Internet security is everyone's business
About a month ago, a friend of mine revealed that his bank account had been compromised and that an unknown person or persons had conducted a foreign telegraphic transfer to wire a significant amount of cash he had deposited in one of the country's leading banks into a foreign account.
My heart went out to him as he had no inkling as to what had happened until he went to the bank last month to conduct some ATM transactions. As things unfolded, he discovered that some people almost cleaned out his account and the bank is now unwilling to cover his liabilities.
Admittedly, the whole turn of events was quite intricately conducted and is still a little fuzzy in my mind. But the one thing that hit me about this unfortunate turn of events was that my friend was adamant that no one had known his username and password to his Internet banking account, and consequently, no one should have been able to transact without his knowledge, or so he thought.
I then revealed to him the existence of malware known as keystroke loggers, which are programs that are designed to stealthily infiltrate a person's computer with the aim of stealing confidential keystrokes made by unsuspecting users. He was, unfortunately, quite surprised at the existence of such programs.
As I kept up with the tech news over the past two weeks, I paid special attention notably to what security researchers were revealing at the recently concluded Black Hat Conference held in Las Vegas from July 25 to 30.
Among those reports that generated great interest was the revelation of how security in the mega-popular Apple iphone can be compromised. According to tech portal V3, researchers found they could take complete control of the device and use it to hijack other devices by merely sending the right code via SMS to the phone. The only way to stop it is to shut the phone down completely.
Another noteworthy one, says V3, was the revelation that the Secure Socket Layer (SSL) security could now be subverted using a process known as a "man in the middle" attack. The scary thing about it is that SSL is what persuades millions of Internet users to hand over their credit card details and engage in e-commerce on the browser interface.
Yet another one was how software updates can be hijacked by using a Wi-Fi connection to detect computers looking for the updates. Hackers then jump onto the signal and tell the user that there is a code ready for upload (even if no updates are needed) and instead inject malware onto the target computer. It's an especially scary attack because patch management is vital for secure computing.
Mulling over it the past week, I realized that there's just no escaping the eerie world of hacking. So unless you're prepared to be a "cyber-monk" living in a "cyber monastery", and dedicating yourself to "cyber asceticism", all of us should try and do something about this.
As sympathetic as I am to my friend who suffered losses, and if he did indeed have his password stolen inadvertently without his knowledge, he might have needlessly suffered losses. I believe that had he known about such malware as keystroke loggers, then he might have been more wary of such methods to steal his money and consequently be more careful about his online activities.
So the first thing that everyone must do in this increasingly cyber-driven world, is to get educated. No longer can anyone of us--tech-savvy or otherwise--say we've no clue about these kinds of issues, or that it's too complicated for us to learn.
After all, many of us would not think twice to learn more about our hobbies or things that we like, and yet, we turn a blind eye to technology issues. If we are to survive smartly in this cyber world, we cannot afford to have this attitude any longer.
In this respect, Malaysia is lucky in that it had the foresight and vision to establish not-for-profit organizations such as CyberSecurity Malaysia. Evolving from what was previously known as the National ICT Security and Response Center (Niser), the organization now coordinates all ICT security response on the national level for the country. Not many know this but Cybersecurity has some valuable resources that Joe Public can benefit from.
Another thing that can be done is that the industry, particularly security players, government ministries and not-for-profit agencies, should come together and hatch better educational and awareness programs for Joe Public.
In doing so, vendors have to ensure that the first goal on their agenda is to educate commoners of the threats and traps hackers use without pushing their respective products and services onto would-be paranoid Internet users. And while they are at it, they must do so in layman terms, minus all the jargon and intricacies that will inevitably scare techno-phobics away.
Finally, we journalists too have a part to play. In the stories that we cover, we need to be sensitive to what our readers should know so that we can, to a certain extent, tailor our stories and educate them accordingly. And that's what I hope I've done with this posting--kick off something for all to think about and hopefully continue the task to educate the public at large.