
When bad advice comes from good people

What happens when a government agency tasked with providing cybersecurity “guidance” and “expertise” gives you advice like “avoid uploading pictures of yourself to avoid the threat of black magic”?

And then goes into damage control, claiming that it “was just a casual remark and did not represent the federal agency’s official position on the matter”, only to follow up with more ridiculous advice like “passwords should be changed constantly to prevent identity theft and hacking”.

Sometimes I sigh so often my wife gets worried—or annoyed, maybe both 🙂

First off, you know my view on black magic, and for an agency under MOSTI to make such an anti-science remark is just appalling. Secondly, from a security point of view, changing passwords regularly doesn’t help; it causes more harm than good by encouraging users to pick easy-to-remember passwords that they transform slightly after every iteration. Think superman123, then superman456, etc.

In fact, research from Microsoft suggests that changing your passwords regularly isn’t worth the effort, and the best one can do is use a password manager, which allows you to have passwords that are both unique and hard to remember across all the online services you use.
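The two points above (rotation just produces superman123 → superman456, and a manager lets you hold a unique random password per service) are easy to make concrete. The following Python is an added example written for this post, not code from the original or from any agency: a password-change check that rejects trivial variations of the previous password (case changes, appended or incremented digits and symbols, leet substitutions, reversal, one or two edited characters), next to a generator for the kind of random password a manager would store. The function names, the leet table and the similarity threshold are my own choices.

```python
import re
import secrets
import string

# Users bolt digits/symbols onto the ends at each rotation, so strip them:
# leading digits ("2016superman") and any trailing non-letters ("superman123!").
_LEADING_DIGITS = re.compile(r"^\d+")
_TRAILING_NONALPHA = re.compile(r"[^a-zA-Z]+$")
# Common "leet" substitutions (assumed table, not from the post): sup3rm4n -> superman.
_LEET = str.maketrans("4310$@5", "aeiosas")


def core(password: str) -> str:
    """Normalised alphabetic core of a password: superman123 -> superman,
    sup3rm4n2016 -> superman, $uperman! -> superman."""
    s = _LEADING_DIGITS.sub("", password)
    s = _TRAILING_NONALPHA.sub("", s)
    return s.translate(_LEET).lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the old password with only cosmetic changes.

    An exact-string history check lets superman456 through after superman123;
    comparing normalised cores does not."""
    if new.lower() == old.lower():
        return True
    c_old, c_new = core(old), core(new)
    if not c_old or not c_new:
        # Purely numeric/symbolic passwords: nothing to compare here.
        # A separate length/complexity rule should reject those.
        return False
    if c_new == c_old or c_new == c_old[::-1]:
        return True
    return _edit_distance(c_old, c_new) <= max_edits


_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 20) -> str:
    """Random password drawn with the `secrets` CSPRNG, containing at least
    one character from each class; this is what a manager stores per site."""
    alphabet = "".join(_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in _CLASSES):
            return candidate


if __name__ == "__main__":
    old = "superman123"
    for new in ("superman456", "Superman123!", "sup3rm4n2016", "namrepus789",
                "supermen99", "correct-horse-battery"):
        verdict = "REJECT" if is_trivial_variation(old, new) else "accept"
        print(f"{old} -> {new}: {verdict}")
    print("manager-style password:", generate_password())
```

Run it and every rotation-style change of superman123 is rejected while an unrelated passphrase is accepted; the generated passwords are unique per call and carry no relationship to anything the user has used before, which is exactly the property that makes rotation pointless when a manager is in use.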

The fact that the head of CyberSecurity Malaysia is giving advice that most people in the security community consider obsolete doesn’t exactly calm your nerves.

In the same piece, he goes on to say that threats in Malaysia are under control and that we’ve not had cyber-attacks on us similar to those on countries like Estonia.

I’m not saying we’re under severe threat, but Estonia and South Korea aren’t exactly equivalents here. Firstly, Estonia has Russia and South Korea has North Korea: both countries in his example have hated enemies with proven cyberwar abilities on their borders. Malaysia, on the other hand, doesn’t have such heated animosity in our region, and no one in our region has yet demonstrated cyberwar capabilities.

And secondly, even without hated enemies on our borders, we have been under attack by Advanced Persistent Threats (APTs), including the recent APT30 who were spying on us for 10 years. Not forgetting Regin, possibly the most advanced APT the world has ever seen, whose victims have included those in Malaysia.

And while government infrastructure ‘might’ never have been attacked, Malaysia’s TLD owner, MYNIC, has been hacked (twice) by hackers claiming to be from Bangladesh, who on both occasions redirected users hoping to reach the Google Malaysia homepage.

We’ve had foreign criminals come into our country to rob our ATMs with malware, and we’ve exported our own criminals to countries like Singapore where they were caught installing ATM skimmers.

On a more global scale, we’ve had a foreign student at Lim Kok Wing hack into several systems in the US, only for him to be caught and extradited for aiding ISIS. (ISIS!!)

And finally, Stuxnet, the world’s first cyber-weapon ever deployed, actually had some of its command and control infrastructure deployed on Malaysian IPs. Let me reiterate that last sentence (just in case its importance has been lost on you): the US and Israelis got together to build a cyberweapon to target Iranian nuclear facilities, and decided to host some of the command and control servers in Malaysia... interesting, isn’t it?

The New York Times also reported that the North Korean attack on Sony Pictures most likely originated from North Korean hackers who favored internet connections in Malaysia. Apparently we’re at the center of everything!!

Overall, these incidents give a more realistic indication of where we stand than a simplified comparison with Estonia and South Korea. True, we’ve never been the target of a cyber-attack, but we’ve been indirectly affected by and involved in sophisticated global attacks.

At the end of the day, you need to define the security you wish to achieve against the attacker you have to defend from. Earlier this year, Kevin Roose, a reporter with Fusion, invited two hackers to hack him–and boy did he suffer. One hacker mentioned that he could easily have made Kevin bankrupt if he were so inclined, while another managed to lock him out of his telco account with nothing more than a phone call.

Bad-ass hackers (otherwise known as black hats) can hack just about anybody they want, in the same way that trained martial artists can beat up whoever they choose (except, of course, other trained martial artists). The point is that worrying about being completely hacked by professional hackers is like worrying about getting beaten up by a martial artist–it rarely (if ever) happens, and there’s not much you can do about it.

And the question I commonly get is: how do we avoid being spied on by the government? The common answers are to use things like Tails, VPNs, Ubuntu, or good anti-virus software. All of these, while good for security, don’t make you invulnerable; they merely make it more difficult, and if the government hired a couple of black hats, there would be nothing you could do anyway. Much like if the government hired a UFC champion to beat you up, there’s no advice anyone can give (other than run away) that would help you address that challenge.

But running away on the internet isn’t plausible; asking people to stop using Twitter, Google, Wikipedia and Facebook just to avoid government surveillance is quite impractical.

So is there any light at the end of the tunnel–well, yes and no. The good news about these black hat hackers is that they’re highly specialized and highly targeted; it’s not a method that scales well to thousands or even hundreds of people. At most only a handful of people would be susceptible at any one time, and unless you feature in the top 50 Malaysians the government wants to spy on, you don’t have anything to worry about–at least not yet anyway.

The take-away is that if you truly want to be secure you need to arm yourself with the proper skills, and before you can learn to do a spinning heel kick, you need to learn how to wax-on wax-off.