Let us take a step back and understand how digital is impacting our lives. We are becoming increasingly dependent on digital. Today, literally every person has a parallel digital avatar or identity. If you recall, in the corporate world 10 years back, digital was only about office automation, installing an ERP software or a tally, or install a printer, so that things could be formatted better, few things became more time and cost efficient but that was the extent. We could see the impact of this with the rise of TCS or a Wipro. These companies were primarily building enterprise software to automate something what was manual. Automation was the key objective.
For the last five years there has seen a significant change. Going digital isn't office automation anymore. It is now actually enhancing customer experience and providing competitive advantage across all sectors and companies. Even for an offline product, for example — retail stores. You can now walk in and customise your entire experience. You can take a selfie and try on a dress. This was never thought about before.
There is a massive dependence of people on technology and digital. People are now moving from being passively involved with digital to being actively involved. Since this transition is happening, hacks are getting sophisticated too. Hacks which were previously on the passive side are now being attempted on the active side.
For example, if a large e-commerce company gets hacked for just 10 seconds, it’s a direct balance sheet impact and a reputational loss, which is the more of an intangible impact.
Saket Modi, co-founder and CEO of Lucideus, an IT Risk Assessment and Digital securities provider gave us more information about online threats in this new-age internet world.
"We are evolving from passive usage and moving on to active use of digital transactions. Today we do almost everything online — from banking to social media and even online dating," he said.
"And the dating apps that we are talking about here are not the Tinders of the world, which are still acceptable to the society. We are talking about the grey side of our internet activities — online stuff we do in our bedrooms and in private. We speak on the likes of AdultFriendFinder, Ashley Madison, and a few too many adult entertainment and dating websites like these. In a way, we use these “adult” services against the moral ethos of the society and seeing the number of people registered in such apps, it clearly shows the interests amongst people. FriendFinder Networks says it has more than 600 million registered users across some 40,000 websites in its network," he continued.
Due to the transformation of passive to active in digital, both in commercial as well as personal space, hacks have started to happen on the active space of digital, both commercially and personally. The meaning of “hack” is soon changing.
Previously hack meant being attacked by viruses or some cartoon figures dancing on your screen, or probably files automatically duplicating itself, and alike. Other form of hacking also meant stealing of debit card or credit card details apart from the data also being leaked on the internet.
Till then, hacks still had an impact to the financial side of one’s life or a business, but the impact of hacks are shifting to the ‘trust side’ where hackers are trying to penetrate into the part of your life, which can hurt you the most even more than your bank account being hacked. Identity theft, privacy invasion and being digitally held captive are some examples.
"Today we have started depending and using Internet without even knowing what it actually is. Let’s take the example of Snapchat. A large number of people use it to send intimate photographs of themselves. The key utility of Snapchat over WhatsApp and why it scores more over the other is that pictures or messages (sensitive information) disappear within a pre-set time, but what people do not realise is, it stays on the Snapchat servers, probably forever," said Modi.
"This is a huge problem and people have started using the Internet and are dependent on it. They have started sharing their personal and most intimate experiences, things about their sex lives via both dating and normal apps. Do you remember the Apple iCloud breach? The hack was not because it was a dating app, but a gold mine of intimate pictures of celebrities, which were found, backed up online by the celebrities themselves. Technology has become an extension of your own identity and people trust it without knowing the pros and cons.
Coming back to the question, reason why hackers are shifting their attention to dating websites is that the target is most vulnerable in such places. It’s about hunting for the most delicate part of the target and it is their own self, their intimate memories in the digital. And majority of these ‘intimate digital lives’ exist on websites like AdultFriendFinder or Ashley Madison. That’s were a hacker finds his gold mine, where he can extort the user for his nude pics," he continued.
So what are kind of information are hackers mining for?
"That is the beauty of data — data is like crude oil. It is on your intelligence what you make out of it. Data by itself is dead but it comes to life if you apply the right kind of science to it. Essentially the hackers are looking at raw and real data, which they can use to extort money, potentially damage the reputation or the personal life of a person. And the funny part is most of these websites take money from you to delete your account. But the recent infamous hacks show that the accounts which were paid to be deleted still exist on the database.
This data can be used by hackers to extort not only money, but do multiple other things with it — exactly — like crude oil," explains Modi.
What next? Modi had more to say.
"Let’s first understand what happens with data once it is with a hacker. The hackermight have a completely different intention when scouting for information online. There's a good chance that someone hacked into AdultFriendFinder with a different set of motive, where according to the hacker he might have had the right intention. However, the moment he spills the leaked information online, that’s when common people can use it, hackers can tamper it and rogues can do multiple things with it."
"People send panic emails to the breached websites, requesting to delete the accounts which could cause personal issues to them. But what people do not realise is that there is not one copy of the master database. The moment a hacker dumps it on the internet there are hundreds of copies made within seconds, and are distributed around the world."
"There are multiple hazards possible here. For example, the hacker can call the user and tell — “I know the number of hook-ups you have done in the past six months, based on data from AdultFriendFinder and if you don’t give me “X” amount of money, I will share the information with your wife,' highlights Modi"
During the interaction with Saket Modi, he went on to give us some more information on our queries. With regards to generic questions that users could have to ensure online privacy and security, here are his expert opinions:
DC: What are the security flaws in such websites? How do you help?
SM: It is important to understand that all web applications are same, there is technically no difference between a dating website compared to any other social media website. Application layers on any website by itself, has multiple possible vulnerabilities. At the application layer, the 10 most popular vulnerabilities are called OWASP TOP 10. OWASP is a body which releases the top 10 vulnerabilities every year, showing the top 10 ways to hack into a website.
Lucideus as a company works with multiple large companies to assess their web applications and while doing so we refer to the OWASP TOP 10 vulnerabilities along with our own set of vulnerabilities that we test and the list is long. Similarly, the second stack is the infrastructure stack and this layer, we go ahead and provide multiple forms of security assessment. In a website, what you talk to is called a socket, which is basically an IP + port. For example, if you have to visit Facebook.com, there is nothing called "Facebook" that exists on the Internet — it's only an IP address that exists, in the world of Internet.
First you go to a DNS server where your machine asks for the IP addresses of Facebook. Once you have that, your IP address will directly try to connect to the IP address which belongs to Facebook. Once you reach a server, with an IP address, you need a port number where the data packet needs to go to. The reason why this is explained is — every open port has a service (software) that is running behind an open port. Generally how it happens is — a packet came, entered the IP and went to a certain port, behind which there is a service running. Now services are exploitable. There are multiple types of web services, popular ones being “Apache”, "TOMCAT" etc. There are multiple zero day exploits released in the past which make these services vulnerable. These are publicly available in websites like “exploit-db.com”, where if you simply search the name of your web service, you will find multiple exploits pluggable with your web service.
Then the entire server is running an OS, which will also have multiple vulnerabilities. Similarly there are multiple types of exploits that we try to penetrate and test our customer's web spaces from.
DC: To what extent can we be assured of about our privacy over the internet?
SM: You can be as sure of your privacy over the internet as in the physical world. That means there is nothing called 100% privacy. But does that mean we stop using the Internet, absolutely not! It's time to use the Internet more intelligently and with more awareness. It is important to understand how internet works and use it then.
DC: From an organisation perspective, how can such security flaws be patched?
SM: From an organisational perspective, there are multiple things that needs to be done. First and foremost being, having the right understanding of why cybersecurity is important at the top management. As long as cybersecurity is seen as a cost centre and something that is just a line item in the CFO’s expense sheet, it will never ever be taken seriously. It needs to be seen as something which is aligned with the company’s IT objective, which in today’s age has to be aligned with the business objectives.
We are at an era where companies like Sony, Target and Ashley Madison have fired their CEOs because of hacks, even after spending millions of dollars on cybersecurity. Therefore, it has to start from the top. If the top management doesn’t care about it, there will be no budgets, if there are no budgets there will not be a good internal team to assess the security and till the time the internal team is not strong, it will not be able to hire the right external team or buy the right tools or resources and give the right report of the organisation's current security stature.
DC: From a user's perspective, what security tips would you suggest?
SM: We can give you a list of basic technical tips like: (a) Use an incognito window while visiting websites like AdultFriendFinder, which is potentially very impactful to your privacy. (b) Use a VPN tunnel. (c) Use two-factor authentication wherever possible. (d) Whenever you enter your password or any other form of credentials, no matter what, it should have a green icon on the top-left which says “https”, and is not striked-out. (e) Make sure your OS and antivirus is updated with the latest version that is available.
However, even after ensuring all of this, you can still be hacked. The super mantra that we will share here is — always uses the Internet believing that it is totally ‘hackable’. It is not a technical solution, but the moment you can do this, you will be more careful and aware of what you are doing.
DC: Should one create a temporary ID/login for such type of online use so that one can prevent being hacked completely?
SM: It’s just not for this, for most of the things you do online, you should never use the same id or password. For example you can use PasswordManager, KeyChain for Apple and LastPass, basically it lets you integrate a lot of passwords and you just have to remember just one password.
DC: If my data/info from these websites is leaked, since the servers are overseas, how can I sue the hacked website being in India? Whom do I approach?
SM: There is absolutely nothing that you can do. It does not fall in our jurisdiction. However, the only way you can go about is to approach the International Court, which by itself is a very lengthy process.
Lucideus is an IT Risk Assessment and Digital Security Services provider. It’s a trusted standard for companies that need to protect their brands, businesses and dignity from debilitating cyber attacks. They build and deliver information security platforms and services, both generic and customised to pro actively secure, continuously monitor and reactively respond to cyber threats to your company's technology stack. Their objective is quantify digital risk to inculcate a knowledge-based culture of safe and secure use of technology, such that risk becomes an informed business decision leading to minimal disruptions to your business and life.