FBC Board Member Viivi Avellan interviewed cybersecurity expert Mikko Niemelä

Tips for cybersecurity

In the second week of April, the majority of us in Singapore continued working. But instead of working in the office, we continued our tasks remotely from home. Some of us started to use Zoom, Meets, or other applications for the first time. All this communication would not have been this easy 20 years ago – but with this number of devices, applications, and connections, we are also more vulnerable to all kinds of problems, and one issue is uninvited guests: hackers. They can approach us via phone calls, emails, or other ways we couldn’t even imagine.

I decided to put some questions to the Finnish cybersecurity expert Mikko Niemelä. Niemelä is the CEO of Cyber Intelligence House, a cyber intelligence agency that he established in Singapore in 2015 to help organizations and individuals detect and monitor their cyber exposure. He is also the Founder of Silverskin, a cyberattack company he established to help organizations test and improve their cyber resilience. So I felt Mikko could give me some detailed answers.

We started the discussion with WiFi.

During these Covid-19 times, people are using several devices via WiFi. Are there some issues we should take into consideration while using WiFi at home? Mikko says our home WiFis are generally safe, but not extremely safe.

The risk that comes with WiFi is that someone else can listen to your network traffic and potentially infiltrate your systems. Your home office's network security depends on what other devices are using it. If you have a smart TV or a video streaming box or any device that is connected to the internet, you are at a greater risk. These devices usually develop weaknesses over time and they can be exploited by hackers. If hackers get access to your devices, they also have access to your network.

Oh! So what should we do?

To be extra safe, you can separate the network that you use for your work laptops and the network that is used by other home devices.

The most popular way to take part in meetings from home is by using a video conference platform. Are there some actions we should avoid?

”First of all, you can’t be sure if the video is being recorded or not, so think about the content that you’re sharing: what kind of information is okay to share through video and what should be communicated through other channels. Calls through Signal or WhatsApp are generally safe, and more confidential matters can be discussed without video. Recorded videos might end up online, so keeping that in mind helps in deciding what to share. Some people prefer covering the camera. That is, at least, a certain way to block the camera from recording video. However, it doesn’t block audio.”

Can I ask you what video platform you use?

I like to use Jitsi Meet for video or calls as it’s designed with security in mind, doesn’t require you to create an account, and works with all browsers and platforms. It’s also very quick in terms of setting up a chat room that your friends can join, and you can later protect it with a password.

Besides video calls, we do send a lot of messages. Which messaging platforms are the safest?

Telegram and WeChat are known to store all the data they process. WhatsApp is end-to-end encrypted, however, taking a backup of your WhatsApp messages exposes them to third parties. Signal is recommended by security experts, and I use it as well. Jitsi Meet & Signal are my choices when I get to choose the software.

Which are the main things offices have to take into consideration to protect their data?

Not much of companies’ data actually resides in the office. Typically the most valuable data is stored inside a printer; sometimes companies have a server that acts as data storage. Generally speaking, you can use the same security design for your office as you would use for a cafe. People are using their laptops and connecting to external services somewhere in the cloud. If you have local ICT assets such as file servers, etc., in the network, then it gets more complicated. The first rule is not to allow any guest devices (including your employees’ personal devices) to connect to the same network. They should be using a guest network. In the future, we’ll see more security architectures where people treat every network as an untrusted network/public network. That means the focus should be on securing endpoints (laptops, mobile devices…), having antivirus protection, using strong passwords, etc.

What should we take into consideration when we’re setting passwords?

You should have a different password for every account you have. That’s the only true protection you can influence yourself regarding external systems. Beyond that, it is up to the owner of the system how well you protect your data.

That sounds too much work! How on earth can I remember all those hundreds of passwords?

Password managers are extremely useful when you have multiple passwords, and you can’t remember them all. If you are concerned about their level of security, given that nearly all of them have been hacked, a poem or a shopping list would serve well as a password. It would do a better job in minimizing the chances of being hacked than the typically-advised uppercase and special character tweaks.

I have received an increasing number of weird calls during the Circuit Breaker. How can we recognize a scam call?

Because people work remotely, they have fewer chances of verifying the origins of an email or a call. People get used to deciding by themselves whether something looks fishy or not and don’t involve others in the organization. These impersonating calls might ask for your particulars, such as confidential personal data. If you suspect them to be hackers or scammers, you can turn the question upside down and ask them about your information. Legitimate callers should have your profile and information about you. Also remember that there are not many times when people are requesting any personal information over the phone. Also, the simple question “How do I know you are legit?” is a good question to ask. You can give them a wrong date of birth or other information that they should know and see if they say it’s not correct.

Now we do our shopping online. What are the main issues we should take into consideration when ordering online with our credit cards?

First of all, you should be able to verify that the vendor is real and not a scammer. Companies that ask for your credit card directly and do not offer third-party payments such as PayPal, Google Pay or Apple Pay are suspicious. You can usually use third-party payment methods, so you don’t need to share your credit card details with the vendor. Also, never use your debit card online. When money is taken directly from your account, you can’t get it back. With credit cards, there’s a better chance you’ll be able to cancel the transaction and report fraud.

And then after we have finished shopping, those items will be delivered to us. It looks like there are some scam messages in the last-mile delivery services: they say ”track your parcel” and then suddenly ask for some small amount of money for the delivery service. Is there any trick that helps us recognize a fake message about a delivered parcel?

This sounds like a well-crafted phishing email. If a ”track your parcel” link asks you to log in or give any information or money, it’s most likely fake. All reputable couriers provide tracking without setting up an account. If you are staying at home anyway, maybe there’s less need to track your parcels during this pandemic.

I have heard some people saying, ”put your mobile into airplane mode so that nobody can listen to us”. Is there any truth in that?

Malicious apps or malware can record your actions and sounds through your phone. It is very unlikely to happen, but it’s still possible. Airplane mode deactivates network traffic so the data can’t be transferred. However, recording can still happen.

Back to the Covid-19 scene. Several countries have created tracing applications for citizens due to Covid-19. How do these tracing apps work?

I think Singapore was the first country to publish a personal tracing app and its software code. From that, we can learn that the modus operandi of these applications is to use Bluetooth to detect other devices that have the same app (and it’s on). When they detect another device, they will exchange tokens, which are identification codes. If someone gets infected, they can upload all tokens collected to a government service. By using those tokens, government employees will receive phone numbers of the users who have exchanged tokens and also the timestamps of when it happened. That helps them in tracing by speeding up the process of contacting other people involved. And yes, a lot of privacy issues have been discussed around this topic. Still, in general, you are giving other people your contact details for tracing purposes by using this application.
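To make the token exchange Mikko describes concrete, here is a small Python model added for this article (it is not code from any real tracing app or from Cyber Intelligence House): phones that meet swap random tokens plus a timestamp, and only the service that issued the tokens can resolve them back to phone numbers. The names, phone labels and timestamps are constructed.

```python
# Toy model of the token-exchange tracing scheme Mikko describes.
# Constructed for illustration only; it is not the code of any real tracing app.
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    """A phone running the tracing app. Phone labels here are constructed."""
    phone: str
    token: str = field(default_factory=lambda: secrets.token_hex(8))
    # tokens received from nearby devices, with the time of the encounter
    seen: list = field(default_factory=list)

    def exchange(self, other: "Device", timestamp: str) -> None:
        # Both devices record the other's token; phone numbers never leave the phone.
        self.seen.append((other.token, timestamp))
        other.seen.append((self.token, timestamp))


class HealthService:
    """The government service that issued the tokens and can map them back to users."""

    def __init__(self, devices: list) -> None:
        # Only the issuer holds the token -> phone mapping.
        self.registry = {d.token: d.phone for d in devices}

    def contacts_for(self, uploaded: list) -> list:
        # An infected user uploads the tokens their phone collected; the service
        # resolves each one to a phone number and the encounter time.
        return sorted(
            (self.registry[tok], ts) for tok, ts in uploaded if tok in self.registry
        )


def run_scenario() -> list:
    alice, bob, carol = Device("phone-alice"), Device("phone-bob"), Device("phone-carol")
    service = HealthService([alice, bob, carol])
    alice.exchange(bob, "2020-04-06T09:15")   # Alice and Bob were near each other
    bob.exchange(carol, "2020-04-06T12:40")   # later, Bob and Carol
    # Bob tests positive and uploads the tokens collected by his phone.
    # Alice's encounter with Bob stays on her device until she uploads herself.
    return service.contacts_for(bob.seen)


if __name__ == "__main__":
    for phone, when in run_scenario():
        print(f"contact {phone} at {when}")
```

The model also shows the privacy point in the answer: other users only ever see opaque tokens, while the issuing service learns the contacts, and the encounter times, of anyone who uploads.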

Some people are sceptical about these tracing applications. For me it is challenging to understand how this application works. I want to do my part to help the Singaporean health officers track the virus, so I have downloaded it. Stay safe!

Viivi Avellan, Innovation House Singapore

Who is Mikko Niemelä?

– Chief Executive Officer, Cyber Intelligence House

– Consultant to the United Nations Office on Drugs and Crime (leading its darknet research team)

– Member of Interpol working group on Darknet and Cryptocurrencies

– Teaching at the National University of Singapore (NUS) Business School

– Researcher at Singapore Management University

– Founder of cyberattack company Silverskin

www.mikkoniemela.com