project for you could be to write a program that both encrypts and decrypts messages using the Caesar Cipher. There are plenty of guides online for building a Caesar decrypter.
  • If you are looking for a tougher challenge, you can click on the link here and check out ‘The Ultimate Potato Cracker Challenge’. This is a series of 8 challenges where you have to figure out the encryption method and crack the password. You can try the different common encryption techniques and crack the password.

If things get too difficult, something that could boost your confidence is chanting,

“M Pszi Gcfiv Wigyvmxc”
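As an added example (not code from the article or from any of the guides it links to), here is a small Caesar cipher that encrypts, decrypts and also brute-forces all 26 shifts, ranking the candidates with a constructed mini dictionary; it recovers the chant above without being told the shift.

```python
import string

# Constructed mini dictionary used to rank the 26 candidate decryptions;
# a real project would load a full word list such as /usr/share/dict/words.
COMMON_WORDS = {"i", "a", "the", "and", "is", "of", "to", "love",
                "cyber", "security", "attack", "at", "dawn"}


def caesar_shift(text, shift):
    """Shift every letter by `shift` places (positive = to the right),
    keeping case and leaving digits, spaces and punctuation untouched."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, shift):
    return caesar_shift(plaintext, shift)


def decrypt(ciphertext, shift):
    # Decryption is simply the opposite shift.
    return caesar_shift(ciphertext, -shift)


def english_score(text):
    """Count how many words of `text` appear in COMMON_WORDS."""
    words = "".join(c.lower() if c.isalpha() else " " for c in text).split()
    return sum(1 for w in words if w in COMMON_WORDS)


def crack(ciphertext):
    """Try all 26 shifts (the tedious manual work) and return (shift, plaintext)
    for the candidate with the most dictionary hits."""
    best_shift = max(range(26), key=lambda s: english_score(decrypt(ciphertext, s)))
    return best_shift, decrypt(ciphertext, best_shift)


if __name__ == "__main__":
    secret = "M Pszi Gcfiv Wigyvmxc"   # the chant from the article
    shift, plain = crack(secret)
    print(f"shift {shift}: {plain}")
```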

 

Keylogger

Keylogging is, as the name suggests, the act of recording the keys pressed on a computer's keyboard. Keyloggers can be used for both legitimate and malicious purposes. There are a number of keylogger apps available for download online, mainly for activity tracking. The most common uses are parents monitoring their children's device usage and employers tracking non-work-related activity on work devices.

However, when used as malware, a keylogger poses a serious threat to the user of the device it has been surreptitiously installed on. It can be used to intercept passwords, login details, credit card details and other sensitive data entered via the keyboard. The following project ideas are ideal because they offer an opportunity to learn about the different ways a hacker can break into your system and obtain sensitive information. Understanding how the malware works can be instrumental in staying safe from it.

  • Your project can be to build a simple keylogger in Python to understand exactly how it works, so that you get a better idea of how logged data is transmitted back to the attacker. Click here for a clear and comprehensive guide.

Here is an example of a very simplified keylogger:


  • You can also research and analyse how a keylogger can be detected and what steps can be taken to remove one from your personal device. Some useful links to get you started: how to detect a keylogger - article, video
  • Lastly, to challenge yourself, you could even find out how to make a keylogger that works on a virtual keyboard (one which does not require key inputs from the user). Check out this link for some cool information on this.

 

Hash Function

Hashing is like encryption: you take some normal text and transform it into gibberish. Except that, in the case of hashing, the transformation is one-way. There are many different algorithms for converting plain, normal words into these hash values.

Because hashes are very hard to reverse, many companies use them to store information (like passwords) in their databases. Even if a hacker gains access to this warehouse of information, none of it makes sense, since it is all gibberish. This is why hashing is such an integral and commonly used method in cybersecurity.

To have a more thorough read on this check out this article.

  • Your project could be to look up the different hash functions out there, understand how they work and write your own hash encoder in Python.

However, hashing is not foolproof; it is, and has been for a long time, vulnerable to brute-force attacks. These are attempts by malicious hackers to crack passwords and gain access to people’s accounts using nothing but time and computing power.

  • In fact, you could try this yourself. [insert link] It is the same article as the one linked above, and it shows how you can create your own brute-force password cracker.

Since brute-force methods are common and not that difficult for hackers to use, people have devised clever ways to keep sensitive data secure. For example, Dropbox uses a 4-layered encryption method, so that the resources and time required to brute-force through these layers make the acquisition of the actual data pointless.

  • Therefore, another project you could embark on is researching these multi-layered encryption systems and learning how they make the data more secure. A few examples for you to start with are ‘salting’ and ‘bcrypt’.

Watch this great video summary for a quick understanding of this issue.

SQL Injection

Structured Query Language (SQL) is the language that is used to communicate with databases. You can use SQL to retrieve, add, update or delete information from the database.

SQL injections are attacks in which a hacker exploits vulnerabilities in the way a website passes input to its database. These attacks generally allow an attacker to view data that they should not be able to retrieve. Many high-profile data breaches in recent years have been the result of SQL injection attacks. Some examples include:

  • Back in 2017, a hacker breached more than 60 universities and government agencies using SQL injection. High-profile universities like Virginia Tech, Cornell University, the Rochester Institute of Technology, and Purdue University were breached.
  • An SQL Injection attack on Yahoo back in 2012 caused the compromise of 450,000 Yahoo users’ passwords.

There are many SQL injection vulnerabilities that open up possibilities for hackers to launch attacks.

  • A cool project for you could be to find out about the common vulnerabilities and how they allow hackers to accomplish their malicious goals. If you have not already, you could also take this as an opportunity to introduce yourself to the query language syntax and learn more about queries and databases.
  • If you want to take the project further, you can run SQL injection vulnerability assessments on websites. Of course, you would need to get permission from the website owner first. Alternatively, you can build your own fun website to test on.
  • Lastly, you can find out about the different methods of preventing an SQL injection attack and implement them on your own website to test them.
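As an added example for the last two project ideas (not code from the article), here is the vulnerable pattern beside its fix, run against a constructed in-memory SQLite table: a query built by string concatenation lets a quote character in the input change the SQL, while a parameterised query only ever treats the input as data.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for a site's user table; names and
    hashes are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "demo-hash-1"), ("bob", "demo-hash-2")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The classic mistake: the user-supplied value is pasted into the SQL
    text, so a quote character in the input rewrites the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """The fix: a parameterised query. The driver sends the value separately
    from the SQL, so it can only be compared as data, never parsed as SQL.
    (Least-privileged database accounts and input validation are extra
    layers, not substitutes for this.)"""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR '1'='1"   # a quote that breaks out of the string literal
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row comes back
    print("safe:      ", find_user_safe(db, probe))         # no such username
```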

 

Packet Sniffer

A packet in computer networking is a small chunk of data (literally a packet). Each packet includes a source and destination as well as the content (or data) being transferred.

A packet sniffer gathers, collects and logs the packets that pass through a computer network.

Network administrators often use the collected data to monitor bandwidth and traffic. However, ill-intentioned packet sniffers can capture unencrypted packets that carry sensitive data like passwords.

  • Your project could be to build your own packet sniffer in Python and use it to intercept packets travelling on your own home network. Check out this example for a guide.
  • You could use a Virtual Machine software to emulate two separate computer systems.
    More information on this can be found here
  • A fun analysis of the data could be carried out to monitor consumption trends on a network. It would be a good idea to research the legal limits of packet sniffing to get a general idea of where you should draw a line.
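The part of a sniffer that the guide above leaves you to write is the decoder: turning raw bytes into source, destination and content. As an added example (not the guide's code), this parses an Ethernet/IPv4/TCP frame with `struct`, verifies the IPv4 header checksum, and builds a constructed frame with documentation addresses so it runs without raw-socket privileges; on a real capture the same bytes would come from a raw socket.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header):
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(data):
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length including options
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            # a valid header sums to zero once the checksum field is included
            "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
            "payload": data[ihl:total_len]}


def parse_tcp(data):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    offset = (off_flags >> 12) * 4        # data offset in 32-bit words
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": data[offset:]}


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; anything else stays as raw bytes."""
    parsed = {"eth": parse_ethernet(frame)}
    if parsed["eth"]["ethertype"] == ETHERTYPE_IPV4:
        parsed["ip"] = parse_ipv4(parsed["eth"]["payload"])
        if parsed["ip"]["protocol"] == PROTO_TCP:
            parsed["tcp"] = parse_tcp(parsed["ip"]["payload"])
    return parsed


def summarize(parsed):
    """One log line per packet, the way a sniffer would record a flow."""
    ip, tcp = parsed.get("ip"), parsed.get("tcp")
    if ip is None:
        return "non-IPv4 frame, ethertype 0x%04x" % parsed["eth"]["ethertype"]
    if tcp is None:
        return "%s -> %s proto %d" % (ip["src"], ip["dst"], ip["protocol"])
    return "%s:%d -> %s:%d %d bytes" % (ip["src"], tcp["src_port"],
                                         ip["dst"], tcp["dst_port"], len(tcp["payload"]))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (made-up MACs, RFC 5737 test
    addresses). The TCP checksum is left at 0; the parser does not check it."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (5 << 12) | 0x018, 65535, 0, 0) + payload     # PSH+ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("021122334455"),
                      bytes.fromhex("02aabbccddee"), ETHERTYPE_IPV4)
    return eth + ip + tcp


if __name__ == "__main__":
    frame = build_frame("192.0.2.10", "198.51.100.7", 51515, 443, b"GET / HTTP/1.1\r\n")
    print(summarize(parse_frame(frame)))
```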

 

 

Conclusion

For almost all of these projects, there are plenty of online resources and guides you can refer to. There are a few modules and packages you would need to install for the Python projects, so do not hesitate to do so. For a guide on how to install Python packages, you can click here.

 

The most important thing for these projects is to have an open and adventurous mindset. Be willing and eager to try new things even if they may seem beyond your current knowledge level. The importance of knowing how to stay safe online is more vital than ever in the current context. It would be best to use this special time to get a firm hold on cybersecurity and computer networking concepts and put them to practical use. If you are looking for more interesting reads on these topics click here.

 

So what are you waiting for? Get ready to set sail on this spudtastic journey and be sure to watch out for the pirates (like bugs and other hindrances).

Read more →

How Facebook tracks you on Android (even if you don’t have a Facebook account)

Codomo Singapore

iPhone screen with 4 apps

Suppose you’ve picked up an Android phone on the street and you saw the 4 apps above. Can you guess the profile of the phone user?

Your guess is likely to be that the user is a ‘she’, she is a Muslim, perhaps looking for a job recently, and she’s either a mother or someone who is into virtual cats.

Yes, in essence, that’s how Facebook profiles you if you own these apps in your Android phone. Now, let’s talk about the ‘how’.

Cut to the chase

  • Facebook is able to track you because Android developers of 3rd party apps (example: Indeed Job Search) implement Facebook’s Software Development Kit (SDK).
  • An SDK is a collection of tools that eases the creation of software. By using the Facebook SDK, developers can do advanced analytics without having to code it from scratch. An SDK is like a Swiss Army knife: with it, you can start your job immediately instead of having to build your own scissors, knife, corkscrew etc.
  • This article is written based on the research conducted by Frederike Kaltheuner and Christopher Weatherhead. You can watch the full video here. The official study can be found here.

Purpose of this article

I wrote this article to inform the general public on how these tech companies collect our data and how we can protect our digital privacy. My job is to “de-jargonise” the research, not to be 100% technically accurate (although I will do my best to be).

Just a heads up, I am not an expert in the data privacy domain; I just consider myself more of an intermediate developer. So if you have detected any technical inaccuracies, please point it out and I will send you a 💌.

Outline

  • Anatomy of the Google Play Store
  • How the tech works (without going too much on the tech)
  • What’s our defence?

Anatomy of the Google Play Store

According to Privacy International, research done by the University of Oxford has suggested that approximately 42.55% of the free apps in the Google Play Store could share data with Facebook.

Infographic showing 42.55% of free apps on the Google Play Store could share data with Facebook

Out of the 42.55%, this study picked 34 apps, based on the fact that they have either a huge number of installations, or they involve sensitive information such as religion and health, or they are simply utility apps (You know, torchlight, QR code scanner, fart sound etc).

Apps sharing data with Facebook

Out of the 34 apps, over 61% of them automatically transfer data to Facebook the moment a user opens the app.

“…the moment a user opens the app”. That means, there is no chance for the app to ask permission from the user to grant/deny the sharing of personal data.


How the tech works (without going into too much on the tech)

App #1: Kayak

Take Kayak, for example. If you are unsure what Kayak is, it’s a travel metasearch engine: it lets you search for flights, hotels and cars when you are going on holiday.

Action 1: You tap on the application icon.
What happens: The application is initialised and the following data is sent to Facebook immediately.

Data anonymously sent to Facebook on app startup

The highlighted word “anon_id” stands for anonymous id. Basically, you are identified as XZdfd5f00f-9271–4e82-a8ce-6cea1d38b6d3. Facebook does not know your actual name, but that doesn’t matter. There’s a term for that; it’s called shadow profiling.

It’s comical to know that Kayak confidently declares this message “Don’t worry, we’ll never share anything without your permission” at its login screen even though it shares data the moment you open the app. In Kayak’s defence, the SDK is built by Facebook, so Kayak should not shoulder the entire blame here. To be fair, Kayak no longer shares data instantaneously with Facebook as of this writing.

Kayak login page

Action 2: You search for a flight with 1 economy passenger from London (Gatwick) to Tokyo on the 2nd of December, returning on the 5th.
What happens: The search is initialised and the app sends the following to Facebook.

Data sent to Facebook from the flight search

In a span of a minute or two, Facebook took notice of this random person who wants to travel from London to Tokyo in December and he’s travelling alone. This data is harvested from a single person with a single device at a single search.

Imagine you close the Kayak app and switch to (say) “Amazon”. Facebook knows that you have these 2 apps and it will probably start to put you into categories like “preparing for holiday” or “affinity for winter clothes”.

The bottom line is that Facebook harvests billions of data points every single day, even from users who made a conscious effort to stay away from Facebook. That’s how creepy it is.

What’s our defence?

Stay in a cave.

I’m joking.

Well, half-joking.

The best defence is, of course, getting yourself off the internet. That means, no Facebook, no Google search, no YouTube, don’t hang out with friends who love to take selfies and buy airline tickets at the booth. But we all know that that’s kind of impractical in this day and age. But there are certain ways to limit the reach of these tech companies into your personal life.

Here are 5 suggestions:

1. Reset your advertising identifier (Very simple)

Every device has an advertising identifier (aka ad id). You can’t stop Facebook or Google from tracking you but you can make their tracking difficult by frequently resetting your ad id. If you reset it, in theory, Facebook and Google algorithms will view you as a different person in your next online activity.

Android Phone: Go to settings > Google > Ads > Reset advertising identifier

iPhone: Go to settings > Privacy > Advertising > Reset advertising identifier

2. Limit ad personalisation (Very simple)

In theory, this should limit the amount of data collected by the companies. However, this study showed that we can end up sharing more data with companies if we limit ad personalisation. But I will not go into the details of that.

Android: Go to Settings > Google > Ads > Opt Out of Personalized Advertising

iPhone: Go to settings > Privacy > Advertising > turn on ‘Limit Ad Tracking’

3. Review permissions (Very annoying)

Reviewing permissions on Android and iOS

Do you notice that apps these days have been asking for permissions before you carry out a simple task like importing a photo or opening a map? Yeah, it’s irritating but it’s crucial. This allows you to have greater control of your privacy. Not perfect, but at least it helps to a certain extent.

4. Use Brave browser to surf & use DuckDuckGo to search (Simple)

Brave (as opposed to Google Chrome) is a web browser which focuses a lot more on data privacy.

DuckDuckGo (as opposed to Google Search) is a search engine which distinguishes itself from other search engines by not profiling its users.

5. Educate yourself / your parents / your children on how the Internet works (Not so simple)

Education is the most powerful weapon. There are tons of articles and YouTube videos explaining how computers and networks work; go and read them.

However, if the content is too complex, especially for the older generations and the newcomers (aka your children), you can check out Potato Pirates -Enter The Spudnet. It’s a board game that’s developed to teach cybersecurity and computer networking without computers.


Closing Remarks

After the Facebook-Cambridge Analytica data scandal, people are starting to take notice of the importance of digital privacy, and governments have been implementing measure after measure to curb big companies from being overly intrusive in their data collection. One prominent move is the implementation of the General Data Protection Regulation (commonly known as GDPR) in the EU, which sets out a compliance framework that companies must follow. While it’s heartening to know that governments have made progress in protecting us, we need to do our part as well.

I hope this article is useful to you. Do drop me a response if you would like to discuss this topic further.

Read more →

I cracked 40,000 passwords with Python. Yours might have been one of them

Codomo Singapore

xkcd comic about encryption expectation vs reality

Remember the good old days when you were passing love notes to your crush across the classroom? Chances are you’ve had to pass that note to your friend > another friend > and another friend before it reached your crush. And friends are the worst; you can’t trust them with your secret message. In response, you probably established some kind of code between you and your crush beforehand. The message makes sense to both of you but appears as gibberish to the people in between. That’s what we call encryption.

🚨 JARGON ALERT:

Encryption and hashing are similar; they make words become gibberish. The difference is encryption is reversible, while hashing is (almost) irreversible. For passwords, we use hashing.

HOW PASSWORDS ARE STORED IN COMPANIES

  1. Plain text (Can you hear me shaking my head?)
  2. Hashed passwords
  3. Salted hashed passwords

Responsible companies hash your passwords. They take the password you type into their sign-up page, make it gibberish, then store those gibberish words in their database. In the event a hacker flirts with your database administrator and gains access to the database, all he’ll see is the gibberish. They can’t just copy your gibberish password and paste it into the login page, because the algorithm would turn the gibberish into yet more gibberish. I’ll let that sink in.

Even more responsible companies salt your passwords. Meaning, they “add random characters at random positions” to your password entries before sending them for hashing. For example, you enter a shitty password — “Password”. With salting, the algorithm adds a few characters to it until it becomes something like “xyzPassword123”. “Password” is in the dictionary; “xyzPassword123” is not. This makes guessing the actual password way tougher ☝️.


SETTING EXPECTATIONS

In the next part of this article, I’m going to show you how hackers “decrypt” hashed passwords back to the actual words (well, they don’t actually decrypt, they guess). Then, I’m going to show you how it’s done in Python.

Before I proceed any further, I would like to point out that the purpose of this article is to show you the big picture; I will avoid being technical here. If I say anything technical, you will hear me saying sorry. Yes, I have oversimplified many things here. Cool? Let’s go.

HOW DICTIONARY ATTACKS WORK

In short, a dictionary attack (sorry!) is the cracking of a password, based on the words that appear in the dictionary (durh..). There are 3 steps to a dictionary attack.

  1. ACCESS to the (hashed) password list
  2. HASH all the words found in the English dictionary
  3. COMPARE the (hashed) English words with the (hashed) passwords

STAGE 1: ACCESS

Let me give you an example. Let’s say I flirted with a database administrator of a company and managed to gain access to the following 3 hashed passwords:

  1. 5f4dcc3b5aa765d61d8327deb882cf99
  2. 9b4609b17fea63f3f3f067fc2f465c6e
  3. 24ebcd0fd5d6b86649fb187d75f80ad0

STAGE 2: HASH

Using programming, I hashed all of the 350,000+ English words. I will use a hashing method called “md5” (sorry!). There are many hashing methods — MD5, SHA1, SHA2, SHA3 (sorry, sorry, sorry, sorry) etc.

STAGE 3: COMPARE

I then comb through all of the 370,000+ (hashed) English words. If I find a match, bingo! That’s the password.

Still confused? I have created a 20 second blockbuster movie below for you to see how it works:


DICTIONARY ATTACKS (Using Python)

>>> You can download my entire python code here. <<<

I started with 2 text files: english.txt and 1MillionPassword.txt.

  • english.txt is a text file containing English words
  • 1MillionPassword.txt is a text file containing 1 million passwords that humans have created in the real world.

📰 Breaking news

In Dec 2009, a company named RockYou experienced a data breach in which 32 million user accounts were exposed. To make matters worse, 14 million passwords were exposed, IN PLAIN TEXT!! Yes, the 1MillionPassword.txt is derived from this 14 million.

ASSUMPTIONS

For the purpose of this article, I’m going to hash the rockyou passwords with md5 hashing (Meaning, we’re assuming that rockyou did hash the 14 million passwords before the hack). I mean, what’s there to crack if the password is revealed to us in plain text… ¯\_(ツ)_/¯

PYTHON LIBRARIES | SPECS OF MY MACHINE

There’s a Python library called hashlib with which you can convert text to hashed characters. I’ve also used the concurrent.futures library to run parallel tasks to make my code run faster. Yes, I am slave-driving my 4 CPU cores. I’m running on a MacBook with a 3.1 GHz Intel Core i7 CPU, and Intel Iris Graphics 6100 1536 MB GPU.

macOS model and specifications

CREATING THE PYTHON SCRIPT

I created 2 python files: createHash.py and crackPassword.py.

  1. createHash.py — Hash the 370,000 words in english.txt and 1MillionPassword.txt using md5 (sorry!).
  2. crackPassword.py — Splits the 1 million passwords into 4 lists. Each CPU core will take a list and make a comparison between the (hashed) English word and the (hashed) password.
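As an added example (not the author's createHash.py or crackPassword.py, which are downloadable via the link above), here is the same three-stage pipeline on a six-word constructed word list, checked against the three hashes quoted in STAGE 1; it then shows the defence the Hash Function project in the first article calls salting, with a per-user random salt and the slow PBKDF2 function from hashlib, so the precomputed table finds nothing.

```python
import hashlib
import hmac
import os

# Constructed stand-in for english.txt: a handful of words instead of 370,000.
WORDLIST = ["apple", "banana", "password", "letmein", "dragon", "sunshine"]

# The three hashes quoted in STAGE 1 of the article.
STOLEN_HASHES = [
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "9b4609b17fea63f3f3f067fc2f465c6e",
    "24ebcd0fd5d6b86649fb187d75f80ad0",
]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """STAGE 2 (the createHash.py step): hash every word once, indexed by hash."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(hashed_passwords, lookup):
    """STAGE 3 (the crackPassword.py step): one table lookup per stolen hash.
    Returns {hash: word or None}."""
    return {h: lookup.get(h) for h in hashed_passwords}


# ---- the defence: a fresh random salt per user plus a deliberately slow hash ----
def store_salted(password, iterations=100_000):
    """What a responsible site stores instead of md5(password)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(record, lookup):
    """The precomputed md5 table is useless here: no entry equals the salted
    digest, so an attacker must redo the slow hashing per user and per guess."""
    return lookup.get(record["hash"])


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    for h, word in crack_unsalted(STOLEN_HASHES, table).items():
        print(h, "->", word if word else "not in our tiny word list")
    rec = store_salted("password")
    print("salted record cracked by lookup table?", crack_salted(rec, table))
```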

THE RESULT

Passwords cracked by CPU

Summary:

CPU 1: 26826/250000 password has been cracked. 72.49 minutes elapsed.

CPU 2: 8138/249999 password has been cracked. 74.19 minutes elapsed.

CPU 3: 4671/249999 password has been cracked. 74.38 minutes elapsed.

CPU 4: 653/249999 password has been cracked. 74.59 minutes elapsed.

Total passwords cracked: 40,288 in a little more than an hour

FAQ

You: “All right, Sherlock; then how do you bypass the maximum login attempts allowed? Hm? You can’t just brute force over there, bro.”

Me: “Of course. Hackers are probably not interested in accessing the account they’ve just hacked. They are probably more interested in the higher valued accounts, like your email address. Why? Because if they managed to compromise your email, they can try a ‘forget password’ on all of your other accounts. They can start hacking into your Facebook account and start liking your crush’s photos 5 years ago. No amount of justification can save you from that embarrassment, you ‘creep’.”

You: “Wait. How would they know my email’s password? They are not the same.”

Me: “People reuse passwords. That’s the problem.”

You: I’m still not convinced. I don’t think there are a lot of people who reuse the exact same password for their email.

Me: Well, maybe. I don’t know the statistics of how many people reuse their email password on other accounts. The problem is that if a hacker manages to gain access to one or two emails, he can send a malicious email to the victims’ friends. People tend to click on an email that arrives from a friendly source. The process will go something like this.

‘Victim’ sends an email > A few friends open it > Malicious software gets downloaded > Their computers get compromised > Starts spreading to other friends.

It’s almost like a virus.

You: What about 2-step verification?

Me: Thank goodness we have this. Wait, did you turn on your 2-step verification?

CLOSING THOUGHTS

Protecting ourselves from cyber crime is like buying insurance. People don’t subscribe to it until shit hits the fan. I have 6 tips for you to protect yourself and your loved ones.

  1. Secure your main email address to the highest security. Use a strong password, don’t reuse it, and turn on 2FA.
  2. Don’t use a password that can be found in the dictionary. I just showed you how easy it is to crack. “Password” and “P@$$w0rd” are equally vulnerable.
  3. Use passphrases, not complicated passwords. Meaning, don’t use Tr0ub4dor&3, use something like correct-horse-battery-staple; it’s longer and more memorable. Yes, I stole this example from xkcd.
  4. Invest in a password manager to diversify your password; I use 1Password for its security and beautiful UI. It costs $2.99/month (that’s cheaper than a cup of latte from Starbucks).
  5. If you have children, consider buying a “Potato Pirates: Enter the Spudnet” for them. It’s a board game that teaches cybersecurity.
  6. If you want to know more about the different types of cyber attacks, you can check out this article.

Read more →

How Cyber Savvy Are You?

Codomo Singapore

Comprehensive Answer Guide and Cybersecurity Tips for you to be safe online

Other than being synonymous with Halloween, October is actually National Cyber Security Awareness Month in the US. A survey recently revealed that the majority of U.S. adults can answer fewer than half the questions on a digital knowledge quiz correctly. Are you among that majority?

Take our rendition of the quiz below to see how cyber savvy you are and learn some cybersecurity tips to stay safe and secure online in the process! 

Answers and tips are down below ⬇️


Answers

how cyber savvy are you quiz answers

If you got some of them wrong, continue to the next section to find out why; the answers are explained below. It is important to be informed, and it is better to be safe than sorry. Share this quiz and the knowledge you gained with your friends and family so that they can start protecting themselves.


Essential Cybersecurity Tips

🔐 Good Practices for Passwords

  1. Use different passwords for your online accounts.
    If you always use the same password, or variations of it, and one of your accounts is hacked, cyber criminals can gain access to your other online accounts, especially your email account, which leads to the next point.
  2. Secure your main email address to the highest security using a strong password. [Q1]
    Weak passwords are easily hacked, especially passwords that can be found in the dictionary. The common practice now is to use a phrase of words and include upper and lowercase letters, special symbols, and numbers. Check out the infographic below on the steps to create a strong password.
  3. Use a secure password manager
    Maintaining different, strong passwords for your online accounts can be hassle-free: use a secure password manager from a trusted source to help you encrypt, store and organise your passwords. Apps like 1Password and RememBear are convenient and low-cost solutions you should try out.
  4. Turn on Two-Factor Authentication (2FA) [Q4]
    2FA is an additional layer of protection you can activate to prevent your accounts from being hacked. Most apps and services, especially banks, issue one-time-passwords to your mobile phone or email account, to be submitted while you log in to the account.  

Infographic on how to create a strong password

Source: CSA

🌐 Online Activities and Behaviour

  1. Do not conduct sensitive online activities over public networks. [Q2 & 3]
    Even though the network is protected by a password and the 's' in https denotes that the website you are visiting encrypts and secures the information entered on the site, it is still a public network and hackers can still view the information sent over the network. It is better to carry out such sensitive activities on trusted private networks.
  2. Incognito/Private windows are only good for shared computers. [Q8]
    No cookies or cache may be saved on your computer, but your computer's IP address is still visible to the internet service provider. Your information is only hidden from a co-worker who may have access to the computer you are using. The next two tips are great ways to keep your online activities private and more secure.
  3. Use a Virtual Private Network. (VPN) [Q6]
    A VPN allows users to create an encrypted connection between their devices and the internet. This makes it much harder for anyone other than the user to see their activity. Using a VPN would mask your IP address and provide a safer way to keep your browsing session confidential.
  4. Surf the net on secure browsers.
    Safari, Brave, Firefox, and Tor are probably the most secure and private browsers out there. Check out this article, which briefly explains and compares the technology behind these browsers and how it keeps users safe from online threats. On the other hand, Internet Explorer is one of the least secure browsers, with so many issues that even Microsoft's own staff openly discourage using it.
  5. Learn how to identify a phish
    Email accounts are still the number one way for hackers to attack. If you encounter a website or email that asks for personal information such as your online banking account ID and password, or offers a deal too good to be true, report it as spam and block it. Learn how to spot a phish in the image below.
  6. Do not blindly click on links. 
    Be cautious when you receive links through your messaging apps or emails. Your close friend may have sent it but they could be affected by phishing scams and clicking those links may infect your devices with malicious software. Where possible, verify with the sender to make sure that it is a legitimate link before clicking on it.
  7. Encrypt your files before putting them in Google Drive, iCloud, or Dropbox.
    If you have been backing up sensitive data in the cloud, it is time for you to consider encrypting them before uploading them to cloud storage. This is a great listicle on free apps that allow you to encrypt files before sending them to the cloud.

How to spot a phish infographic

Source: CSA

🦠 Malware Threats

  1. Install anti-virus software on all your devices, including your smartphone. [Q5 & 7]
    This helps protect your devices from threats, especially ones you may not be aware of. Read this article on the types of threats that can end up on your computer without you knowing.
  2. Update your software and operating systems regularly
    As the infographic below explains, failing to update your software exposes you to security vulnerabilities, because updates usually patch security gaps found in the system. Attackers can use those gaps to take control of your device.
  3. Always scan your devices.
    Anything connected to your office's network can give an attacker a way into your company, compromising not just you but the whole organisation. Before connecting a device to a shared network, inform your IT staff so they can run the proper scans and security procedures on it.
  4. Stay offline when you have to plug in devices you do not own.
    Thumb drives and external disks you receive from outsiders or clients may contain malware. Some malware is known to run programs that bypass security controls and shut down companies' servers and backup systems. To prevent an outbreak, it is good practice to disconnect from the network while you work with such devices, so any malware has less chance of spreading to others.

How to choose an anti-virus app infographic

Source: CSA

What software updates mean for you infographic

Source: CSA


It's never too early to start inculcating good online habits in order to protect yourself and your loved ones from cyber criminals. This is why we created our latest game, Potato Pirates: Enter the Spudnet: we want to teach digital natives as young as 10 about computer networking and cybersecurity. If you are interested, sign up to get early bird discounts and referral links here.


How does your data get compromised on the internet?

Codomo Singapore

Common cyber threats you should be aware of.

“Security is always excessive until it’s not enough.” — Robbie Sinclair

Today, about 3.9 billion people are connected to the internet, roughly half of the world's population. Everyone in this pool is susceptible to multiple forms of cyber attack for every second they remain connected, and that is before counting how many different devices each of us owns...

10 MILLION! That is the estimated total number of cyber attacks happening globally every single day. As technology advances, more of our lives are connected to the cyber world. This opens up more avenues for attackers to breach, while security companies find new ways to prevent them. Though it's a cat-and-mouse game between the attackers and those trying to stop them, the onus is on us to be aware, informed and protected. To give you some perspective, GlobalSign has highlighted some of the biggest attacks that occurred in 2019 and what's ahead for 2020.

While most organised crimes target businesses and government organizations, as an individual, you can never be too vigilant in protecting yourself against cyber attacks.

Cyber claims by reported incident infographic

Breakdown of reported incident claims for insurance submitted to AIG

The number of cybercriminals globally is rising rapidly, and whether they operate in highly organised networks or individually from their home computers, these criminals know no geographic bounds. You can be watching Netflix on your laptop in Singapore and be hit by a botnet run from Russia. Or you might be lounging in your local Starbucks while the person sitting next to you sniffs your phone's traffic for material to blackmail you with.

You have anti-virus software installed on your phone and computers. And your password looks like this: $bpr%L9qfg4! So what’s there to worry about? Well, lots. While we are not recommending you to become a digital hermit, you will definitely benefit from the knowledge we are supplementing here.

In this article, we will highlight some of the concerns in modern cybersecurity, the misconceptions surrounding them, and how you can be vigilant.

Potato cyber army
Yes, evil cyber armies are real and they are already here.

Types of Cybersecurity Threats

Potato hacker

1. Social Engineering

Social engineering is an umbrella term for tactics adversaries use to psychologically manipulate you into breaking security procedures, performing actions or revealing information. Everyone is prone to this form of attack, including ourselves. Social engineering is also used as a carrier for more damaging attacks, such as getting you to download malware, enrolling your device in a botnet or mass-mailing malicious emails.

Phishing attacks are the most common form of social engineering. They usually come in the form of a deceptive email that tricks the user into giving away personal information. One such example is a fake "password reset", where you are linked to a page that asks you to enter your existing username and password, which go straight to the attacker. In the last section of this article, we offer some advice on how to detect potential phishing attempts.

2. Malware

Malware is short for malicious software. It comes in various forms and is often installed unwittingly by the user. Malware might be embedded in the installer of seemingly legitimate software, or you could have let it in from an infected USB device. Nowadays, malware is not limited to computers; it has spread to devices of all types, including your mobile phone.

Spyware

One of the most common forms of malware, spyware is software that monitors your activities and steals sensitive information like bank details and passwords. In recent years, spyware has evolved to extract information that can be used for blackmail, such as images captured from your webcam or incriminating chat histories from your messaging apps.

Bloatware

Bloatware is a type of software that is not malicious in itself but, if left unchecked, can open the door to more damaging consequences. Bloatware is software that uses large amounts of computing resources, reducing the performance of the device. A lot of modern gadgets ship with bloatware that you may never use, such as games or entertainment software. Remember the last time you bought a Windows laptop and the first time you clicked the Start button there were a bunch of apps such as Candy Crush and Xbox? Not that they are malicious, but if you do not use them, uninstall them right away: every unused app is extra code that needs patching.

Adware is a common type of bloatware that periodically pops up enticing advertisements on your screen. The advertisement usually carries a link to a web page, and while these websites are not always malicious, you might let your guard down there and grant permissions that let other malware in.

Ransomware

Ransomware is designed to deny access to a computer system or data until a ransom is paid. It typically spreads through phishing emails or by unknowingly visiting an infected website. The damage ranges from encrypting your files to locking you out of your system until a ransom, usually demanded in Bitcoin, is paid to the attackers. The notorious WannaCry worm of 2017 is a prime example of ransomware.

Botnets

A botnet is a network of connected devices infected with malware and controlled remotely to perform malicious actions such as sending email spam or launching distributed denial-of-service (DDoS) attacks. Simply put, each infected machine is an automated hijacked worker. The malware can also consume large amounts of resources while operating, slowing your system down dramatically. Botnets are also used for cryptojacking, the unauthorised use of someone else's computer to mine cryptocurrency.

3. Packet Sniffing

Packet sniffing is, put simply, the act of capturing data packets as they travel over a computer network. Packet sniffers, or protocol analysers, are normally used by network technicians to diagnose network problems. The same tools, however, can be used by attackers to spy on user traffic and collect passwords. You are most exposed on unsecured Wi-Fi networks and on unencrypted (HTTP rather than HTTPS) websites, where everything you send, including login forms, crosses the network in plain text.
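To make that concrete, here is an added example (not code from the original article) that decodes two captured frames the way a sniffer would: one carrying a login form over plain HTTP, one carrying a record from an HTTPS session. Real tools such as tcpdump or Wireshark read frames from the network interface; here the frames, addresses, ports, session cookie and login form are all constructed in memory so the code runs offline.

```python
"""What a packet sniffer sees on a plain HTTP connection versus an HTTPS one.

Added example for this article, not code from the original post. Real sniffers
such as tcpdump or Wireshark read frames off the network interface; here two
frames (a login over HTTP, and a TLS record over HTTPS) are constructed in
memory so the example runs offline. The addresses, ports, session cookie and
login form are all made up for illustration.
"""
import socket
import struct
from urllib.parse import parse_qs

ETH_LEN = 14                      # Ethernet II header length
SENSITIVE_FIELDS = ("user", "username", "email", "pass", "password", "pin", "otp", "token")


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (no options) + payload, as a capture would show it."""
    eth = bytes.fromhex("665544332211") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # data offset 5 words, flags PSH|ACK; the TCP checksum is left zero (not verified here)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the Ethernet, IPv4 and TCP headers and return endpoints plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 6:
        raise ValueError("not TCP")
    src_ip = socket.inet_ntoa(frame[ETH_LEN + 12:ETH_LEN + 16])
    dst_ip = socket.inet_ntoa(frame[ETH_LEN + 16:ETH_LEN + 20])
    tcp = ETH_LEN + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
            "payload": frame[tcp + data_off:]}


def extract_secrets(payload: bytes) -> dict:
    """What an attacker would harvest: the host, any Cookie or Authorization header,
    and form fields that look like credentials. TLS application data yields nothing."""
    if payload[:1] == b"\x17" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return {"protocol": "TLS application data", "readable": False}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = {"protocol": "HTTP (plaintext)", "readable": True,
             "request": lines[0], "host": headers.get("host")}
    for name in ("cookie", "authorization"):
        if name in headers:
            found[name] = headers[name]
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        found["form"] = {k: v[0] for k, v in form.items() if k.lower() in SENSITIVE_FIELDS}
    return found


def sniff(frames) -> list:
    """Run every captured frame through the decoder and collect the findings."""
    results = []
    for frame in frames:
        packet = parse_frame(frame)
        results.append({"src": packet["src"], "dst": packet["dst"], **extract_secrets(packet["payload"])})
    return results


# Constructed capture: a login form posted over HTTP, then a record from an HTTPS session.
_FORM = b"username=alice&password=Hunter2%21"
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: intranet.example.local\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Cookie: session=abc123\r\nContent-Length: %d\r\n\r\n" % len(_FORM)) + _FORM
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes.fromhex("9f" * 32)   # 32 bytes of made-up ciphertext
FRAMES = [
    build_frame("192.0.2.10", "192.0.2.80", 52100, 80, HTTP_LOGIN),
    build_frame("192.0.2.10", "198.51.100.7", 52101, 443, TLS_RECORD),
]

if __name__ == "__main__":
    for finding in sniff(FRAMES):
        print(finding)
```

The HTTP frame gives up the username, password and session cookie with a few lines of parsing; the HTTPS frame gives up only that a TLS session exists between two addresses. That is the whole difference between the two padlock states in your browser, and why an open Wi-Fi network is safe enough for HTTPS sites and dangerous for anything else.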

Top Myths on Cybersecurity

Potato holding up false sign

According to Moore's Law, computing power increases at an exponential rate while its relative cost falls. As technology evolves this quickly, our knowledge of the cyber world can fall behind: security threats from a decade ago might not be relevant today, while systems that once seemed immune might now be common targets. Let's debunk some of these myths.

1. Only Windows OS is susceptible to malware

A severely outdated misconception! While Windows users remain top of the list of cyberattack victims, this does not mean other platforms are immune. In the early 2000s macOS was frequently touted as safe from malware. We would not call it "safe", merely less targeted because of its smaller share of users. Recognising this common myth, attackers have in recent years put more effort into penetrating other systems and, unsurprisingly, have breached unsuspecting victims there too.

2. Mobile phones are perfectly safe.

Completely untrue. In the early 2000s, when the ubiquitous Nokia 3310 reigned supreme, phones were not exactly 'smart'. You could play games like Snake and do a few things akin to modern smartphones, but the chips in them did not face the same vulnerabilities as the computers of that era. Today, phones are mini-computers. They contain very similar components, run full operating systems, and their software architecture is not too dissimilar from that of Windows or macOS. The most worrisome aspect is how much of our personal lives depends on phones: they hold our photos, valuable data and the login details of our social networking apps. Talk about putting all your eggs in one basket 🤔. In essence, your phone is vulnerable to the same threats, such as malware, social engineering and sniffing.

How you can protect yourself

Potato with shield

1. Use two-factor authentication on your inbox

Email is the backbone of our online life. It can be used to reset the password of almost any online service we have signed up for, and it holds messages with sensitive information. To dramatically improve the security of your inbox, turn on two-factor authentication (2FA). It adds an extra layer of security on top of your password, usually a code or one-time PIN (OTP) generated by an authenticator app on your phone or sent to your mobile number or an alternate email. An authenticator app is preferable to SMS, since text messages can be intercepted or redirected through SIM-swap fraud. For most of us who are on Gmail, you can enable this feature here. It only takes a few minutes, so go ahead and do it right now if you have not already done so.

2. Use a different password for each service

Passwords get stolen: services are breached and their password databases leak. Even if your passwords are complicated, you might make the mistake of using the same one for every service. That leaves all your accounts exposed as soon as a single service is compromised, because attackers replay leaked credentials against other sites (a technique known as credential stuffing).

Don’t feel burdened by the need to remember a gazillion passwords. Use a password manager for this. Look up the options here and pick one that suits you best. Popular ones include LastPass, Dashlane and Keeper.

3. Keep your software up to date

Most software companies regularly update their products to patch security holes and protect against current threats. Your computer will probably receive updates automatically, but it never hurts to make sure.

Check out these guides for updating Windows and Mac respectively.

Another important aspect is to keep your security software’s definitions up to date. If you’re on Windows, do a simple check by following these steps.

In the bottom right corner of your screen, look for this icon:

Windows protection updates 1

Right click on it, and then click “Check for protection updates”

Windows protection updates 2

In this window, make sure to click “Check for updates” and follow the prompts if any.

Windows protection updates 3

4. Use an encrypted messaging service

Many of us believe that confidential data shared via Facebook, Snapchat or Skype is safe. For most services, this is an illusion. The recent events in which Facebook shared users' private information with Cambridge Analytica are considered one of the largest data breaches in recent years, and they should jolt us into being more careful about how we share information. Without end-to-end encryption, your communication can be read by the service operator and, through it, tapped by government agencies or cybercriminals.

Signal ranks at the top for secure messaging and is endorsed by the whistle-blower Edward Snowden. Another popular service with encryption features is Telegram, but note that Telegram's end-to-end encryption applies only to its "secret chats"; regular and group chats are encrypted only between you and Telegram's servers. Of course, these services won't be useful if your friends and family aren't on board. Spread the knowledge and invite them to install it.

5. Search in private

Google retains your search history and uses it to profile you and target ads. That is why you get personalised search results and somewhat relevant ads whenever you use the search engine. A service like DuckDuckGo lets you search without being tracked.

DuckDuckGo

Read this article comparing the 2 search engines.


No amount of protection can keep you safe unless you remain vigilant. It is important to recognize potential threats and not fall for the tricks.

Tip #1: Always check the URL of the link you have been sent; hover over it to see where it really leads before clicking.
Tip #2: If you receive an email or message about an offer that sounds too good to be true, it probably is.
Tip #3: If you receive an email to reset your password, make sure you yourself made that request.
Tip #4: Take this quiz to see how cybersavvy you are and learn more tips!​
Tip #5: Educate yourself and your loved ones. Get Potato Pirates - Enter the Spudnet.
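The phishing advice in these two articles (learn to spot a phish, do not blindly click on links, and Tip #1 above) comes down to a handful of checks you can do by eye. Here they are as an added example, not code from the original articles: a small link inspector that flags a missing HTTPS, an '@' or raw IP hiding the real host, a look-alike or punycode domain, and link text that points somewhere other than the link itself. The sample links are constructed, and example-bank.com is an assumed, fictional domain.

```python
"""Inspect a link before you click it.

Added example for the phishing advice in this article (learn to spot a phish,
do not blindly click on links, always check the URL); it is not code from the
original post. The checks are the ones a cautious reader would do by hand:
is it HTTPS, is there an '@' or a raw IP hiding the real host, is the domain a
look-alike or punycode imitation, and does the link text match where the link
really goes. All sample links below are constructed, and example-bank.com is
an assumed, fictional bank domain.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Characters attackers substitute into domain names because they look like
# Latin letters: digits, and Cyrillic letters that render identically.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(host: str) -> str:
    """Lower-case, decode punycode (xn--) labels and fold confusable characters,
    so a look-alike domain collapses onto the name it imitates."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host.translate(CONFUSABLES)


def belongs_to(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it. Matching is on whole labels, so
    'example-bank.com.evil.net' does not belong to 'example-bank.com'."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def inspect_link(href: str, link_text: str = "", expected_domain: str = "") -> list:
    """Return human-readable warnings; an empty list means no red flag was found,
    which is not the same as proof that the link is safe."""
    warnings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        warnings.append("'@' in the URL: everything before it is a decoy, the real host comes after")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address rather than a domain name")
    except ValueError:
        pass
    try:
        if parts.port not in (None, 443):
            warnings.append(f"unusual port {parts.port}")
    except ValueError:
        warnings.append("malformed port")
    if "xn--" in host:
        warnings.append("punycode (xn--) label: possible homograph domain")

    if expected_domain:
        if belongs_to(host, expected_domain):
            pass
        elif belongs_to(skeleton(host), skeleton(expected_domain)):
            warnings.append(f"look-alike domain: {host} imitates {expected_domain}")
        elif expected_domain.lower() in host:
            warnings.append(f"{expected_domain} appears inside {host} but is not its real domain")
        else:
            warnings.append(f"expected {expected_domain} but the link goes to {host}")

    # The visible text of a link can show one address while the href points elsewhere.
    for shown in re.findall(r"https?://([^/\s:?#]+)", link_text):
        if not (belongs_to(host, shown) or belongs_to(shown, host)):
            warnings.append(f"link text shows {shown} but the link goes to {host}")
    return warnings


# Constructed samples: a genuine link followed by four classic phishing tricks.
SAMPLES = [
    ("https://www.example-bank.com/login", "https://www.example-bank.com/login", "example-bank.com"),
    ("http://example-bank.com.account-verify.net/login", "https://example-bank.com", "example-bank.com"),
    ("https://examp1e-bank.com/reset", "Reset your password", "example-bank.com"),
    ("https://example-bank.com@203.0.113.5/", "Click here", "example-bank.com"),
    ("https://" + "ex\u0430mple-bank.com".encode("idna").decode("ascii") + "/", "", "example-bank.com"),
]

if __name__ == "__main__":
    for href, text, expected in SAMPLES:
        found = inspect_link(href, text, expected)
        print(href, "->", "looks fine" if not found else "; ".join(found))
```

The `expected_domain` argument is the point of Tip #3: you know which site a password reset should come from, so compare the link against that rather than against what the email claims. The last sample is the homograph trick: a Cyrillic "а" in place of the Latin "a" looks identical on screen but is a completely different domain, and it only shows up as `xn--` once the browser converts it to punycode.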
