Uploaded by nuke

Voluntary hack and cybersecurity

advertisement
Voluntary Hack and cybersecurity
By: Andang Nugroho, CISSP
Not too long ago, still fresh in our minds, a very big Indonesian unicorn online marketplace got
hacked, and some 91 million user accounts were stolen and later offered up in a dark web. Of
course, it’s no longer a surprise, companies got hacked around the world, and accounts were stolen
from them, even LinkedIn itself had its user database plucked a few years ago. Maybe because this
one was closer to home. But what really ticked me off was the formal communication they released
shortly after, stressing that users should “change their passwords periodically to prevent further data
breaches.” There was no urgency in that message at all, nothing like “we just got hacked, change
your password NOW” it was more like it’s our job as users anyway to “periodically” change our
passwords. Correct, but totally missed the mark.
It’s a good thing that hackers only attack big corporations, right? Who am I to be hacked, right? Well,
maybe it’s because we don’t need to be hacked, we already give away our data voluntarily, no?
Voluntarily hack(ed)
Do we realize how easy it is we give our (personal) data away? Maybe at a mall entrance we were
approached by an officer of a reputable for-good-cause NGO. Fill up a form, put in your full name
here, mobile phone number there, and email address too. Help us save the earth. And we did. Other
time other place, we were offered a new huge cash-back credit card, let’s go back to our stall and
photocopy your ID, and your existing credit card, only the front side they assure you. And we gave
them our cards too.
The same is true for the Internet. Nowadays, even just to download a product brochure, we need to
fill up a form therefore giving away our full name, mobile phone number, email address, and
sometimes also information on the company we work for. Just to get a brochure, which the vendor
should supposedly be glad that we took interest in. No, they want our contacts too. Yet we did fill in
those infos. And after all these, now you want other people to protect your identity?
How about when downloading and installing apps? That’s even worse.
Look at a typical screen of app
install, where they ask for
permission to access our phone.
Contacts and audio are the usual
suspects. This example was for a
local app. When I clicked “deny” the
app continued on to install, only to
crash consistently when I tried to
run it. Apparently, it absolutely
needed the access to my contacts
and microphone. But it did not even
bother to confirm during the install
that I have allowed the access,
maybe because 9 out of 10 people
would’ve said yes anyway.
It’s good to be the odd man out, but
the majority of us are giving away
freely a bunch of information. On
us, and on our friends.
LinkedIn itself from time to time asks to access my contacts to find those that are also in LinkedIn to
reconnect me there, probably to rekindle the good old time. I have so far politely denied it, but I
know that it won’t stop asking. Nor will most of the apps we have on your phone, or the apps we are
about to install on it.
Access or excess?
There are other times where we thought we have justifiedly given access, because we really need
the apps to function. Or because we “trust” the app or its maker. This is probably where the incident
of Facebook and Cambridge Analytica in 2018 sits. As a result, though arguably, it has changed the
political scene and the lives of people in the United States, forever. I will quote an article by Lauren
Goode posted in Wired here, also written in 2018, that still rings true. A powerful note from that
article is that although access granting mechanism has improved for apps, “it’s not enough to match
the sophistication of the data-gathering technology that now surrounds us.” Our data is continuously
being harvested, and almost everything is up for grab: our contacts, calendar, messages, location,
installed apps list, and most of the hardware too: speaker and mics, camera, storage, Bluetooth,
even phone orientation and screen on and off state. Talking about excess.
There have been reported incidents where a peer-to-peer lending app sent messages and harassed
the contacts it found on its late-paying client on the condition of their friend and asked them to
assist on payment. This really happens, one such incident is reported here. Typical peer-to-peer apps
are also able to detect how many other similar apps have been installed on the prospective client’s
phone to decide on whether to disburse loan or not. The extent of access given by users are
staggering, and awareness needs to be built around this to protect us, users.
Some tightening help is coming
OK, now let’s start to limit access. Of course, there is an
option to allow app access only while we are using the app.
Now location service is probably the most abused
information the apps clamor for, either needed or not, as
long as we allow them to.
But what defines “while using app?” If we swipe away the
app from screen but it is still running in the background,
can it still access my location? Turns out there is a separate
set for “enable background location” capability. If this is
turned on, the app just needs to start in the foreground,
then keeps the right to track location although it is running
invisibly from the screen. Isn’t in virtually the same as
always?
Well, starting in IOS 13 Apple is tightening this right, removing the option “Always” and introducing
“Allow Once” which, like it reads, would allow access only once, for that session only. Next time the
app runs, it would have to re-request this right. IOS also keeps track of which apps are frequently
getting the phone location, and periodically prompts us whether this right needs to change for the
said app. Also, starting in IOS13, Bluetooth function usage needs further permission. All is good stuff.
In an almost like concerted act, Google is also getting tighter for location services with the release of
Android 10.
So we are taking better control. Information is still seeping out of our mobile phone daily, but at
least we know better what is, and can prevent ones that we really don’t want to. Still a long way to
go, though. Better control is needed for other data too, commonly asked by apps.
Back to the hack
Yes, back to the online marketplace hack we started this with. News said that user passwords were
leaked but in hashed format. Still a considerable work to break and use them. Only user information
like customer name, userid, email address, mobile phone number, etc were in clear text. Nothing
that we don’t regularly leak ourselves, right? Another day another hack, we might not be so lucky.
And that day that hack WILL eventually come, so we need to prepare.
We really should start to be more aware, more secure. Really read what information we are
surrendering when installing a new app, is it really worth it? I have now balked away from many new
and good apps because they asked for too much. I can do without them, and almost always I found
similar alternatives with better compromise in that matter.
But it really is the passwords we need to take control. Using 2FA (2-factor authentication) helps
security tremendously. Now hacker would have to steal both authentication means to really own our
accounts. Add in a salt factor like time-based authentication, then it would be exponentially more
difficult. I now use 2FA whenever possible.
Turns out that our online marketplace has had this feature for as long as I can remember. I just can’t
figure out why in the picture below, Google Authenticator still has a “NEW” label on it. There is even
a 2018 Youtube video posted by “HendriTV” here that shows how to use Google Authenticator for
the site. Maybe the label is just there as incentive to users to enable it, since it is a “new” feature.
Anyway, users DO need to enable it NOW to have better security.
Just one more thing to add. Since Google Authenticator is used as an additional factor, it is wise to
install it on a different phone. I am carrying two phones, one Android and one IOS, both have Google
Authenticator installed. To authenticate apps installed on Android, I use the Google Authenticator
on the iphone. And vice versa. All we need to do is to avoid both phones stolen at the same time.
But then there is the screenlock on both, that rely on my biometrics. I think I’m good there.
Is Google Authenticator itself safe? Not completely, read this article in Trusted Review by Hannah
Davies here, written as recent as two months ago. But, as that article said, exploitation of that
vulnerability is “yet to be detected in a real-world attack.” I just updated my Authenticator last week,
so probably that’s the cure. Hopefully.
Well, security is a rat rate. A moving target. Just don’t let us to be the rat, or the target.
https://www.linkedin.com/pulse/voluntary-hack-cybersecurity-andang-nugroho-cissp
Download