I’m currently
exploring Science Education Technology Life

Public Toilets, Public WiFis and other Free Things

You shouldn’t be any more comfortable with public WiFis than you are with public toilets.

If you turn on the WiFi on your device right now, depending on where you are, you will find somewhere between three and perhaps a hundred available connections. Each of those connections acts as both mouths and ears, and there’s no telling the number of ears that could be plugged into them.

If you’re reading this blog, say at an airport, waiting to board a flight, you will find an open WiFi connection that travellers can use without requiring a password. If you’re at a hotel, you might find one for guests. Let’s look at the airport WiFi; you have hundreds, or even thousands, of people connected to it, some are checking their mails, some are watching movies, some are catching up with office work en route their destinations, some are running financial transactions, and some are simply…listening. They are harvesting as much information as possible, to do as much damage as possible in as little time as possible. The boarding announcement for a flight is made and a few hundred people shutdown their devices and proceed for boarding, looking around to be sure they are leaving nothing behind, yet not knowing that the “invisible” that they have left behind is worth far more than the visible that they have taken with them. Some have left behind passwords to the corporate networks of the companies where they work, some have left behind access information to their bank accounts, some have left behind proprietary information on the next product they are working on, some have left behind very private information that was meant for only their spouses. They have boarded the plane and are airborne; the rest of the story will be on the news—a ransomware attack with payment demanded in bitcoins.

Now this was possible, not because it was an airport WiFi, but because it was a WiFi, and the users had little or no understanding of how wireless bullets are fired in cyberwarfare, which is what we’re going to see now—how attackers use WiFi to fire their shots (again we might go just a bit technical here).

Man-in-the-Middle Attack: This is very common with unsecure (open) or poorly secured WiFi connections. All the attacker has to do here is plug into the network and find vulnerabilities which he can exploit to deploy tools to intercept users’ communications. If these communications are encrypted, he simply decrypts them using other cheap tools, and at the end he has a bag full of login credentials, banking information and other personal data.

Evil Twin: Here an attacker sits in a public place and transmits his own free wireless signal, but gives it the same name with a known WiFi network in that place. So if you’re at the airport, for example, you could see two WiFis bearing the name “Airport Guest”, however, what you wouldn’t know is that one of them is an evil twin. Of course your most natural tendency would be to connect to the one with the strongest signal, which most likely would be the attacker’s, who is seated just a few metres away. So you connect to this network and believe you’re on the airport’s WiFi, but you are right in the centre of his palm, and everything you do he both sees and keeps.

Packet Sniffing: Packets are “capsules” in which the information you send over the internet travel. When this communication is done over a WiFi connection, these packets can be captured by anyone on the network using very simple tools. An attacker capturing the packets can decrypt them if they are encrypted and have everything in plain text for his use—usernames, passwords and all.

Session Hijacking: An attacker on the same WiFi network with you can “clone” your device by changing his device ID (called a MAC address) to the same as yours, then get into an active session that you have running and act as you from that point on—except he will be acting much faster than you. (See the chapter on Hijacked for more on this).

Other Random Attacks: Malwares, spywares and a cocktail of viruses could be dropped on your device by an attacker sharing the same network. Of course these malwares have been programmed to execute malicious codes that will achieve the objectives of the attacker, whether it is simply to spy on you persistently, or to spread itself across your corporate network when you get back to the office, or to encrypt your files and demand a ransom; the malware, once safely deployed, would take its place and do its job. In this case, unlike other naïve WiFi users at the airport who left behind the invisible, you are not leaving anything behind, but you’re taking with you the invisible. Again we will watch the news for the rest of the story.

Marching Orders

1. Don’t be any more comfortable with public WiFis than you are with public toilets.
2. Use a licensed VPN on your connecting device to add a layer of encryption.
3. If you see multiple public WiFis bearing the same name, forget about connecting; dump the idea all together, except you can verify from the owners which is which.
4. Do not perform any financial transactions over open WiFi connections.
5. Do not perform any task that requires user login or authentication over open WiFi connections. Don’t login to your office network, school portal, not even to a candy store. If the task you intend to undertake requires login, forget about it, find other ways to work online or offline and then login when you have a more secure internet connection.
6. In all your communications over such networks—which should be few to none—do not share any sensitive information.
7. Do not configure your device to remember public networks and connect to them automatically; ensure that this is disabled, otherwise your device could automatically connect to an evil twin from your pocket on your next visit.
8. Configure your personal WiFi connection with maximum security, this should include very strong passwords, possibly disabling broadcast of your WiFi name, and other security features available on your device.
9. As always, sound the battle cry to those around you—“Be careful what you do after you click ‘Connect’; you might be ranting on the same ship with the attacker.”

Blessed are the Slow to Click

It is not an unusual sight to see a full-grown man, face buried in his device, happily clicking away like a child let loose in a toy store on Christmas Eve. Each new click adds to the excitement, and the cyclical arrangement of the internet ensures that his clicking won’t be ending any time soon. Perhaps this is you online, in a virtual world where one click leads to another. The first click is always the easiest, the last click is always the hardest.

Let’s repaint this picture in the context of war, which is what this really is. You’re in a field with landmines buried inches beneath the ground; they are out of sight and sprawl across the entire field. You take your first step into the field and nothing happens, you take the next and nothing happens, then the next, and the next, and the next. Six steps away from where you started, everything is fine. But you’re still extremely cautious and sweaty with each step you take because you don’t know what the next step will cost you, you are fully aware that it could be Step 7, right foot, left foot and Boom!

Online advertisers estimate the average cost per click across industries to be $2.3—that’s what it costs them, not you. The truth is, you don’t know what the next click will cost you. It could be Step 3, right click, left click and Boom! The internet is a field of landmines, and each time you get on it, every click you make is a step deeper into it; very few things will help you like having a sporadic click restraint. Companies have lost millions of dollars because one man ran out in the field and never got to run back in, he stepped on a landmine and that was it!

The wise online are slow to click.

Marching Orders

1. We are just a few clicks away from the next attack; your job is to make sure those clicks don’t come from you.
2. Think before you click. Don’t make the mistake that many make; take your mind with you when you go online, you’ll be needing it there, and besides, no one else can use it here while you’re away.
3. Count your clicks as you would count your steps in a field of landmines, and when you find yourself in what I call Spiral Surfing, where one click leads to another and to another and to another, then you must have a threshold point at which you abort and break the chain.
4. Have a single digit provision for the number of permissible clicks in any uncertain direction when you’re online.
5. Sound the battle cry to those around you—“Connection established? You are now in a field of landmines.”

Don’t Sleep Deep on Christmas Eve

For reasons that should be obvious, the staccato of gunfire is usually an unexpected interruption of the calm tunes of Silent Night, Holy Night or Kol Nidre, especially in areas that are hot for attacks or counterattacks. Timing is crucial in launching a successful surprise attack; the choice of time is as important as the choice of weapons and tactics. This is why most military attacks are carried out at night; the posture of the target by day is certainly different from the posture by night, and such nocturnal attacks give little time to marshal whatever forces there be.

Holidays have been a choice time for surprise attacks in warfare, from the Battle of Trenton in 1776 to the Tet Offensive of 1968 and the Yom Kippur war of 1973. Again the reason for this is obvious—the overall security posture of an army on a national holiday is quite different from its posture on other days. The mental conditioning of a people on a religious holiday is very different from other days. When you’re getting dressed for church on Christmas morning, the last thing on your mind is a bomb falling from the sky; the aroma from the kitchen, the lights on the tree and the Christmas tunes playing at the background makes it almost impossible for your mind to accommodate any thought that isn’t blissful. The invading army knows this, and so they haven’t spent the days leading up to Christmas shopping; they’ve spent it fine tuning their plans for a Christmas morning strike.

Attackers in cyberwarfare seem to have bought into this as well, choosing holiday seasons as prime time to launch surprise attacks, especially against companies and businesses. On Christmas Eve, everyone is out of office, the Chief Information Security Officer of your company is out of the country with his family, every member of your Incident Response Team is scattered around the globe, and the last thing they are expecting is a call from work. Apparently, if anything goes wrong, your response time wouldn’t be optimal. The attackers know this, and they choose it as the best time to launch their attack.

Now, there are two general means by which attackers launch a holiday attack. The first is to spend sufficient time prior to the holiday planning the attack, deploying the various methods we’ve seen in this book, yet without launching an offensive. They check for vulnerabilities, gather open source intelligence, look for watering holes, and do all they can to fine tune the plan. Then on the eve, or the day, of the holiday they launch the offensive, the goal being to move in, act fast and take over your infrastructure before you can be alerted that you’re under attack and appropriately respond to it.

The second is to spend sufficient time prior to the holiday seeking to gain access into your network and place what is called a Logic Bomb in it. A logic bomb is a ticking time bomb that is placed unnoticed in your network and detonates at a set time, or when a preconfigured condition is met. Like a regular time bomb, it does absolutely nothing destructive until it explodes, and this often makes it hard to detect; your network could function as normal, there might be no unusual processes running, your computers might work with no noticeable drop in performance, everything could be just fine…until Christmas day. Again, this logic bomb could be dropped in your network by several methods—a mercenary within the organization could work with the attackers to drop the bomb, a casual insider could click a link, or any other means could be used by the attacker to get it in. However, whether they choose to drop a ticking time bomb that detonates on Christmas morning, or they choose to move in with their tanks on Christmas Eve, the fact remains that it will be a Christmas to remember, and not for the food and hearty conversations around the table, but for the crack of gunfire in cyberspace that changed everything in an instance.

Marching Orders

1. Realize that there is no holiday in cyberwarfare, and the adversary is not as preoccupied with the turkey as you are, so it’s best to keep one eye on the oven and the other on the screen.
2. Don’t set out-of-office responders on your email during big holidays. Attackers could gather open source intelligence on people working at an organization and shoot them emails to see what comes back. You don’t have to announce your absence to the world, it doesn’t stop them from sending you mails anyway.
3. If you head an organization, set up a Holiday Offensive Team (HOT) that will actively monitor and protect your cyber infrastructure on holidays.
4. For days leading up to big holidays let the alarm ring over and over in the ears of everyone; no one should be ignorant of the possibility of a holiday attack, rather they should anticipate and plan for it.
5. As an organization, strengthen your technical security controls—intrusion detection, intrusion prevention, remote monitoring systems and the likes—even more at holidays. You could reduce account privileges or even deactivate certain accounts during such holidays.
6. As usual, sound the battle cry to those around you—“Heighten your guard on holidays. ‘Merry Christmas’ is indeed a wish.”

Blowing Up Your Own House Could be a Terminal Plan

Remote wipe is a functionality that enables you wipe off every shred of information on your device from a remote location. Typically, if your device gets stolen, some of the first things the new possessor would do would be to check for banking apps and other apps that can be used to perform financial transactions on the device, check emails, messages and other communication apps for information that can be used for malicious activities including initiating or progressing with certain conversations on your behalf or forwarding certain information to other destinations for next steps, and a long list of other things that would advance his malicious intentions. If you do not have a self-destruct plan for that device, you are toast! With remote wipe, all you will do is login from another device, establish connection with your stolen device and blow it up to high heavens, pulverizing everything you have on it. You sure might not get your device back, but you would have minimized the exploits and systematic attacks that would have followed your losing possession of it.

The goal of this short chapter is to get you comfortable with the idea of blowing up your own things, and here’s how to go about it.

Marching Orders

1. Schedule automatic cloud backup for all your devices and ensure that it runs frequently. Without this the blow up plan would be too costly.
2. Configure remote wipe on your devices. To do this, simply run a search on “How to configure remote wipe for <insert device name>”. Follow the steps you find and you should be fine; in some cases you might have to install a software for this on your device.
3. In the event of a missing or stolen device (for which you have confirmed it isn’t misplaced somewhere in your room!) prepare to blow it up.
4. Once you have performed a remote wipe, you can get a new device and restore your backup from the cloud. Remember to configure remote wipe and scheduled backups on the new device as well.
5. As usual, sound the battle cry to those around you—“Blowing up your own stuff must be part of your battle plan, else it is incomplete.”

A Loaded Pistol for Your 5th Birthday! (On Devices in the Hands of Kids)

It’s a sad picture in war-torn countries to see 10-year-olds holding riffles. As a matter of fact, in some of these countries, children could gather live ammos just playing on the streets. These armed children are meant to join in the defence of territories, mainly territories under the control of rebel groups. Whatever the narrative of a country, and however deplorable the war situation might be, nothing justifies an AK47 in the hands of a 10-year-old. As a matter of fact, a gun in the hands of a 10-year-old doesn’t make the territory more secure, it only makes it more dangerous.

Now, in the heat of cyberwarfare, I see a lot of children with smart mobile devices—phones and tablets. As it is, every internet enabled device is a gateway into the battlefield where no one is 100% safe. To have a child own one of these is to grant her unhindered access into the war zone. We might argue and explain that we have active parental controls on these devices—blacklists, whitelists, firewalls, and other features the manufacturers have put in place. How about giving your 5-year-old daughter a loaded pistol and be at ease because it’s on safety? It doesn’t make sense. And it doesn’t make sense to give your 5-year-old an access point into a terrain where bullets and bombs are flying around, believing that you have an impregnable firewall around her. Remember what we said at the beginning of this book? We’re at war and there’s no DMZ. In a war situation where we can’t evacuate children, the wisest thing to do is to equip them, not to arm them. Equip them with knowledge of what to do if they find themselves in certain scenarios; equip them with knowledge of the attack methods of the enemy and how to escape unscratched. But once you get them an internet enabled device, with parental controls, you have moved away from equipping them to arming them.

Another angle to this is that when you give a kid a device to connect to the internet, you are actually sharing your network with a 5-year-old who knows nothing about the dangers of sporadic clicking. The same way your child could open the door to strangers at home, she could also open the doors to strangers in cyberspace. You shouldn’t be at ease sharing the network with a 5-year-old. So at what age would it be appropriate to give a child an access point to the battlefield? That’s a whole debate on its own, and we are not going into it here; right now we are too busy conscripting that we can’t pause for family debates. Whatever the case, the bottom line is this, you don’t want your 5-year-old out there in the midst of the dust and chaos of war; if she’s hit by a stray bullet, you would have yourself to blame, and at that point your much-trusted parental controls would release some updates to patch their vulnerabilities, but there will be no updates to patch her wounds.

In light of this, what must you do?

Marching Orders

1. If you’re a parent or guardian, do not let children own internet enabled devices any more than you will let them own a gun on safety.
2. Supervise children if they are to access the internet for any reason and get them out as quickly as possible.
3. Children must be equipped for cyberwarfare, and much of their equipping should be knowledge based.
4. Cybersecurity should be included in curriculums right from elementary school or earlier.
5. If you are a cybersecurity professional, you could consider putting together some awareness camp or other fun events for kids. You might even consider developing a cybersecurity board game.
6. Again, as always, sound the battle cry to those around you—“There’s nothing safe about a gun on safety in the hands of a 5-year-old.”

Battle Protocols at the Gates (A Word on Login Forms)

When terrains get more and more unsafe, security checks will of necessity be multiplied. As I drive around certain regions in Sub-Saharan Africa, I encounter military checkpoints almost at every 3 miles. There are dos and don’ts at these checkpoints that guarantee the security of whoever it is that seeks passage. As cyberwarfare gets more intense, such checkpoints are also being multiplied, and thankfully so. If you’ve had to do anything of medium to high importance online today, you must have passed through one or two of these checkpoints, they are called login forms. Like physical gates, the most basic function of login forms is to keep the bad guys out and let the good guys in (just like we saw with passwords), and there are certain protocols that will improve your security as you seek to gain access at these gates.

A Day in the Life of a Surfer

Monday morning, just after coffee.

You need to get some transactions done—send some money to your mom, pay some bills and wire some funds to your suppliers—so you go online and “drive” up to your bank. As you approach the bank you meet the gates locked, and that’s a good thing, it will be unsafe to have it otherwise; so you’re greeted by a login form asking you to identify yourself. You pull out your ID and password (hopefully the classified ID, as we saw in a previous chapter), then they ask you what year your grandmother died and you tell them, and within seconds you’re in and attending to the things you came to do.

Next, you need to check on a few friends who live on Facebook, so you drive up there to say hi and again you’re greeted by locked gates. You enter your ID and password (hopefully not the same ID you used at the bank), but you consider a few things—you visit here quite often and wouldn’t want to keep doing this each time you come, so you tell the guys at the gates to keep them open and not border asking questions whenever you come visiting in the future with this particular vehicle (aka your device); you do this by clicking on “Keep me signed in” as you proceed to see your friends.

When you’re done, you decide to go to the bookstore and get yourself some copies of that good book on equipping every employee for cyberwarfare, so you drive up to Amazon and, as expected, the gates are locked and your ID and password is needed. With all the cyberwars going on, you’re already used to these checkpoints. You again supply your ID and password and are granted access. But as soon as you drive in, your browser throws up something interesting—“Save username and password for this site.” That sounds like a stress saver, you click Save.

Finally you decide to go to school and turn in your overdue assignments, so you drive up to Coursera, and yet again you are greeted by locked gates. But then you see this little button that says “Sign in with Gmail”. Looks like this will save you a lot of stress typing in your email and password, so you click on it and voilà! You’re in. You submit your assignments and you’re done for the day, it’s time to go back home.

Now let’s evaluate everything that happened at each gate.

At the bank

We don’t see any additional information being requested apart from your ID, password and the answer to a security question. That is all you used to gain access. You have your life’s savings in there, and you feel just an email and a password plus the year your grandma died is good enough to keep the bad guys out and let you in? The protocol at such gates should have an extra layer of security; you should enable what is called a Multifactor Authentication (MFA), either by having a one-time password sent to your phone or by generating it from a virtual or hardware token. In times of war, the eyes of rebel groups are where the money is, and you can be sure they are hitting harder on those gates than on any other.

At Facebook

By checking the “Keep me signed in” box, you told the guys at the gates to always let you in and never ask questions whenever you come around with that particular car (in this case the particular device you are surfing with). Now the danger in doing that is this: what happens when you hand over your car to someone else and she decides to drive to Facebook? Or what if a friend (or foe) finds your car keys and drives up to Facebook with it? If, for any reason, someone else is on your computer, the guys at the gates will see the car coming from afar, smile like happy storekeepers and let him in without asking questions, just as they have been instructed, and the intruder will have full access to act as you on that platform.

At Amazon

You told your browser to save your username and password. What you actually did was instruct the guys at the gate to keep a copy of it for future use. The implication of this is that if anyone else uses that browser to visit that site on that device, the guys at the gates will bring out a copy of your credentials and say, “Here, we already have what you need to get in.” That’s what happens when you visit a site and your email and password is already filled out on the form, just waiting for you to hit Enter. Not only will the intruder have full access to your account, she could also click the “Show Password” button at the gates if it’s available and then copy it out for future access on other browsers and devices.

At Coursera

You clicked on the button that said “Sign in with Gmail”. That is called Federated Identity, and it really takes off the stress of reaching down for your ID and password to gain access. But by using that button, what you are saying to the guys at the gates is, “Hey, the folks at Google know me, you can check with them and they’ll confirm.” So guys at the gates check with the folks at Google and the folks at Google say, “Yes, yes, we know him, we trust him.” Then they come back to you at the gates and say, “Boy! You sure are something! If they trust you at Google, then we trust you too. Go on in and enjoy your stay.” While this might not be altogether bad in itself, the issue is that at every point you do this, you are widening the circle of trust. So when you keep clicking this button at different gates in different places, the circle of trust keeps getting wider and wider. However, in the time of war, trust is a luxury you should be slow to share. No one needs a wide circle of trust at war; it only increases the odds of betrayal. Different platforms have their various levels of compliance to federated identity security standards, and your circle of trust would only be as strong as the weakest link in that circle; once that weak link is broken, there is no telling the level of lateral damage.

At Every Place You Visited

Finally, did you notice one common omission at all the places you visited? You didn’t logout from any of them; you left the gates wide open and drove away! Who in the world does that! Well, over half the world does that. Not locking your gates behind you in war-torn cyberspace is certainly dangerous practice, and you wouldn’t want to expose yourself by such act of neglect.

Now let’s wrap this up. There are battle protocols at the gates that you must be aware of as one who is unavoidably and inescapably involved in the ongoing war at cyberspace. Compliance with these protocols will make you more effective at dealing with the enemies at the gates who are trying to force their way in right after you. Apply these principles and your defence will be heightened. Let’s take our orders.

Marching Orders

1. Wherever possible, enable multifactor authentication at sign-in, especially for highly sensitive platforms like banking portals.
2. Avoid checking the box on the login form that keeps you signed in on platforms, it might not be convenient to keep signing in each time you come, but convenience is not what we seek at war.
3. As much as possible do not store passwords and login credentials in your browser; always decline popups that come up right after you login with such suggestions.
4. Keep the circle of trust as small as possible; don’t use the “Sign-in with [any 3^rd party]” button indiscriminately.
5. Whenever you’re done, logout; don’t just close the browser—LOGOUT. Any login without a corresponding logout is a risk factor.
6. Change your passwords from time to time, especially on your two or three most sensitive platforms. For ease of management you can use the password generating framework we discussed in the post on passwords, and change your password every 30 days by adding the name of the month to the new password. So your Instagram password, for instance, in January will be something like this: A2A4ixmargatsni+JAN

February: A2A4ixmargatsni+FEB

March: A2A4ixmargatsni+MAR and so on.

Do this only for your most sensitive platforms, lest it becomes too cumbersome to manage. Finally, as always sound the battle cry to those around you—“You stand or fall by what you do or fail to do at the gates.”

Hijacked

While we are still on gates and access, it would be good to look at the possibilities of being hijacked after you’ve made it through the gates. Normally, when you drive past the gates, your assumption is that you are safe; you don’t keep looking over your shoulders as you go about your business. Since everything was fine at the gates, you become more relaxed and lower your suspicion as you freely run your transactions, purchase your book and submit your assignments. But the fact that the check was solid at the gates doesn’t mean the terrain is completely safe; checkpoints don’t end the war, they simply provide checks while the war persists, and an attack can take place on either side of the gates—your activities within the gates can literally be hijacked! How does this happen? Let’s back track a little. You are driving up to your bank to run some transactions and you are greeted by locked gates (the login form). You provide your credentials, the guards look through them and confirm that they are legit, so they print you a visitor’s tag with a unique visitor’s ID and other information that allow you go in without being kicked out by other guards within the premises in the middle of your transaction. This visitor’s tag is what we call a Session Token. Now, picture that by some clandestine means, a malicious adversary was able to get a copy of your visitor’s tag, say he was not too far away with his high focus camera zooming in and taking snapshots of the tag as it was being printed out and handed over to you (of course the actual methods of getting this information are more technical than this, but that’s not our focus here). Now he has the same tag you have that lets him go about your business without being kicked out too. He hijacks your session and goes to work, gathering the spoils of war—either transferring funds or stealing information or running other transactions. Note that you might be done before him and leave (especially by simply closing the tab without logging out), but he’s still in there executing operations on your behalf; by the time you realize what has happened, he would have been long gone, leaving behind the ruins of his attack.

Session hijacking is a very common form of attack in cyberwarfare, and there are several ways that an adversary could steal session tokens; he could exploit some vulnerabilities in the destination site and drop a script there that copies the tokens when you come in, he could also intercept communications in your browser using certain tools and gain access to your session information. Whichever method he uses, yours is to be aware of this possibility beyond the gates, and to establish counter measures to avert its occurrence.

As a Conscripted soldier, here is what you must do.

Marching Orders

1. Use a licensed Virtual Private Network (VPN) to fully encrypt your activities online.
2. Always ensure your browser is up to date (you can run a search on “Updating my Firefox browser” or whatever browser you use to get this done).
3. If you’re logged in and working, and a popup suddenly comes up telling you that your session has expired after some time of inactivity, and requesting you re-enter your password to continue your session, don’t use the popup; you can refresh the page and sign in again. While such popups could be legitimate at times, it also could be a hoax by attackers to hijack your session, and since you can’t be absolutely sure, then better be safe than sorry.
4. Always logout completely and close the browser when you’re done with your session. Never close the browser without logging out.
5. As always, sound the battle cry to those around you—“Stay alert! An attack could take place on either side of the gates.”

Become a Pro at Drowning Phishermen

From: [email protected]

To: Femi Reis

Dear User,

You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report this activity and update your password immediately to avoid any possible compromise.

Thank you for using PayPal.

Such emails drop in my box often; I am sure they aren’t strange to you either. I thought we should start from where all awareness trainings start and most awareness trainings end—Phishing.

There’s a concept in warfare called Information Warfare, it’s a type of Military Deception (MILDEC) where the target is disinformed to make decisions that are to his own detriment. History is filled with battles in which victory and defeat were exclusively determined by MILDEC. It is what attackers in cyberwarfare seek to achieve with phishing (pronounced fishing). Phishing emails contain information that generally appear to be in your best interest, but with the goal of getting you to make a decision and take an action to your own detriment. In cyberwarfare, a staggering three billion phishing emails are fired daily, some of these are random shots while some are fired with pinpoint precision to very specific targets (this is called spear phishing). Picture you receive an email from “PayPal” notifying you that you just successfully logged in to your account from EL Paso. El Paso?! No way! You are in faraway Nairobi and haven’t even made any attempt to login to your PayPal account. This sure is an indicator of compromise, you think to yourself. At this point your palms are sweaty, there’s $5,087.42 in your PayPal wallet; you must stop this activity before a cent of it disappears! Thankfully, PayPal has provided a link in the mail for you to immediately arrest the situation; you can change your password promptly to lock the intruder out, and then report the case to enable them investigate further. So you click on the link and it brings you to a password reset page, you enter your old password and your new password and successfully perform the reset. “Phew! That was close,” you whisper under your breath, but on the other side of the globe, in a little room with five men on their laptops, one of them jumps up, throws his fist in the air and shouts, “Yes! That was spot on!” The other four keep phishing without breaking focus. A few minutes later you receive a transaction invoice from PayPal for $5,000; your wallet balance is now $87.42. You’ve just been drowned by a phisherman! Like in the battles fought in Arab deserts and African jungles, MILDEC has once again delivered in cyberspace.

Phishing is a common attack method in cyberwarfare. Here the attacker sends an email with the aim of getting you to take an action that will appear to be in your best interest, but will actually be tantamount to unplugging the pin of a grenade right in your own house. The question then is, how can you tell when this is happening to you? Let’s go back to the email we started with.

From: [email protected]

To: Femi Reis

Dear User,

You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report to activity and update your password immediately to avoid any possible compromise.

Thank you for using PayPal.

The first thing you should check here is the sender’s email address. In this case it is from [email protected][1]. The root domain is the actual sender. Let me explain. The root domain is the last word, or group of words, that comes just before “.com”. So in this case the root domain is a compound word (two words joined together with a dash to form one word), which is security-paypal. That is the actual sender. This email is not from PayPal; it is from security-paypal (security dash paypal)—whoever that is. Many times this dash is introduced to trick you into believing it is a subdomain of PayPal. Again let me explain what a subdomain is. If we had [email protected], the root domain here is paypal, which is the singular word that comes just before “.com”. The subdomain is security, which is always separated from the root domain with a dot, not a dash. Subdomains are not separated with dashes, they are separated with dots; if you have a dash, it is still one word and it forms the root domain. So if you have [email protected], it is not coming from you.com, it is coming from me-you.com; if you have [email protected], this is coming from you.com; the last singular or compound word before the “.com” is the actual sender.

Now attackers, however, sometimes find a way to manipulate this and actually spoof a proper email address, spelt with the actual root domain to launch the attack, so another thing you should look out for is the greeting. Are you greeted by name? If this mail is coming from a company with which you have a valid account, you shouldn’t be addressed as “Dear user”; you should be addressed by name. But then again, that’s not an automatic green light that confirms everything is fine; phishing could be targeted with precision such that it bears the name of the intended recipient, as was the case with Podesta. You could be greeted by name and still be dealing with a phisherman, so there must be other things to look out for. How about the grammar and spellings? Most phishermen are given to silly typos and errors in grammar, so looking out for this could be a good indicator; an email from PayPal shouldn’t be muddled with typos. But yet again, this phisherman could be an Ivy League graduate and have his mail well worded and his hook well baited; it thus means there must be other things to look out for beyond the wording, and here’s a final one. Every phishing email wants you to take an action—either click on something or reply with something. If there are links or buttons in the mail on which you are advised to click, those links will not be pointing to paypal.com; they will be pointing to the attacker’s den. The Reset Password button wouldn’t point to paypal.com, it would point to death, and here’s how you will know. Without clicking on the link or button, simply hover your mouse over it, if you’re working on a computer, and the link will be revealed at the bottom left corner of your screen; you will see that it doesn’t point to paypal.com but to a different domain. If you’re working on a mobile device, press and hold the button or link (DO NOT CLICK ON IT) and select the option that says “Copy link address” (or however it is worded on your device), you can then go open a writing environment such as a blank compose environment and paste the copied address there, you would see where the link points to. There are, however, cases were links are rewritten in emails such that they don’t show the actual domain spelt out plainly when hovered on. If you are in doubt whether this is the case, you can copy the link and scan it using any online URL scanner. Simply run a search for “online URL scanner” to find one.

Now, if you look out for all the indicators we have walked through and none of them exists—in other words the sender email appears legitimate and there is absolutely nothing in the mail that suggests it isn’t coming from PayPal—still DO NOT CLICK THE LINK. Whatever secure action the mail recommends you take, go to your browser or app, login to your account and take the action from there—in this case resetting your supposedly compromised password. As long as it wasn’t initiated by you, never take an action from a mail even if you are convinced it is from a legitimate source; close the mail, go to your account and perform the action from there.

If the email is requesting that you reply with information or execute an action or financial transaction which is in your line of duty, adopt what I call an MFC policy—Multifactor Confirmation. Never supply information or carry out any sensitive action or transaction based on an email without reaching the sender through a second means—especially via phone call—to confirm the mail. If it’s not from a known sender, do your due diligence; be sure not to send any sensitive information in response to a mail from out of the blues that you know nothing about. You can never be too suspicious at the peak of warfare. There are about 4.6 billion active internet users worldwide; with 3 billion phishing emails fired each day (21 billion each week), the odds are high that some of those bullets will come your way. To treat every unsolicited mail with suspicion is thus a wise approach in warfare.

Note, however, that all the actions we have seen here are simply meant to keep you from drowning, but that’s not our ultimate goal; you shouldn’t be content with sailing away to safety when you can as well drown the phisherman before you leave. So how do you do that?

  Marching Orders

1. Treat every email you’re not expecting as suspect.
2. Except where it is impossible not to, do not click on anything inside, or attached to, an email, especially when you are not 101% sure of its source.
3. Report every phishing email through the appropriate channels. (You can forward the email to Anti-Phishing Work Group at [email protected], or, if it’s a PayPal phishing email, to [email protected]. You could also run an online search on reporting phishing for your specific email client, such as “Report phishing on Gmail” or “Report phishing on Yahoo”, or whatever reporting framework your organization or institution might have in place. The goal is to get the phishing email to various points of action.)
4. After you’ve done the necessary reporting, select the email in your box and mark it as spam (don’t delete it, mark it as spam).
5. If the mail is requesting that you reply with sensitive information, reach out to the sender by other means, if it is someone you know, to clarify the request. If it is not someone you know or have alternative means of reaching out to, reply with probing questions that will further reveal the sender’s intentions and identity without raising his suspicion of your intent to drown him in the process. Sustain the conversation long enough to turn the tables, and be sure to blind copy the relevant authorities on all such mails.
6. Finally, sound the battle cry to those around you—“Every link in an email could be a grenade pin; think before you pull.”

[1] As at the time of this writing www.security-paypal.com is not a registered domain name.

Develop a Personal Incident Response Plan (PIRP)

Soldiers never have to guess about what to do at war; hundreds of hours of drills at peacetime have not only carved what they are to do in every situation into their minds, it has committed it to muscle memory such that they default to it without much vacillation. In many cases, the heat of battle doesn’t give you the luxury of time to ponder, deliberate and decide; seconds could spell the difference between life and death, and you must know exactly what to do way ahead of time. This level of ultra high proactiveness can only come by developing a plan and walking through it prior to the sounds of shelling and gunfire.

In cyberwarfare this is also critical, and one plan that is crucial in achieving this is what is called an Incident Response Plan. The IRP, in its simplest form, tells you what to do when things get ugly. While every troop goes into battle with the preparation that should keep them from being hit, they also take with them the plan that should keep them moving if they get hit, and thus minimize the resulting disaster. That is the IRP. While a disaster might be unplanned, your response to it must always be planned. And that is why I advocate that every individual—not just organizations, but every individual—should have a Personal Incident Response Plan (PIRP) that they are very familiar with. Now let’s see what this plan looks like in plain battlefield language.

Developing Your PIRP

1. Prepare: Face the fact that you might be hit, and the strike could range from mild to severe, and then equip yourself with sufficient cyber intelligence to handle the situation should it occur. Going through this book certainly gives you a good deal of equipping. Identify what your most critical information, data, applications and files are and where they are located—on your mobile device, in a folder on your computer, in the clouds, wherever. In cybersecurity these information and files are called Critical Assets; in plain battlefield language they are your vital organs—your heart, your lungs and kidneys. You need to know where they are and prepare to protect them if ever there’s a show down.
2. Indentify: The first thing here is to determine if you’ve been hit or if there’s been a compromise that could be a precursor to the big blow. Your goal here is to understand what in the world is going on. Have I been hit? Where was I hit? How bad is the wound? Are any of my vital organs affected? Who hit me? Could a second blow be coming? You ask yourself these questions in rapid-fire mode and gather the answers as quickly as you can.
3. Contain: Stop the bleeding and stop it fast. While you’re trying to identify what exactly has happened, you must also realize that you’re bleeding at the same time. If you dwell on the identification step, trying to get every single piece of information, you will soon lose consciousness. You need to stop the bleeding. What must I do to mitigate the spread of this attack? What should be shutdown or taken offline? What processes can be safely aborted? What can be safely deleted? Can I run a scan to identify all the affected files, folders or endpoints (devices)? How can I safely isolate them from the rest of my assets? As you find and implement the answers to these questions you will be containing the spread of the attack and reducing the bleeding.
4. Eradicate: Here you get rid of the root cause of the incident. Beyond getting the shrapnels out of your flesh, you must ensure that the root cause which exposed you to the explosion in the first place is completed taken out. What were my vulnerabilities? Were there software packages I failed to update? Did I fail to patch my operating system? Did I download an untrusted file? Did I install a malicious software that could have created a backdoor for the attackers? You must ensure you eradicate every single strand of the root cause. Minimizing and eradicating your vulnerabilities is what reduces your chances of being hit again.
5. Recover: Here you have to get things back to normal and move on. Recovery must be rapid in warfare; you can’t afford to stay down for long after you’ve been hit, lest you be fully captured or completely crushed. Recovery must be rapid; get back on your feet and move on. Restore backups of whatever you’ve lost, test your devices to be sure they’re running optimally, change whatever access credentials you need to change, get back to business—you’re at war!
6. Lessons Learned: This is a critical component of your PIRP. It is easy to forget the whole drama after the dust has settled; the Lessons Learned component ensures this does not happen. Here, you go over everything that just happened and ask yourself the hard questions. Where did I miss it? What could I have done differently that would have averted the attack? What part of my response plan could have been better? How long did it take me to move from ‘Identify’ to ‘Recover’? Why did it take me so long? How can my response time be shortened? Could the attack have festered a while before detection? The goal here is to learn your lessons and get more battle-ready. You will use your findings from this phase to upgrade your PIRP and prepare better for the battles ahead.

Marching Orders

1. Prepare your Personal Incident Response Plan following the steps we’ve seen in this chapter.
2. Create a mock incident scenario and walk through your PIRP to see how it runs.
3. Practice your PIRP sufficiently enough to make it your mental default.
4. As usual, sound the battle cry to those around you—“A soldier never guesses at war; draw your plan and run your drills.”

Disappearing Act in Warfare (The Power of Offline)

From time to time, it is helpful to disappear from the scene for a day or two or more. The chaos of battle could be mind numbing if it is never interrupted by seasons of calm. The sustained noise of war has such an effect on the mind that isn’t good for your wellbeing. It helps to block out this noise from time to time in order to preserve your sanity. Aside that, it also helps to be untraceable for a while, to lose your tail, to vanish from the scene and leave more questions than answers. You achieve this through the power of offline. We have over-explored the power of the internet to the exclusion of the power of not being on it. In warfare, there could be as much power in your absence as there is in your presence; not being seen is as much a strategy as being seen.

Take a day off cyberspace, take all your personal devices offline and quieten your mind, pull your thoughts together and sharpen your focus. If you have a dumb phone, this could be a good time to use it, otherwise just turn of all your connections on your smart devices—WiFi, hotspots, mobile data—for the duration of your offline period. In cyberspace, to varying degrees, you double as both the hunter and the hunted; in whatever capacity you disappear from the scene it keeps the other side guessing, if you disappear as the hunted, it gets the hunter wondering, and if you disappear as the hunter, it gives the hunted a false sense of safety—it works either way. The more randomness you can add to your offline practice, the more unpredictability it adds to your pattern and strategy, and all this is in addition to the fact that when you get back online you return with more focus and clarity for effective warfare.

Now if you’re an adept internet user, one of the things that will keep you from exploring the power of offline is FOMO—Fear of Missing Out. You would consider a thousand and one things that you would miss out on if you go offline for 24 hours, but what I discovered is that many of the FOMO considerations are not mission-essential; they are mostly the 80% distractions that have occupied the engagement time and space of average users. I have discovered that when you schedule an offline, the vital organs hardly surfer, the 20% non-negotiable mission-essential functions are hardly ever hit by the blow. But if you still struggle with FOMO, then I would recommend a staggered implementation. Schedule an offline for just 3 hours and then come back and check your vital organs; has any been damaged? On a different day schedule a 6-hour offline and then come back and check your vital organs; any damaged? Do it again for 10 hours on a different day, and then 12, and go on that way till you hit a 24-hour offline. I bet you will find your vital organs intact, and the exercise will give you better control of your engagement on the battlefield, it will heighten your focus and give you the power to ignore more CATs that prowl around. Commit to applying this strategy and you will be amazed at the enormous benefits that are locked in the power of offline.

Marching Orders

1. Schedule an offline to both help sharpen your focus and add randomness to your usage patterns.
2. During your offline, stick to phone calls and SMS as your primary means of communication.
3. After your offline, identify what virtual weight you can safely shed. You will progressively discover that some things are not as indispensible as they appeared at first.
4. As usual, sound the battle cry to those around you—“At times the best thing you can do with the internet is turn it off.”

Wisdom for Your Devices (1)

Knowing that he will have to carry his gear everywhere he goes, the soldier ensures that every single item he packs in it is mission-essential; he can’t afford any ounce of weight that isn’t critical to his survival on the battlefield. Literarily, every item in his gear can save his life at some point; those things that can’t will have to stay off, because in wartime, needs are defined by absolute necessities.

Unfortunately, we have not packed our devices for smart warfare, we have stuffed them with nice little things that not only have no bearing on the mission, but even have tendencies to get us hit. When it comes to installing applications on your device, you must realize that you are packing your gear for war. Every additional app you install, no matter what it does, actually broadens your attack surface. Let me explain. Picture a phone that has zero applications installed on it, all it has is its operating system; any exploit that an attacker will carryout on that phone must come from a vulnerability that he finds on the operating system—that’s the only window he has. Now let’s install a communication app on the phone; the attacker can launch an attack by seeking and exploiting vulnerabilities on the operating system and the communication app. He now has two windows—the attack surface has broadened. Add a third app, three windows. A fourth app, four windows. Every additional app actually broadens the potential attack surface. Thus a device with no app on it is technically safer than one with five, and that with five is technically safer than that with ten, all other things being equal. In battlefield language, your behind is potentially further exposed with each additional app you install. But you certainly will not carry a phone with no application on it any more than a soldier will carry a gear with no item in it. So how must you then pack your device? Two principles come to play here—the Principle of Least Functionalities and the Principle of Least Privileges.

The Principle of Least Functionalities

Like I said, you must choose your apps the same way a soldier will choose items for his backpack, and the question to ask is this: “Is this application mission-essential? On a scale of 0 to 10—10 being the highest—how critical is this app to my overall mission?” The Principle of Least Functionalities demands that you install only the least amount of apps necessary to perform mission-essential functions—whatever your mission is. If the answer to the essentiality question is No, Low, or Maybe, then the app is best left in the app store.

The Principle of Least Privileges

This demands that after you have installed the least amount of apps you need for mission-essential functions, you go a step further to give these apps the least amount of privileges or permissions they need to carryout those functions. Typically, by default, apps will request all the permissions in the world, including permission to control your life—which is hardly ever listed but almost always granted. But note that there’s a difference between the permissions an app requests and the permissions an app requires. Almost in all cases, the requested permissions are usually far more than the required permissions. The Principle of Least Privileges implies that you will only grant that app the permission it needs to perform the function you need it to perform, every other permission must be denied.

You can always tell when an app shouldn’t need a requested permission to function by simply assessing what the app is meant to do. How many times have you downloaded an app, say a calculator app, and when you run it it tells you, “Calculator needs permission to make and manage phone calls”? No way! What in the world does Calculator have to do with making and managing phone calls! Such permission is completely disconnected from the task the calculator is meant to perform and thus should not be granted. Some apps stubbornly insist that you grant such unrelated permissions before you can use them; there’s only one thing to do with such apps—delete them! Get rid of them and look for alternatives that would perform the required function without requesting unreasonable permissions.

Now, before we wrap this up, another thing you might want to check when downloading an app is the app’s size-to-function ratio. For instance, an app that is meant to function as a basic calculator shouldn’t be anything larger than 20MB in the app store, as a matter of fact it should be much smaller. If an app has a very high size-to-function ratio, then that app is doing more than advertised. If our Calculator app is 80MB, then you wouldn’t want to know the other things it is calculating! Don’t download such apps; if the size is significantly out of proportion with the intended function based on your commonsense assessment, leave the app alone, it’s safer in the store than on your phone.

Marching Orders

1. Harden your device. Go through your list of installed apps and ask yourself the essentiality question—“On a scale of 1 to 10 how critical is this app to executing functions that are essential to my mission?” You should review the tenancy of any app on your device that doesn’t make an 8. By deleting such apps, you will be further shrinking your attack surface and be saving your gear from unnecessary clutter.
2. Carryout a permission audit. Go through every single app installed on your device and check the permissions granted. Identify the allowed permissions that have no direct correlation with the function of the app and deny all such permissions; only allow permissions that are directly connected to function. If you encounter stubborn apps that insist on having unrelated permissions before they work, uninstall them completely and replace them with alternatives, if they are mission-essential.
3. Periodically implement these principles—Least Functionalities and Least Privileges—to ensure your gear is battle-ready.
4. Finally, as always, sound the battle cry to those around you—“The extra app in your gear could be an extra exposure in your rear.”

How Safe is Our World with a Password like Yours?

A good password, like a good door lock, is meant to perform at least two functions—let you in, and keep others out. If it performs one of both functions effectively and fails to perform the other, it’s not a good password. Have a look at this.

Username: Conscripted

Password: xaw24bQ#!@3bZv~9-Cd7_rJq$90*+k!00#&`~0

This password is extremely good at keeping others out—others including Mr. Conscripted himself! If it were my door lock, I would be sleeping outside tonight. But then, on the other hand, let’s have a look at this.

Username: Conscripted

Password: abc123

This password will certainly have no problem letting me in, but it would let the rest of the world in right after me, or even before! If it were my door lock, I wouldn’t have anything left in my house. A good password, like a good door lock, must let you in and keep others out. In the heat of battle, break-ins are common occurrences, and your passwords are the minimum defense you have against them.

6 Degrees of Separation: How safe is Mr. President with a Password like Yours?

You might have heard of the concept of 6 degrees of separation, it states that the maximum social distance between you and any other human on earth is six people. In other words, there are a maximum of six steps in your social network between you and any other person in the world. What this means is that you know somebody who knows somebody who knows somebody who knows somebody who knows somebody who knows the Pope. And if you want to pass a personal message directly to the Pope, all you have to do is find this chain, and your message will get to him in person—from the lips of his personal friend. Now the dark side of this is, what if that message wasn’t actually coming from you but from someone with malicious intentions who successfully acted as you and followed that chain? When I first learnt about the 6 degrees of separation, I decided to investigate it personally and see if I could trace a 6-degree connection between me and the president of America at that time. Interestingly, I found it without much difficulty. If an email comes from me and follows that path, it will get to Mr. President, and it won’t be coming to him from me but from someone he knows personally and perhaps trusts greatly.

There’s a 6-degree connection between you and Joe Biden or Donald Trump or Barack Obama or George W. Bush. An email coming from you, going through the right path, will get to any of these people. So how safe is the President with a password like yours? It might seem a bit exaggerated, but your password could actually be the entry point to a national disaster. Your weak password could bring down an entire institution or cripple an entire industry! Your password could spell the difference between victims and survivors in cyberwarfare.

Another dangerous thing about having weak passwords is that an attacker could break into your email, scroll through your inbox to see the various services you are subscribed to, then go to the login portal of any of these services and request a password reset. The password reset link will be sent to your email, the attacker will come back to your inbox, click on the link, reset your password, and gain entry to the portal to operate fully as you.

As it is, you already have assets on the battlefield, your personal information are there, your health records are there, your intellectual properties are there, even your money is there. None of these things is absolutely safe at war, any of them could be stolen in a successful attack. The very least—and by very least I mean the barest minimum—you can do to secure them is to use strong passwords. Other things might be out of your control, your bank’s cybersecurity infrastructure could be broken, your email service providers could be breached, many other things could happen that are out of your control, but one tiny thing that is within your control in securing yourself and your assets in cyberwarfare is your password, and you must get it perfectly right.

Never Repeat, Always Remember: Developing a Password Generating Framework

Passwords require a measure of complexity to do their jobs well. Creating strong, complex passwords that you can always remember without ever having to repeat on any two platforms is not an easy feat, you’d have to have a memory like Boris Konrad to pull that, yet this is the basic requirement in using passwords—make them complex, don’t reuse them across platforms, don’t write them down, and make sure you never forget them. The only way you can do that with ease is to develop a password generating framework. Complex passwords are generally required to have a combination of uppercase letters, lowercase letters, numbers and symbols, and a stipulated minimum length. I created a simple password generating framework specifically to help people get through this (Note: It might look difficult at the beginning, but it soon becomes a piece of cake). Here’s an example of a password generated to meet all the requirements above with this framework.

Username: Conscripted

Password: A2Z4ixkoobecaf+

This password is built with a 3-component framework. The first component is A2Z4ix which is the constant password initializer. The second component is koobecaf which is the reversed name of the platform for which you are creating the password (in this case facebook). The third component is the special character or symbol. With this framework you only have to remember two things: your password initializer at the beginning, which should contain at least one uppercase letter and a number, and the special character at the end, which could be any symbol of your choice. These two things are constants and don’t have to be changed; the only variable is what’s in the middle.

So if you’re creating passwords on several platforms with this framework, they would look something like this:

Instagram: A2Z4ixmargatsni+

Twitter: A2Z4ixrettiwt+

Quora: A2Z4ixarouq+

Reddit: A2Z4ixtidder+

You will never have to repeat passwords on any two platforms, and you can have a hundred different passwords that you will never forget!

We need you to do this for the sake of all of us; you can’t be Conscripted and do otherwise. From the last data breach we had, we already are concerned about how safe we are with a password like yours. Is this something you would do?

Marching Orders

1. Always use passwords that are complex enough to keep others out and recallable enough to let you in.
2. Don’t use the same password across multiple platforms.
3. Create your own password initializer and special character and use it to create your password generating framework.
4. Go right now to all your critical platforms where you have repeated passwords and change them to the unique passwords generated by your framework.
5. Finally, sound the battle cry to those around you—“Our world could be destroyed with a password like yours.”