How to Avoid Getting Hacked
A personal guide to cybersecurity
(SPOT.ph) Low-grade panic struck Philippine social media users when they learned about two things recently.
First, the existence of a Facebook group that calls itself “Duterte Cyber Warriors,” a group whose motto is “Protecting President Duterte Means Protecting the People and Our Country.” Their November 19, 2016 post had this to say:
“Sobrang kademonyohan ang ginagamit ng mga catholic school para linlangin ang mga kabataan. Ano kinalaman nila sa Martial law at hinihikayat nyo silang mag rally?
Sa mga taong nagmamahal sa ating bayan tulungan nyo po kami sa aming radikal na layunin para pigilan ang mga tao na lumalapastangan sa pag iisip ng ating mga kabataan. Ang inyong likod ay gumawa ng isang device para sa malawakang surveillance at guluhin ang kanilang komunikasyon para sa kanilang layunin.”
(So much malevolence by Catholic schools in misleading the youth. What do they have to do with martial law that you encourage them to join rallies?
People who love our nation, help us with our radical objective to stop people who are corrupting the minds of our youth. I have made a device for widespread surveillance and for disrupting the communications they use for their purposes.)
The admin or admins of the Facebook group describe it as a “Stingray” (a type of cellular mobile surveillance equipment used by law enforcement in the United States and other places), built using commercially available parts (Raspberry Pi 2 computer boards, TP-Link TL-MR3020 portable wireless routers that can operate on cellular mobile frequencies, and power banks) and programmed with open-source software (Kali Linux, a Linux distro used for network security assessments, ethical hacking, and penetration testing). Experienced local techs and makers agree that the build appears to be solid—“legit”—and can work as promised.
In the wee hours of November 25, 2016, Ateneo de Manila University alumnus Jan-Daniel Belmonte posted on his Facebook page: “Apparently, lots of university students and alumni were notified of suspicious activity on their Facebook accounts throughout this week. Some were even asked to download a supposed ‘malware scanner.’ I have an ongoing list of 144 people (so far) who experienced the incident.”
Despite the absence of evidence on the part of those whose social media accounts were compromised, there are people who think that these two occurrences are related, linking the Duterte Cyber Warriors to the cyberattacks. The Duterte Cyber Warriors have not openly claimed direct personal responsibility for the hacking of these social media accounts, making only cryptic statements on their Facebook page. Even those who may have been the subject of attacks are not sure that it is the handiwork of the Duterte Cyber Warriors.
Whether or not the Duterte Cyber Warriors are responsible for what are perceived to be politically motivated cyberattacks bordering on cyberterrorism against anti-Marcos protesters, it is clear that the general public—particularly those who are active participants in protests or mass actions—should learn how to protect themselves from illegal surveillance and cyber-enabled terror attacks.
The most basic point to understand is that whatever is transmitted through information and communications technology can be intercepted; the only limit is how easy a person makes it for a cybercriminal or cyberterrorist to do so. The harder you make it for the cybercriminal or cyberterrorist to enter your device, the more sophisticated the means he will need to do so; eventually, he will not have the resources to attack you effectively.
Therefore, some of the basic techniques for personal cybersecurity do not involve tools and technologies; rather, they involve conscious changes in our behavior. These include:
Always use strong passwords. Avoid passwords that can be guessed from your personal data, such as birthdays, interests, and social relationships; these expose you to the potential for social engineering attacks.
Limit the visibility of your information such as phone numbers, email addresses, birthdays, and so on to people you know and trust personally.
As far as practicable, use two-factor authentication (2FA) for logging into emails, social media websites, and other online services requiring identification and passwords. If possible, activate login alerts and login approvals, which will help identify if you are being attacked, where from, and using what sort of devices.
If you do not personally know where a USB thumb drive was previously inserted, do not plug it into your device. People are already aware of the dangers of unprotected sex; people should be equally aware of the risks of unprotected USB thumb drive plugging—a sneakernet attack.
When you receive a suspicious invitation, email, SMS, web pop-up, or application window with a link or button, don’t click the link or button; that’s like giving a warm welcome with wide open doors to an attacker.
Do not access public free WiFi services that are not protected by passwords or logins; at the same time, be wary of public free WiFi services that collect your information, such as your email address or your cellular phone number. Unsecured free WiFi services are often used as “honeypots” for ordinary people to leave information useful for subsequent or future cyberattacks. This is especially true for protesters who believe that there may be the risk of cybercriminals and cyberterrorists using free WiFi hotspots to perpetrate attacks.
If you can, instead of using public free WiFi services, use a MiFi device or portable WiFi router that is secured with a strong password. For extra security (which may, however, impact your user experience), consider using virtual private network applications.
Cellular mobile transmissions are not encrypted, and can be “pulled” from the air and “pushed” to devices using technologies such as those allegedly being deployed by the Duterte Cyber Warrior group. As smartphones are essentially small personal computers, cyberattacks that can be made using honeypot free WiFi hotspots can be done using wireless-N routers. Do not immediately trust links embedded in SMS messages, attachments in MMS messages, pop-ups that appear on your smartphone, or even chat requests from strangers.
If you are not confident that your devices will be secure, despite all your efforts, go to the mass action with your smartphone turned off at least five kilometers away from the venue, and turn it on again after leaving and reaching a location at least five kilometers away. Organizations such as the Electronic Frontier Foundation also suggest that if you can, use a different cellphone, particularly an ordinary “dumb” phone, to keep in contact with your companions, or alternative means of communications such as encrypted amateur radio or wired communications.
Common sense and a healthy level of skepticism are your best first defense against cyberattacks. Organizations like the Electronic Frontier Foundation, among others, have continually been providing best practices, such as “Surveillance Self-Defense,” towards ensuring personal cybersecurity.
What to do when your digital privacy is violated
An attack on your device, your social media account, your email, or other digital asset you have that involves unauthorized access falls under the purview of the Data Privacy Act, so you can report it to the National Privacy Commission. They have the legal mandate and the capability to investigate attacks. Should it be necessary, the National Privacy Commission can be assisted by the PNP Anti-Cybercrime Group, the NBI Cybercrime Division, and the Cybercrime Information Coordinating Council.
But what if it is not just you and there are many victims of cyberattack, particularly if the attacks appear to be politically motivated, and hence can be described as acts of cyberterrorism?
In that case, the full might of the State can and should be brought to bear to defend its citizens. The law allows the Armed Forces of the Philippines to assist in the fight against terrorism, and in the Intelligence Service of the Armed Forces of the Philippines and scattered among the service branches of the AFP are dedicated and skilled men and women with the capability to pursue cyberterrorists.
Your rights online are your rights offline; no State will ignore a terrorist bombing—in the same light, no State should ignore what appear to be politically motivated cyberattacks.
Protest without fear, but with constant vigilance
The Constitution guarantees the right of the people peaceably to assemble and petition the government for redress of grievances. When this right is threatened by politically motivated cyberattacks, it is the responsibility of the State to vigorously defend its citizens from such acts of cyberterrorism.
That said, practicing personal cybersecurity measures to protect yourself in daily life, up to and including the days you decide to go to the streets in protest, is essential in an age of constantly evolving technology. Terrorists win when citizens cower in terror; cyberterrorists win when netizens refuse to act out of fear.
Your rights online are your rights offline, and the first line of defense for your rights is you.
Engr. Pierre Tito Galla, PECE, is a co-founder and co-convener of Democracy.Net.PH. A professional electronics engineer with nearly two decades of training and experience in the ICT sector, Engr. Galla has helped spearhead and push various ICT-related measures, such as the proposed Magna Carta for Philippine Internet Freedom, the enactment of the Department of Information and Communications Technology (DICT) law, draft regulations for quality of service standards for internet connectivity, and cyberdefense, cybersecurity, and social media policies for the private sector and for national and local government agencies, law enforcement, and the military.