Cybersecurity Bootcamp | Module 3

Online Security
Class Pointers

● Please switch on your webcams! Communication is 70% body language.

● This is not a webinar. This is an interactive, hands-on training workshop, where
everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter your starting
level.

© 2022 Vertical Institute

Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!

Step 1:

Step 2:

© 2022 Vertical Institute

Agenda
Tutorial Activity
• Password security • Password strength checker
• Brute-force attacks • Enable multi-factor authentication in accounts
• Commonly used passwords • Adjust privacy settings for social media accounts
• Previously exposed passwords • Check for activities online of accounts
• Password strength • Search for information of a company using
• Account security Open-Source Intelligence
• Email accounts
• Social media accounts
• Bank accounts
• Open-Source Intelligence (OSINT)

© 2022 Vertical Institute

 How long does it take to crack the password “abcdefgh”?

A. Seconds
B. Minutes
C. Hours
D. Days
E. Weeks

© 2022 Vertical Institute

Vertical Institute
 How long does it take to crack the password “abcdefgh”?

A. Milliseconds
B. Seconds
C. Minutes
D. Hours
E. Days
F. Weeks

© 2022 Vertical Institute 6

Vertical Institute
Password Security
How fast do hackers crack your password?

© 2022 Vertical Institute

Topmost common passwords

© 2022 Vertical Institute

How do hackers break passwords?

Brute-force attack

Exposed passwords

Try commonly used

passwords

© 2022 Vertical Institute

 11

Brute-force
attack: lock
combination

© 2022 Vertical Institute

How do hackers break passwords?

© 2022 Vertical Institute

 13

#: Password
1 password
2 123456
3 12345678
4 1234
How do hackers
5 qwerty
break passwords?
6 12345
7 dragon

Commonly used 8 baseball

passwords 9 football
10 letmein
11 monkey
12 696969

© 2022 Vertical Institute

 Remember
Kali Linux? ● /usr/share/nmap/nselib/data/passwords.lst
● Commonly used password list

© 2022 Vertical Institute

How do hackers break passwords?
#: Password MD5 Length L U N Meter

1 password 5f4dcc3b5aa765d61d8327deb882cf99 8 8 0 0 check

2 123456 e10adc3949ba59abbe56e057f20f883e 6 0 0 6 check

3 12345678 25d55ad283aa400af464c76d713c07ad 8 0 0 8 check

4 1234 81dc9bdb52d04dc20036dbd8313ed055 4 0 0 4 check

5 qwerty d8578edf8458ce06fbc5bb76a58c5ca4 6 6 0 0 check

6 12345 827ccb0eea8a706c4c34a16891f84e7b 5 0 0 5 check

7 dragon 8621ffdbc5698829397d97767ac13db3 6 6 0 0 check

8 baseball 276f8db0b86edaa7fc805516c852c889 8 8 0 0 check

9 football 37b4e2d82900d5e94b8da524fbeb33c0 8 8 0 0 check

10 letmein 0d107d09f5bbe40cade3de5c71e9e9b7 7 7 0 0 check

11 monkey d0763edaa9d9bd2a9516280e9044d885 6 6 0 0 check

12 696969 7d0710824ff191f6a0086a7e3891641e 6 0 0 6 check

© 2022 Vertical Institute

Database attack
UserId Username Email Password

1 Alice alice@gmail.com 5f4dcc3b5aa765d61d8327deb882cf99

2 Bob bob@gmail.com e10adc3949ba59abbe56e057f20f883e
3 Michael michael@gmail.com 25d55ad283aa400af464c76d713c07ad
4 Joe joe@gmail.com 81dc9bdb52d04dc20036dbd8313ed055
5 Tracy tracy@gmail.com d8578edf8458ce06fbc5bb76a58c5ca4
6 Stephen stephen@gmail.com 827ccb0eea8a706c4c34a16891f84e7b
7 Mike mike@gmail.com 5f4dcc3b5aa765d61d8327deb882cf99

© 2022 Vertical Institute

How do hackers break passwords?
#: Password MD5 Length L U N Meter

1 password 5f4dcc3b5aa765d61d8327deb882cf99 8 8 0 0 check

2 123456 e10adc3949ba59abbe56e057f20f883e 6 0 0 6 check

3 12345678 25d55ad283aa400af464c76d713c07ad 8 0 0 8 check

4 1234 81dc9bdb52d04dc20036dbd8313ed055 4 0 0 4 check

5 qwerty d8578edf8458ce06fbc5bb76a58c5ca4 6 6 0 0 check

6 12345 827ccb0eea8a706c4c34a16891f84e7b 5 0 0 5 check

7 dragon 8621ffdbc5698829397d97767ac13db3 6 6 0 0 check

8 baseball 276f8db0b86edaa7fc805516c852c889 8 8 0 0 check

9 football 37b4e2d82900d5e94b8da524fbeb33c0 8 8 0 0 check

10 letmein 0d107d09f5bbe40cade3de5c71e9e9b7 7 7 0 0 check

11 monkey d0763edaa9d9bd2a9516280e9044d885 6 6 0 0 check

12 696969 7d0710824ff191f6a0086a7e3891641e 6 0 0 6 check

© 2022 Vertical Institute

What is password hashing?

Hashing turns your password (or any other piece of data) into a short string of letters
and/or numbers using a hashing algorithm. If a website is hacked, cyber criminals don't
get access to your password. Instead, they just get access to the “hash” created by your
password.

© 2022 Vertical Institute

What is password hashing?

Password Hash Hashed value

© 2022 Vertical Institute

Password hashing exercise

https://www.md5hashgenerator.com/
© 2022 Vertical Institute
What is salt for password?

Adding random data to the input of a hash function to guarantee a

unique output, the hash, even when the inputs are the same.

© 2022 Vertical Institute

What is salt for password?

https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
© 2022 Vertical Institute
 Create Secure Passwords

Follow these guidelines to security

● Have at least 8-16 characters
● Be a mix of numbers, symbols, capital
and lower-case letters
● Not a dictionary word
● Do not reuse passwords
● Change passwords regularly

© 2022 Vertical Institute

Vertical Institute
 Exercise. Check password strength

https://www.security.org/how-secure-is-my-password/

© 2022 Vertical Institute

 Password Checker from Cybersecurity
Agency of Singapore (CSA)

https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker

© 2022 Vertical Institute

Vertical Institute
How to remember all these passwords?

© 2022 Vertical Institute

Mobile Device
Password Manager iCloud Key Chain
iPhone

© 2022 Vertical Institute

iPhone

Turn on iCloud Keychain on your iPhone, iPad, or iPod touch

https://support.apple.com/en-us/HT204085

© 2022 Vertical Institute 28

Samsung

Samsung Pass is a secure and easy way

to use your biometrics to sign in to
websites and apps on your phone.

Once you scan your fingerprints, you can

sign in without typing in your ID and
password. With Samsung Pass, there's no
need to memorise all those IDs and
passwords for all your accounts.

https://www.samsung.com/sg/support/mobile-devices/what-is-sam
© 2022 Vertical Institute sung-pass-and-how-to-register-it/
Vertical Institute
 Roboform
Bitwarden
A password manager is essentially an encrypted
digital vault that stores the login information you
use to access apps on mobile devices, websites
and other services.

© 2022 Vertical Institute

Password Manager: Roboform

© 2022 Vertical Institute

Password Manager: BitWarden

© 2022 Vertical Institute

Change your exposed passwords now!

“The US is worried that hackers are stealing data today so

quantum computers can crack it in a decade”

https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-comp
uters-us-homeland-security-cryptography/

© 2022 Vertical Institute

Why do we need Multi-Factor Authentication?

● Usernames and passwords are regularly exposed

● An additional factor to authenticate is necessary to prove the user is who they claim
they are
● Stops hacker from gaining further access into the account without step up
authentication

© 2022 Vertical Institute

Exercise: Enable multi-factor authentication

https://myaccount.google.com/security?pli=1

© 2022 Vertical Institute

Exercise: Enable multi-factor authentication

https://account.microsoft.com/security/

© 2022 Vertical Institute

Account security
 Account Recovery
Forgot your password
1. Follow the steps to recover your Google Account or Gmail.
• You'll be asked some questions to confirm it's your account. Answer the
questions as best as you can.
• If you have trouble, try the tips to complete account recovery steps.
2. Reset your password when prompted. Choose a strong password that you
haven't already used with this account. Learn how to create a strong password.

Forgot the email address you use to sign in

1. Follow the steps to find your username. You’ll need to know:
• A phone number or the recovery email address for the account
• The full name on your account
2. Follow the instructions to confirm it’s your account.
3. You’ll see a list of usernames that match your account.

© 2022 Vertical Institute

 Exercise:
Publicly Available
Information
- Facebook https://www.facebook.com/settings?tab=privacy

© 2022 Vertical Institute

 Exercise:
Publicly Available
Information
- YouTube https://www.youtube.com/account_privacy

© 2022 Vertical Institute

Identity Theft

© 2022 Vertical Institute

Prevent Identity Theft

01 02 03 04
Check credit Monitor Keep Keep
card report account financial personal data
regularly statements information private
safely

© 2022 Vertical Institute

 Check credit card
report and monitor
account
statements

© 2022 Vertical Institute

 Keep financial
information
safely

© 2022 Vertical Institute

 One woman had the shock of her life when she
Signs your bank noticed that nearly $300 had been deducted from her
account or credit bank account.
card may be
compromised And to add salt to injury, this entire fiasco started off
with her doing what most of us would have done
— ignoring a one-time password (OTP) message.

https://www.asiaone.com/singapore/woman-ignores-otp-message-and-loses-almo
© 2022 Vertical Institute
st-300-online-fraudsters
 3-D Secure ● Is an OTP required for all online purchases?

© 2022 Vertical Institute

 3-D Secure ● Is an OTP required for all online purchases?
● No. OTP for online payment is required only at
merchant websites that support the 3-D Secure
(3DS) authentication protocols which provide
extra security for online transactions.

© 2022 Vertical Institute

 3-D Secure

© 2022 Vertical Institute

 What to do?
● Quickly call up the bank to disable the card and
to report on the fraudulent charges

© 2022 Vertical Institute

 Card fraud ● Credit cards and pins copied during use of
alert credit card
● Refrain from using cards with magnetic strip
authentication

© 2022 Vertical Institute

 Local and
overseas fund ● Set proper authorization limit
transfers ● Disable use of overseas transaction
/Bill payments

© 2022 Vertical Institute

 Keep personal
data private

© 2022 Vertical Institute

 Strange email outbox

Signs your online

Friends complaining you
account has been are sending strange
compromised messages

Getting unknown emails

© 2022 Vertical Institute

Signs your online account has been compromised

Receiving SMS of unauthorised login

© 2022 Vertical Institute

Signs your online account has been compromised

Unknown outbox or sent emails

© 2022 Vertical Institute

Signs your online account has been compromised

Strange activities on your social media accounts

© 2022 Vertical Institute

 Strange email outbox

Signs your online

Friends complaining you
account has been are sending strange
compromised messages

Getting unknown emails

© 2022 Vertical Institute

Exercise: Check your online activity
https://myactivity.google.com/myactivity

© 2022 Vertical Institute

Exercise: Check your online activity
https://account.live.com/Activity

© 2022 Vertical Institute

Exercise. Check
your Facebook
•Tap on your profile picture in the top left of Facebook to go to your
profile.

activity
•Tap below your profile picture, then tap Activity Log.
•Tap Category at the top of your activity log to review activities
like:
•Things you've posted.
•Posts you've hidden from your timeline.
•Photos and videos you've posted or that you've been tagged in.
•Friends you've added or removed.

© 2022 Vertical Institute

Open-Source
Intelligence (OSINT)
 Open-Source
Intelligence
(OSINT)

© 2022 Vertical Institute

 Domain name
of a company

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable
-from-third-party-breaches-0184453/

© 2022 Vertical Institute

 Find hacked
employees

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable
-from-third-party-breaches-0184453/

© 2022 Vertical Institute

 Email
discovery of a
company

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vu
lnerable-from-third-party-breaches-0184453/

© 2022 Vertical Institute

Exposed passwords

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vu
lnerable-from-third-party-breaches-0184453/

© 2022 Vertical Institute

Completion of an open-source investigation

© 2022 Vertical Institute

Open-Source Intelligence Phases

Data harvesting Data analysis

Source Data processing

Results delivery
identification and integration

© 2022 Vertical Institute

Exercise. Search Yourself

1 2 3
Enter your name in Enter your email in Enter your phone
Google search Google search number in Google
search

© 2022 Vertical Institute

Phishing in financial
services
 Scams type related
to financial services

© 2022 Vertical Institute

Phishing attacks in financial services

Baiting users to click on a link

Stealing user data by pretending to be from a bank

Tricking users into installing fake bank apps

© 2022 Vertical Institute

Vertical Institute
 Phishing email masquerading as a
financial services company

© 2022 Vertical Institute

Phishing scams in Singapore affecting financial services customers

● At least 28 victims have lost about S$114,000 since May this year after
giving their personal details and one-time passwords (OTPs) to
scammers, SPF said in a news release.
● Victims of the latest spate of phishing scams fell prey to scammers after
receiving phone calls or SMSes from people posing as bank employees.
● Those who received phone calls were asked for their personal details, such
as their Internet banking username and password.
● The police said this was done "under the pretext that the bank required their
personal information to verify transactions performed ... or that the victim
was under investigation for transferring large sums of money to another
bank".
https://www.channelnewsasia.com/singapore/spf-warning-bank-employee-impersonation-scams-2728071
© 2022 Vertical Institute
Phishing scams masquerading as a financial services company

https://www.channelnewsasia.com/singapore/spf-warnin
g-bank-employee-impersonation-scams-2728071

© 2022 Vertical Institute

Verify identity of caller

Ask for their name Drop the call Call the official hotline Request to be routed to
and email address presented in the the caller if the caller
bank’s website exists in the bank

© 2022 Vertical Institute

Scams type related to
financial services
Fake SMS masquerading as a financial services organization

© 2022 Vertical Institute

Fake SMS masquerading as a financial services organization

© 2022 Vertical Institute

Fake SMS masquerading as a financial services company

© 2022 Vertical Institute

Fake website cloned from a financial services company’s login page

© 2022 Vertical Institute

Job scams

● Asking you to make payment first to secure the job

● Asking you to download an app from a 3rd party site
● Giving you quick cash gain and requesting you to deposit more later on

© 2022 Vertical Institute

Job scam
I was approached by a lady name Wendy Eng from telegram she texted me several times if I'm interested to know about a job with daily commission of $10-$200.
I didn't reply but she was persistent so I give her a chance to share. Subsequently, she referred me to her agent, jacelyn. She added me into a telegram group chat
of 12 people and shared that i have to register a login via the website and the step by step guide to do the hotel rating and withdrawal of commission. The first set
was free of charge as the company have top up $105 for new user to trial and complete a set of 35 Hotel ratings. I received my commission of $11 and was told to
withdraw via paynow.

Group members started messaging me to tell me how long they have been into this and how it have help them build some passive income. I was skeptical but they
assured me its legit and encourage me to renew in order to complete another set of 35 hotel ratings. After much thoughts I renewed, The admin mention I need to
deposit $105 so that I could start (reason: It is the same as booking a hotel and complete the rating) And i could withdraw the $105 plus commission after i
complete 35 ratings. Payment mode via paynow.

So I embarked on my second set of rating. At the 17th ratings , i was given a deluxe package which is 5x the commission I thought I was lucky. However, the
system did not allow me to continue and my deposit become negative. I asked the admin and was explained that it is a system assign bonus, in order to continue i
need to deposit more money to the froze account and I deposited $400 to continue. at the 25th rating I have another deluxe package and my deposit became
negative, admin again explained i need to deposit $600 to continue, and i did. again at the 32th rating I was given another deluxe package, same thing my
DEPOSITs become negative and was told to deposit another 2.5k. I came to realised that something is not right and threaten to report to the police, they say I can
go ahead as they have lawyer to support the case and was advised to deposit so that I can finish my set of 35 ratings to withdraw all my deposits and commission.

I didn't continue anymore and ignore all the chats and telegram.

https://www.scamalert.sg/stories-details/Story-06Jul2022224556PM

© 2022 Vertical Institute

Loan scam

Licensed moneylenders cannot advertise their services online, including social media, via
messaging apps, SMSes or cold calls. Some of these scammers will misuse legitimate
companies' details such as name, licence numbers, or even create fake websites in their
name to fool users. In order to ensure that you do not get scammed, only contact licensed
moneylenders through the details shown on this
website: https://rom.mlaw.gov.sg/information-for-borrowers/list-of-licensed-moneylenders-in-
singapore/.

Licensed moneylenders are NOT allowed to disburse loans remotely but only at the
registered office location.

© 2022 Vertical Institute

Common types of online scams
• Car Rental Scam
• Cold Call Supplier Scam
• Cyber Extortion Scam
• Home/Room Rental Scam
• Impersonation Scam
• Inheritance Scam
• Internet Love Scam
• Investment Scam
• Job Scam
• Loan Scam
• Online Travel Vacation Scam
• Software Update Scam
• Spoofed/Hacked Email Scam
• Social Media Impersonation / Whatsapp Takeover Scam

© 2022 Vertical Institute

 That’s a lot of scams!

© 2022 Vertical Institute

Always verify before you do anything

● Verify the identity of the caller

● Verify the identity of the website
● Verify the email
● Verify before you do anything

© 2022 Vertical Institute

One-Time Password (OTP)

● Used as part of Multi-Factor Authentication

(MFA)
● Do not share your OTP to anyone
○ Could be a fake caller disguising as
the bank to use OTP to verify your
identity

https://www.scamalert.sg/scam-signs-otp-requests

© 2022 Vertical Institute

Vertical Institute
Bring Your Own Device (BYOD)

● Users can use their personal devices to access corporate network and data like email,
shared folders and websites
● Risk at user’s device
○ Ensure that device is not rooted
○ Device supports work profile
○ Device is able to isolate between work and personal data
○ Security mechanisms to be configured at user’s mobile device

© 2022 Vertical Institute

 How long does it take to crack the password “abcdefgh”?

A. Milliseconds
B. Seconds
C. Minutes
D. Hours
E. Days
F. Weeks

© 2022 Vertical Institute

 How long does it take to crack the password “abcdefgh”?

A. Milliseconds
B. Seconds
C. Minutes
D. Hours
E. Days
F. Weeks

© 2022 Vertical Institute

 Why should we use passwords longer than 8
characters with upper, lower cases and symbols?

A. So that it takes a longer time for the hackers to crack

B. Beautify the passwords
C. Test our memory

© 2022 Vertical Institute

 Why should we use passwords longer than 8
characters with upper, lower cases and symbols?

A. So that it takes a longer time for the hackers to crack

B. Beautify the passwords
C. Test our memory

© 2022 Vertical Institute

 Why should I privatise my personal
information?
A. Protect against hackers stealing my data and building a blueprint of my identity
B. Prevent disclosure of personal information
C. Prevent identity theft
D. All of the above

© 2022 Vertical Institute

 Why should I privatise my personal
information?
A. Protect against hackers stealing my data and building a blueprint of my identity
B. Prevent disclosure of personal information
C. Prevent identity theft
D. All of the above

© 2022 Vertical Institute

Checking my account activity regularly helps flag out suspicious activities

A. True
B. False

© 2022 Vertical Institute

Checking my account activity regularly helps flag out suspicious activities

A. True
B. False

© 2022 Vertical Institute

How to prevent identity theft?

A. Check credit card report regularly

B. Monitor account statements
C. Keep financial information safely
D. Keep personal data private
E. All of the above

© 2022 Vertical Institute

How to prevent identity theft?

A. Check credit card report regularly

B. Monitor account statements
C. Keep financial information safely
D. Keep personal data private
E. All of the above

© 2022 Vertical Institute

You see an advertisement on Facebook for loan with low interests

A. Register interests for the loan if you are in need of money

B. Report the link as licensed moneylenders are not allowed to advertise online

© 2022 Vertical Institute

You see an advertisement on Facebook for loan with low interests

A. Register interests for the loan if you are in need of money

B. Report the link as licensed moneylenders are not allowed to advertise online

© 2022 Vertical Institute

You clicked onto a link from your bank, the URL looks different but the login
page looks exactly the same. What do you do?

A. Enter your username and password to login

B. Close the browser’s tab and go to the official banking app or website to login
to check on the transaction

© 2022 Vertical Institute

You clicked onto a link from your bank, the URL looks different but the login
page looks exactly the same. What do you do?

A. Enter your username and password to login

B. Close the browser’s tab and go to the official banking app or website to login
to check on the transaction

© 2022 Vertical Institute

You are in contact with a job recruiter who asked you to receive money from a bank and transfer the amount to
another bank account. You will receive 5% commission for helping do the transfer. What do you do?

A. Do not run the transaction as it may be part of money laundering

B. Run the transaction through as this is an easy money job

© 2022 Vertical Institute

You are in contact with a job recruiter who asked you to receive money from a bank and transfer the amount to
another bank account. You will receive 5% commission for helping do the transfer. What do you do?

A. Do not run the transaction as it may be part of money laundering

B. Run the transaction through as this is an easy money job

© 2022 Vertical Institute

What have we learned today?
Activity
Tutorial
• Password strength checker
• Password security
• Enable multi-factor authentication in accounts
• Brute-force attacks
• Adjust privacy settings for social media accounts
• Commonly used passwords
• Check for activities online of accounts
• Previously exposed passwords
• Search for information of a company using
• Password strength
Open-Source Intelligence
• Account security
• Email accounts
• Social media accounts
• Bank accounts
• Open-Source Intelligence (OSINT)

© 2022 Vertical Institute

 Thank You!

© 2022 Vertical Institute