By Annette Chrysostomou
Yahoo has revealed only now, after a huge delay, that in August 2013 more than one billion of their user accounts were hacked into.
Cyber-hacking is an international phenomenon which last week raised its ugly – and often hidden – head in Cyprus, when two well-known electronic supply shops, Stephanis and Bionic, were forced to pay ransoms to avoid facing unspecified operational problems after cyber-hackers attacked and locked down their software systems.
Security expert Dino Pastos, who headed the negotiation over the ransom the hackers demanded from Stephanis, shared his knowledge of hacking with the Sunday Mail this week.
The biggest issue, he stressed, is passwords.
“Most people use the same password for everything, or at least use it more than once,” he said. “When you use the same password for your email and social media like Facebook or Linkedin you are very vulnerable. And this goes for millions of people.”
There are other problems with passwords. “More than 50 per cent of all users use their birthday or their ID, and those who think they might forget it often write it on a piece of paper and stick it on the monitor,” Pastos added.
Forgetfulness is a big issue, so even where people have multiple passwords they tend to either write them all down, or, arguably worse, store them on the computer they use.
“A password should never be saved on the same machine the user works on,” Pastos warned.
Aris Savva, 27, an ethical hacker who specialises in hacking in order to test or evaluate a computer network’s security, agrees on the importance of a good password.
The safest thing people can do, Savva says, is use a 16-character password with numbers, symbols and some letters in capitals, which may take up to five years to crack. But if someone is specifically targeting you, it will take much less time.
Another solution, though not a perfect one, is to use a password manager, a software application or hardware device that helps a user store and organise passwords. Password managers usually store passwords encrypted, requiring the user to create a master password, a single, ideally very strong password which grants the user access to their entire password database.
But Pastos wants to pass on the message that nothing is a perfect protection, as there is always the human factor. “There is no software that hasn’t been hacked,” he said.
Therefore, the first thing that needs to be done is to change people’s mindset so they understand the seriousness of the situation. This requires more openness. Yahoo, for example, probably didn’t want to disclose the hacking because immediately after it became public there were widespread fears that the new disclosure would adversely affect the planned acquisition of Yahoo by Verizon with a price tag of $4.83 billion. Verizon declared that they “will examine the new development, before reaching any final conclusions”.
For every five physical attacks there are 500 cyberattacks, and the numbers are growing. “The attackers will always be better than those enforcing the law, because they are more motivated. Hackers are almost never caught.”
Pastos explained that hackers can operate from anywhere. The hackers of Stephanis, for example, were Russians. The money they demanded was paid in Bitcoins, an untraceable currency. They had demanded 20 Bitcoins (14,200 euros) but Pastos negotiated them down to 15 Bitcoins (10,650 euros).
Although big companies like this back up all their files in a secure location, they often pay the ransom as the recovery process is considered too time consuming and expensive.
Pastos fears that there will be much bigger attacks in future, on the government, power companies, public transport system or hospitals. Hospitals are just one example where the hacking would most likely not be made public, because who would trust a clinic knowing that their private health file is in the hands of hackers?
Yet people don’t take security seriously. “It is a bit like health. When you have it, you don’t worry about it. People don’t understand what is happening and they rely on their devices blindly,” he commented, adding that people are prone to act on disasters and don’t take pre-emptive measures.
We are now in more danger than ever, as we have everything in our pocket. Phones have two cameras, a microphone and sensors, and a GPS, and “can even tell if you are turning right or left.”
Many users, especially at work, either don’t care whether their company gets hacked or trust their company to have back-ups and a firewall, both of which are more problematic than the public is aware of.
A firewall monitors and controls incoming and outgoing network traffic. But people tend to inadvertently invite the hackers in. There is piracy, as many download movies for free or use unlicensed software to avoid paying the licence fee, all of which hackers can take advantage of.
And, once so many people do it, more follow suit. Governments, as we can see in Cyprus, don’t do much to enforce existing laws.
Even those who think they follow the rules may invite viruses by clicking on links that look innocent but have been created by hackers.
What about back-up? “Many times people never check if it actually works,” the security expert said, “they never check if they can actually restore the information. Also, the back-up should never be in the same machine. It needs to be sent to a remote location or a hard drive.”
When they are in trouble, individual users often ask the wrong experts for advice. “It is wrong to ask someone because they are ‘good with computers’ or IT people. That is not security,” he warns.
Dino Pastos at [email protected] or 99-463940