#245 - Your Home Is Launching Cyber Attacks (And You Don't Know It) - Joseph Yap
“If someone broke into your network, it’s like they have access to your house but you don’t know that they’re there. It’s a bit like the Invisible Man. It’s very freaky if someone is standing behind you, but you don’t know them and they’re there 24/7 watching everything that you do.”
Did you know Singapore is one of the world’s top countries launching cyberattacks? Not as a victim, but as the source. Your routers, smart TVs, robot vacuums, or network-attached storage could be part of a massive botnet right now.
In this eye-opening episode, Joseph Yap, founder of Otonata and cybersecurity expert, reveals the hidden cyber threat lurking in our homes. He shows how everyday devices, from routers to smart TVs, become attack weapons, explains why Singapore’s excellent infrastructure ironically makes it attractive for hackers, and shares practical steps to protect your network. From residential proxies renting out your internet connection to teenagers running ransomware gangs, this conversation exposes the gap between our connected lives and our digital security practices.
Key topics discussed:
- Why Singapore, Indonesia, and Vietnam are top cyberattack source countries
- Why Singapore’s infrastructure makes it attractive for hackers
- How 700,000+ compromised devices launch 30 terabits per second DDoS attacks
- The rise of residential proxies and dark web rental of home networks
- How hackers exploit publicly disclosed vulnerabilities in outdated firmware
- Why AI is lowering the barrier to entry for hackers
- What makes executives and high-net-worth individuals attractive targets
- Practical steps to audit and protect your home network
Timestamps:
- (00:02:40) How Can I Apply Journalism Skills to Tech Leadership?
- (00:06:14) Why is Curiosity Essential for Tech Leaders?
- (00:08:48) Why is Singapore a Top Source for Cyber Attacks?
- (00:12:11) What Makes Singapore Attractive for Cyber Attacks?
- (00:16:39) How Many Devices in Singapore are Already Compromised?
- (00:20:40) How Can I Tell if My Home Network is Compromised?
- (00:30:13) Which Devices are Hackers’ Favorite Entry Points?
- (00:33:18) What is a Residential Proxy and Why Should I Care?
- (00:36:27) How do Hackers Actually Break into My Network?
- (00:47:47) Why are Executives and High-Net-Worth Individuals Prime Targets?
- (00:55:12) Why isn’t Singapore’s Cyber Attack Problem in the News?
- (00:59:26) Can Internet Providers Stop These Attacks?
- (01:02:16) What Can I Do to Protect My Home Network?
- (01:05:19) How Do I Protect My Network-Attached Storage (NAS)?
- (01:10:41) How is AI Changing the Cyber Attack Landscape?
- (01:17:35) How Can Otonata Help Protect My Home Network?
- (01:23:39) What are Real-World Examples of Home Network Compromises?
- (01:28:20) 3 Tech Lead Wisdom
_____
Joseph Yap’s Bio
Joseph Yap possesses over two decades of experience in Operations and Supply Chain for large corporate businesses, where he leveraged IT and data to make strategic decisions. Having seen first-hand the disruption and damage that came with security breaches and realising how at-risk the home network environment was, he put his energy into tailoring corporate-grade cybersecurity practices to the endless variety of home environments, with the goal to build a system that could scale and protect more people. His cybersecurity practice is called Otonata (https://otonata.com), named after the dragonfly, a silent bug catcher.
The current trends are working against home users - More AI, more computing power, more ‘smart’ technology and shorter attention spans. These have resulted in an unprecedented growth in ‘attack surfaces’ for hackers to weaponise against outmatched victims.
Otonata builds on basic principles such as digital hygiene and lean management, augmenting automation and AI to enhance cybersecurity. While each house differs by attractiveness and vulnerability, Otonata has already protected dozens of households and aims to expand its protective umbrella to cover many more.
Follow Joseph:
- LinkedIn – linkedin.com/in/-joseph-yap
- Otonata – https://otonata.com/
- Free Hack Check – https://otonata.com/hack-check
Mentions & Links:
- Minister Shanmugam’s speech at Cyber Security Agency of Singapore’s 10th Anniversary Dinner - https://www.csa.gov.sg/news-events/speeches/opening-speech-by-mr-k-shanmugam--coordinating-minister-for-national-security-and-minister-for-home-affairs--at-csa-10th-anniversary-dinner/
- Singapore state of cybersecurity - https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/
- Singapore #2 DDoS source - https://blog.cloudflare.com/ddos-threat-report-for-2025-q2/
- SG 117,300 infected systems - https://www.csa.gov.sg/news-events/press-releases/a-decade-of-strengthening-singapore-s-cyber-defence-amid-escalating-threats/
- Medibank Private cyber incident - https://www.qld.gov.au/community/your-home-community/cyber-security/cyber-security-for-queenslanders/case-studies/medibank-private-cyber-incident
- Medibank 520GB breach timeline - https://www.oaic.gov.au/__data/assets/pdf_file/0037/228979/Medibank-data-breach-alleged-timeline-infographic.pdf
- Aisuru botnet shifts from DDoS to residential proxies - https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/
- Rising residential proxy threat - https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/
- DDoS attacks surpass 2024 - https://securityweek.com/ddos-attacks-blocked-by-cloudflare-in-2025-already-surpass-2024-total/
- IoT botnet DDoS attacks - https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
- 2,700 SG devices botnet - https://channelnewsasia.com/singapore/infected-devices-uncovered-singapore-cyber-operation-global-botnet-4984096
- SG Mirai router advisory - https://industrialcyber.co/control-device-security/singapores-csa-issues-urgent-advisory-on-mirai-botnet-threat-to-industrial-routers-smart-home-devices
- D-Link active exploits - https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks/
- D-Link unpatched RCE PoCs - https://fieldeffect.com/blog/pocs-published-for-unpatched-rce-vulnerabilities-in-d-link-routers
- IoT vulnerability trends 2025 - https://www.astrill.com/blog/iot-device-vulnerabilities/
- Top IoT security risks - https://www.sentinelone.com/cybersecurity-101/data-and-ai/iot-security-risks/
- IoT hacking statistics - https://deepstrike.io/blog/iot-hacking-statistics
- IoT breaches 2025 - https://asimily.com/blog/the-top-internet-of-things-iot-cybersecurity-breaches-in-2025/
- 700+ printers vulnerable - https://www.pcmag.com/news/700-plus-printers-have-this-security-flaw-how-to-check-and-fix-yours
- Lateral movement tactics - https://www.cynet.com/network-attacks/lateral-movement-challenges-apt-and-automation/
- APT neighbor compromise - https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-cove
- Password strength tester - https://bitwarden.com/password-strength/
- Internet of things (IoT) - https://en.wikipedia.org/wiki/Internet_of_things
- Distributed denial-of-service (DDoS) - https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
- Remote Code Execution (RCE) - https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/
- Nearest Neighbor attack - https://www.kaspersky.com/blog/nearest-neighbor-wi-fi-attack/52763/
- Zero-day vulnerability - https://en.wikipedia.org/wiki/Zero-day_vulnerability
- Residential proxy - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-rise-of-residential-proxies-and-its-impact-on-cyber-risk-exposure-management
- Residential criminal proxies - https://hydrolix.io/blog/residential-criminal-proxies/
- Network-attached storage - https://en.wikipedia.org/wiki/Network-attached_storage
- Password manager - https://en.wikipedia.org/wiki/Password_manager
- Scattered Spider - https://en.wikipedia.org/wiki/Scattered_Spider
- Brian Krebs - https://en.wikipedia.org/wiki/Brian_Krebs
- Thermomix - https://en.wikipedia.org/wiki/Thermomix
- Neuralink - https://en.wikipedia.org/wiki/Neuralink
- Android MediaPlayer - https://developer.android.com/media/platform/mediaplayer
- DigitalOcean - https://en.wikipedia.org/wiki/DigitalOcean
- Singtel - https://en.wikipedia.org/wiki/Singtel
- Starhub - https://en.wikipedia.org/wiki/StarHub
- D-Link - https://en.wikipedia.org/wiki/D-Link
- Zero Day Initiative - https://www.zerodayinitiative.com/
- Anthropic - https://en.wikipedia.org/wiki/Anthropic
- Cloudflare - https://en.wikipedia.org/wiki/Cloudflare
- STAR Labs - https://starlabs.sg/
- Fort Knox - https://en.wikipedia.org/wiki/Fort_Knox
- Master of Pwn - https://en.wikipedia.org/wiki/Pwn2Own
- Black Mirror - https://en.wikipedia.org/wiki/Black_Mirror
How Can I Apply Journalism Skills to Tech Leadership?
- I’ve changed career paths quite a bit along the way, but I found that for every change that I made, there was always something that I had learned before that I could leverage to a new role. Changing career paths and finding that actually there’s stuff I can carry over from a previous role was quite helpful.
- I’ve also found that over the 20+ years of corporate life, one of the biggest learnings that I had was thinking about people. In the space that I’ve been, which is really to do with operations and supply chain, we often forget that businesses are run by people, organizations are run by people. My expertise of familiarity has been with processes and trying to simplify and stabilize things. But unfortunately, if you don’t think about the people aspect of that, things will always go wrong.
- One of the biggest lessons that I had in my last 10 years or so was dealing with complexity. So going back to what I said about people, when you’re not managing processes with thinking about people and how much effort it can take someone to make a lot of micro decisions, how much fatigue they can put someone through. We have to work out how to make it easier for people not to deal with so much complexity and put the burden on themselves.
- So when I think about developing processes now, a lot of it is around, one, what is the value add? And two, how do I minimize the ability for human error for something to go wrong because of that?
Why Is Curiosity Essential for Tech Leaders?
- A desire to be curious and to learn. So I’ve taken on several roles where I knew nothing about the role when I first took it up.
- I found that being a journalist helped me, gave me the skills to ask why, and to be curious and learn about something so that when, down the path, other career paths that I took, I had the skills and the interest to chase the story down to ask why. Why is it like this? And be curious about it. Journalism helped me develop a few tool sets to be able to talk to people to be curious about what they do and why.
Why Is Singapore a Top Source for Cyber Attacks?
- I found this super interesting ‘cause when it first came on my radar, Singapore was among the top 10, firstly, and then slowly increasing. It was earlier this year, Singapore was the second country in the world where attacks were coming from.
- You hear a lot in the media about cybercrime, scams. Singapore lost a billion dollars last year to scams. But you nearly never hear about Singapore being a source of cyber attacks. You hear about Myanmar, Cambodia, the Golden Triangle, where all the scam centers are.
- So when I first came across that information from Cloudflare, and keep in mind, it’s not just their report about it, it’s actually they have the data and the breakdown, the stats. When I first looked at that, and I dug into it, the number one country in the world was, at that point, Indonesia, and then Singapore was number two. But Indonesia is a much bigger country, much bigger population. Singapore was a lot smaller.
- But when you look at the breakdown of where the attacks were coming from, the number one source at the point in time was DigitalOcean, which is hosting VMs, a lot of servers. Singapore is a lot digitalized services, so I get that. But then you look further down the track, it’s Singtel and then Starhub, and these are where people’s internet connections are. And what that occurred to me was actually, it’s not one specific part of Singapore that’s where the attacks are coming from. It’s across the entire trench.
- I looked up the statistics for the last six months, effectively in the top six, in the last six months, between Indonesia, Singapore, and Vietnam, 20% of attacks are coming from these three countries. And when you think about proportion versus the rest of the world, sources of attack, Singapore rates above China. You look at the amount of technology that’s in China versus Singapore and the size, but the attacks are coming from Singapore. I thought, huh, this is really interesting. It’s concerning ‘cause no one’s talking about it. My curious mind goes, hmm, why? What makes it so interesting? What makes Singapore so special or susceptible to being the source?
What Makes Singapore Attractive for Launching Cyber Attacks?
- The key point of clarification here is even though that’s where the attacks are being launched from, it doesn’t mean that there’s a huge crime community in Singapore of hackers. This is the launch points for the attacks. And also, specifically, a lot of these attacks are DDoS attacks at the moment, which means that it’s a distributed denial of service attack which is coordinating hundreds of thousands of devices to all attack one point at the same time, to disrupt them, to try and shut down the traffic or to overload them. So that’s one specific type of attack.
- Singapore is in that list because primarily, my expectation is there’s two reasons why Singapore is such an attractive spot to be a source of attacks. The first is capability. So since the eighties, the Singapore government has been very actively promoting information technology and information economy. Everything’s digitalized. There’s a lot of services that are online, paperless society, for the last 40 years that trend has been consistently growing and it doesn’t look like it’s gonna slow down anytime soon. What that means is that everyone has access, everyone has multiple devices, and everyone is used to having that connectivity.
- One key example is if you look at, even for low income households, it’s almost like a minimum basic standard of living now. Even for a very low price, you get high speed fiber access. A lot of countries around the world, you don’t get the benefit.
- The other one is Singapore is generally quite a law abiding society. So people are very well aware of following the rules and are well respected in the international community for being that law abiding society. And one of the examples I use is if you look at the passport, Singapore is one of the best countries in the world where you get to travel to many countries visa free. So the reputation of international standing there and expectations of safety, Singapore is a really good spot for that. Now unfortunately, if you are a cyber criminal and you don’t have to worry about the rules and you have access to the country, that also means that as a country, this is a really good spot to be attacking from.
- That’s why I think from the statistics that you’ve seen or that Cloudflare publish, it’s not one specific spot. It’s across the entire country. If you look at where all their attacks are coming from, it’s people’s houses. It’s servers. It’s anything that you can get your hands on.
- The other thing I was gonna mention as well was there is a bit of a consumer culture to buy fancy new devices that are internet connected. I dunno how many devices everyone has in their house now. Average 20 to 40 internet connected devices. But now you’ve got washing machines, you’ve got fridges, robot vacuums, security cameras. This is the extra stuff on top of your routers, your smart TV, your smart speakers. There’s just more and more things that are being built with IoT and smart technology into it. It’s just gonna grow. The attack surface is just gonna keep growing.
How Many Devices in Singapore Are Already Compromised?
- Probably, yeah, quite frankly, if I looked at the statistics now, the last one of the last publicly known ones, a botnet that was recently revealed to be the largest botnet, active botnet right now. They counted over 700,000 devices attacking at the same time. It hit 30 terabits per second. If you think about what that translates to, it’s like downloading all of Netflix within minutes. That’s a massive amount of volume.
- Just law of averages, if you take the total volume of the attacks and you break them down to the countries and the sources, I think I worked out Singapore was probably about 2% of that. So if you think about how many households there are here, 1.5 million households, 2% is quite a lot. And that’s just one bot at one point in time that could be identified.
- Personally, when I’ve gone around to people’s houses to see what’s on their network, I’ve already found houses that have been compromised. So the device has a back door or has already been hacked and people haven’t really paid attention to it or realized it.
- One of the hardest things to do from a maintenance and admin point of view, unfortunately, is actually to see what’s on your network. It’s not hard in the sense of having access to your router. It’s hard in the sense of thinking that you even have to do it and then, you just wanna connect to something and just leave it and you forget about it. The natural tendency is that for humans we just want to plug it in and have fun with it, but you forget that actually everything that you plug in has to be maintained.
- One big learning that I had in the last 10 years or so was that physical things have an end of life. Devices have an end of life, but we don’t really think about that because my speakers still play music when I expect it to. But really it’s probably already been hacked because it was from 10 years ago.
- Two recent examples. D-Link, which are a very big brand for routers, just a few days ago, someone reported that there’s a vulnerability, they can be hacked for a device that was launched in 2017. So it’s not that long ago, eight years ago. It was discontinued in 2021. It was a high-end router, but it’s now very hackable. And they’ve also said, they’re not gonna fix it. So people who have those routers, they’re not gonna be constantly thinking about, oh, I’m now exposed, someone’s got a master key to my house, from my router. And they can enter my network. Because it works. If I’m a user and it’s still working, I don’t really think about and consciously go out to pay attention to it.
- And the other thing I also learned recently was, the devices that we completely forget about. It’s fun to set up, but if you don’t find the value from it, you actually forget that it’s connected to the internet. One of the unexpected devices that came up on my radar recently was a Thermomix. It’s wifi enabled. Someone’s worked out how to hack it. You need physical access to the Thermomix to actually hack it. I never thought that there would be even a point of attack. First of all, I don’t know how many people that use the device still use it with the wifi. But it’s one of those things where it has the capability, it’s got the parts for it. If you’re not constantly thinking about keeping up to date, maintaining it, managing it, then it can be used against you.
How Can I Tell If My Home Network Is Compromised?
- In most cases it’s hard to tell.
- One of the challenges with network devices is that if someone broke into your network, it’s different from someone breaking into your house. Even though there are a lot of parallels, this is where I started for myself as well. ‘Cause I was concerned about home security. And I had alarm systems, I had sensor lights. I had enough indicators to tell me if my security is compromised. But then I realized that my network is a whole different ball game, because if someone broke into the home network, it’s like they have access to your house but you don’t know that they’re there. It’s a bit like the movie The Invisible Man. It’s very freaky if someone is standing behind you, but you don’t know them and they’re there 24/7 watching everything that you do. They have access to everything that you have. It’s a scary thought, but it’s a good parallel compared to your physical security. This is your network security.
- How can you tell? There are a few indicators of compromise. One of the ones that I find anyone can do is look at your router and see what the traffic is. Firstly, see what’s connected on your network. Most modern routers should show you everything is listed in the network. If something looks a bit suspicious, as in you don’t really recognize or you can’t find it, you go around everywhere. Maybe it’s your washing machine, maybe it’s the fridge, but you can’t find out what that one device is and it’s sending data and it’s connecting. That’s the one you need to be concerned about.
- Second one, similar to the router is check your firmware. Age is a big factor, a risk factor. If you’ve got a really old router, chances are someone’s already found a way to hack it and has published it. If you haven’t updated the firmware, or in some cases you can’t, you’re not allowed to update the firmware. Unfortunately, in a lot of cases, the firmware is fixed to a much older version. I’ve now physically forced quite a few routers of clients to forget the ISP version and follow the manufacturer’s version. But it’s so much effort to try and do that. Firstly, you need to know about it. And secondly, you gotta put an effort to break out of that.
- One, check what’s on your network. Two, if you can, make sure the router is recently up to date. The third one goes back to the first point. If you’ve got anything suspicious, my business, Otonata, we’ve now got something called a hack check. It’s a free service. Basically you take a photo of a device if it’s something that you are a bit suspicious about, we’ve now got AI to help you recognize what the device is and then also run it through our vulnerability database. And what that means is it will look through for that device, any known publicly disclosed vulnerabilities. So unfortunately, the database is now over 300,000 lines of products. But basically we can tell you that, hey, this product, there’s a risk of it having been hacked before for different reasons.
- The worst one is what’s called RCE, Remote Code Execution, where it’s not just the mobile phones and the laptops. Smart TVs, especially old smart TVs, they’ve got a lot of processing power. ‘Cause if you think about something running 4K and processing a 4K signal, it actually takes quite a bit of power. But if you got an older TV that hasn’t yet been up to date, I think the biggest risk we find are one, age. Two, things which have good processing power. But three, if it’s a dubious brand, a no-name brand. So sometimes you get OEMs that have cobbled together different parts, a screen from here, processing board from there. Those are typically the ones where we found that there has been more cause for concern.
- I’ll tell you a funny story, one of my friends was very proud of the fact that he bought a media player from a very small shop that was $50, but you could access everything. I understand business enough to go, you’re not making money for $50. You have access to pirated movies, streaming from IPTV all over the world and it’s $50 for a lifetime? It reminded me of a quote that if you can’t work out what the product is, you are the product. So it occurred to me much later on that you paid them $50, their job is to feed you with dodgy content, but they’ve got access to your house. You are the proxy. You are the service. $50 doesn’t matter anymore. They’re selling access to your network to be able to access the rest of your network in your devices, in your house.
- So yes, while your laptops and your mobile phones are the ones that you only think about. If you expand that to just go by the processor, your network connection, storage, power, your home could actually be a computer, right? Just split out over different things, distributed computing. Your neighborhood could be a computer. And when you think about how connected everyone is from a wifi point of view, there’s actually now they found another form of attack called nearest neighbor attack. Whereby rather than attacking a target directly, they attack the neighbor, compromise that network, and because it’s wifi distance away, 24/7, they’re just knocking on, checking every single door they can until they find an entry point in. So I find that in Asian countries, and this goes back to one of the hypotheses for why Asia is a hotbed for sources.
- My hypothesis is because everyone’s so dense within wifi points, it’s gonna be quite easy for someone to work out how to attack one location, find wifi around the area, use that to attack someone else’s house, use their resources to attack the neighbor and the neighbor and neighbor. So daisy chain the attack. When I do a scan of where I am now in a 24 hour period the wifi around me, I get over 800 points. If you think about it, it’s almost like someone trying to break into your house, there’s 800 doors to choose from, and you can do it 24/7 because it’s distributed computing. Once you’ve broken into someone else’s house, there’s zero opportunity costs. All you need is an AI written bot to work out how to best maximize that location to attack everybody else.
- It’s whole new cowboy territory. There’s a lot of vectors that are now gonna be AI augmented as well. Researchers are finding more and more new threats that even kids are getting into it. It’s disturbing. But the barrier to entry for hacking now is super low.
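The "see what's connected on your network" check from this section can be scripted on any Linux machine on the LAN. The following is an added example, not something from the episode or from Otonata: it compares the output of `ip neigh show` against a hand-kept device inventory. The sample output, the `KNOWN_DEVICES` inventory and the function names are all constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output from a Linux host on the LAN.
# MACs in 00:00:5e:00:53:xx come from the RFC 7042 documentation range.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.168.1.31 dev eth0 lladdr 00:00:5e:00:53:4c REACHABLE
192.168.1.44 dev eth0 lladdr da:a1:19:3c:77:02 DELAY
192.168.1.60 dev eth0  FAILED
fe80::200:5eff:fe00:5310 dev eth0 lladdr 00:00:5e:00:53:10 router STALE
"""

# Hypothetical inventory the household keeps by hand: MAC address -> device.
KNOWN_DEVICES = {
    "00:00:5e:00:53:01": "router",
    "00:00:5e:00:53:10": "smart TV",
    "00:00:5e:00:53:22": "NAS",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_neighbors(text):
    """Return {mac: sorted list of IPs} for entries that resolved to a MAC.

    FAILED / INCOMPLETE entries carry no `lladdr` field (nothing answered),
    so they are skipped rather than reported as devices.
    """
    seen = {}
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue
        idx = tokens.index("lladdr") + 1
        if idx >= len(tokens):
            continue
        mac = tokens[idx].lower()
        if MAC_RE.match(mac):
            seen.setdefault(mac, set()).add(tokens[0])
    return {mac: sorted(ips) for mac, ips in seen.items()}


def is_software_set(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Such a MAC was assigned in software (privacy MACs on phones, VMs), so a
    vendor-prefix lookup says nothing and the device must be found by
    elimination, e.g. by switching devices off one at a time.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit(neighbors, known):
    """Return (unknown devices on the network, known devices not seen)."""
    unknown = []
    for mac in sorted(neighbors):
        if mac in known:
            continue
        unknown.append({
            "mac": mac,
            "ips": neighbors[mac],
            "software_set_mac": is_software_set(mac),
            # First three octets: the prefix to look up in a vendor registry.
            "vendor_prefix": None if is_software_set(mac) else mac[:8],
        })
    missing = sorted(set(known) - set(neighbors))
    return unknown, missing


if __name__ == "__main__":
    # On a real host, replace the sample with:
    #   subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True).stdout
    neighbors = parse_neighbors(SAMPLE_IP_NEIGH)
    unknown, missing = audit(neighbors, KNOWN_DEVICES)
    for dev in unknown:
        hint = ("software-set MAC, identify by elimination"
                if dev["software_set_mac"]
                else "look up vendor prefix " + dev["vendor_prefix"])
        print(f"UNRECOGNISED {dev['mac']} at {', '.join(dev['ips'])}: {hint}")
    for mac in missing:
        print(f"not seen: {KNOWN_DEVICES[mac]} ({mac})")
```

The neighbour table only lists hosts this machine has recently exchanged traffic with, so the router's own client list remains the more complete source for the inventory.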
Which Devices Are Hackers’ Favorite Entry Points?
- The two most likely sources are either one, your compromised IoT device, which is typically your media player, even your printer. And the other one’s gonna be your router.
- As long as there’s a sufficiently powerful processor in that device, and it is able to be compromised to get to RCE, running code, that’s when it’s going to find everything. It’s doing everything else that a hacker would wanna do, which is look around for your network, look at what combination of devices that you have, and then work out what’s the next best spot to jump into. So that’s called lateral movement.
- If you look at the diagnostics of some of the larger attacks by the more state sponsored, those really powerful APTs, that’s really what they’re looking for. Lateral movement and persistence. Because they don’t just break in and then they go steal everything. It’s not like robbing a bank. They wanna hide there ‘cause they wanna use it to leverage into something else.
- And there have been a few big cases, quite well known cases where, for example, in Medibank Private, which is a private health insurance. The government took two years and they worked out what actually happened. The database administrator’s home PC got hacked and they found the passwords that he had for the database. Over three months, they just slowly tested it and went, oh, we can get in, we can get in, we can get in. And they stayed inside the servers downloading 500 gigabytes of data. This is personal medical information.
- If you think about it, in the home network, what they’re really targeting for is movement across the network to see how many devices they can compromise and then staying inside the network and using that. And that’s what the persistence is.
- You kind of expect that your laptop is safe. Especially Mac, there’s a reputation for Apple being very pedantic about security. But even now, you can see that if you just Google zero day, you’ll see that even Macs get compromised as well. No one is completely protected. There’s enough incentive for hackers to want to target Macs because of their reputation and because people expect it to be safe. But unfortunately, the reality is it’s still software. It’s still computer, it’s still made by people. And now worse with extra computing resources and AI, it’s even easier now to customize a target and what’s the best way to attack the target based on what they have. So that lateral movement is one of the things that they’re typically going for. And DDoS is just the easy thing to do once you compromise a network.
What Is a Residential Proxy and Why Should I Care?
- What they’re finding now recently is that the hackers are using people’s houses and monetizing them. So there’s a term that really disturbs me now. It’s called residential proxy. It’s almost like renting out someone else’s network access to someone who wants to hide the information. If you look at, in the Singapore context, there’s very strong laws around loaning out your SIM card, you get in a lot of trouble, right? And it’s because your SIM card is then used to commit crime, scam other people. And going back to the whole reputation in Singapore being a law abiding, when you see a number that’s a trustworthy number with a +65, you kind of expect, they should be protected. In that same context, the internet connection doesn’t have any of that. Unfortunately, if someone else is renting out your home network connection, the people that want to use that to hide whatever they’re doing can have all sorts of different reasons.
- At the moment, what the family friendly version is fraud, which is looking like the traffic is coming from somewhere else. There’s much scarier things that people, ‘cause they’re renting it on the dark web. There are much scarier things that people can rent them out for that are not family friendly. When you think about pornography, the darkest things in the dark web that you don’t want people to be seen that you are accessing, that’s where residential proxies are becoming a service. So hackers are compromising it and they’ve gone from botnets, which are a bit more volatile to trying to come up with more stable, sustainable, they call it sustainable sources of income, which is to rent out other people’s houses. That concept really disturbs me, because these people don’t even realize that they’re being sold as a residential proxy. And it’s the people that bought the $50 media player that went, oh, I’m getting all this great content, but they’re actually now part of it.
- I don’t think there’s enough cases yet where someone has been taken to court or arrested because their network has been compromised to the extent that they’re being used to facilitate a really bad cyber crime. But it’s not implausible. If your bandwidth is really great ‘cause you really like online gaming, for example, and there’s a whole bunch of traffic that happens after you’ve gone to bed, I don’t know where the liability falls. But if it’s a SIM card, it’s very clear you’re the one that let your access out. But home networks, I don’t think we’re quite clear on that yet.
How Do Hackers Actually Break Into My Network?
-
In terms of the service that I provide, what I try and do is, I look at how someone would compromise your network and use it against you and then protect from that. And what that means is the service that I do is it’s almost like going to your house, looking at all your doors and windows and going, that one, you’ve got a rusty lock there, someone’s gonna come in and break in. That one’s big enough to, that one, I know this brand of door or door lock, it’s been broken into. So the network version of that is going into your home network. So I’ve got devices to actually plug into your network. It’ll do an initial scan to do an inventory.
If I’m a corporate IT person and I take over the responsibility of the IT assets for a company, that’s the first thing you do. Do inventory and look at all the things that you have. Then one by one, I will test the vulnerabilities on that device. Going back to what I said earlier, we’ve got over 300,000 lists of items. They are known, they’re published.
It’s a double-edged sword. One of the ethos for hack-for-vulnerability and security research is that when you find a way to hack something, you tell the manufacturer and you give them a chance to fix it. Unfortunately, not every manufacturer will fix it. Not every manufacturer cares. And in the meantime, until it’s resolved, this information is public. It’s known. So like I said with the D-Link example, they said they’re not gonna fix it. But what that means is the instructions for how to hack it are on Google.
And like I said, the list of the database that I have, it’s growing exponentially. But the service is basically to look at the devices that you have, and then based on the vulnerabilities that we can test, we’ll test them and tell you this is how someone will hack into your network and this is what you need to do in order to prevent that.
What you are asking around what’s the most common way. If I’m a hacker and I’m hacking a house, is to actually look at what devices you have and check the internet because it’s been published. ‘Cause that actual device has already had a publicly acknowledged way of accessing that and it’s got instructions. So unfortunately, based on that approach and that ethos, once you break into a network, it’s not hard to work out how to then take advantage of that. Easy passwords are, it’s a no brainer.
There are tools that you can go online to actually see how challenging your password is. And that’s one of the things I recommend people do as well. Try a password strength tester. Being a child from growing up with technology in the eighties, you used to come with a password that was easy to remember. Unfortunately, those are like trying to cover a piece of paper as your front door. It’s completely useless. People just charge through ‘cause brute force and distributed computing makes it so easy.
It’s almost like you don’t even want to talk about the simple passwords. The weak passwords being a factor because that’s already a given. You need to not have default passwords and simple to guess passwords. Unfortunately, in the clients that I’ve seen, it’s still happening a lot. I dunno how many devices I’ve seen with the username and passwords “adminadmin”.
What we’re finding now as well is even with what looks like random passwords, security researchers have now found a lot of hardware. Even though it looks like a random password, there’s actually an algorithm to how they create the random password. So unfortunately, even with a modern router, it looks like it’s really weird and randomized. One of the cases was a researcher found that it is based on the MAC address. Because again, it’s designed by a person. They had to come up with a way for them to scale it up and to make it within a scalable process and therefore that’s the algorithm they use. And someone worked out, I can reverse it and I can find everyone’s password. So unfortunately, there’s no one way to protect. You gotta think about the flexible approach.
One cybersecurity terminology is called living off the land, whereby if I can’t bring anything to the party and I can only attack this way, what can I use, what resources do I use within that space. You have to be creative, it’s like breaking into a bank with only a backpack or your watch. It’s almost like a MacGyver thing. But the problem is now you have AI. AI can scrape everything, can search all this other stuff to help you. So yeah, passwords is like you don’t even wanna talk about it anymore ‘cause you need, it’s like minimum a very minimal standard. Don’t use default passwords. Change your default passwords.
And even on things like security cameras, because you feel like it’s a physical device plugged in, but you forget that actually it’s probably streaming video somewhere else. Some of the passwords are actually baked into the hardware as well. Brother printers, I think it was the motherboard manufacturers, unfortunately, had a hardware password baked into it. There’s something like 6,000 different models of various printers that all have the same flaw and you can’t fix it from firmware update ‘cause it’s built into the hardware. So it’s cases like that where you have to do what you can with the password, but it’s not gonna be bulletproof either. There’s no one tried and tested way where hackers will keep going. They’re gonna be creative based on what you have and unfortunately they’re gonna use that against you.
What I try to espouse is something called be the path of greater resistance. So in the cybersecurity world, there’s something called defense in depth, that’s where your multi-factor authentication comes in. You don’t want to just have one level of protection. You want multiple ways of protecting. And even in home security, that’s a common parallel. There’s a story around a bear and chasing people in the woods. Basically the idea is as long as you are a bit more difficult than someone else, you create a bit more resistance to being the easy target. You’re already better off.
I don’t know if anyone is unhackable, even Fort Knox. If you got enough resources, you can break into anything, it’s just a matter of whether it’s worth it. So it’s a question of not necessarily trying to go crazy to protect a lump of coal. You wanna find the right balance between what you have at risk, and how much effort you put into protecting it.
The worst wifi password I found took three seconds. And this client was living on a very busy street. So I told him, if I drove by your house slowly, I would’ve broken into your wifi. Unfortunately, like I said, if you grew up in a time where brute force wasn’t a thing, rate limiting wasn’t a thing. We are in a whole different world now where it’s so easy. Our phones are so much more powerful now than a full size room computer was, 30, 40 years ago. But our culture and our expectations of technology are still very backward.
If you think about what I said earlier with age being a risk factor. With the smart TVs, I don’t know about modern ones. I would hope that there’s some kind of cool off mechanism, rate limits where you’ve got the password wrong five times. Like you have it with your phone, right? The more you try, the longer it takes before you can try again. I don’t know if they built that. But again, going back to age, I almost guarantee you 10 years ago, a smart device would not have any of those because no one’s gonna try and brute force my TV. Because I just wanna put it on the internet. I wanna make it smart and make it accessible.
Unfortunately, the tools are there. It’s not hard. And that’s what concerns me. We are in an environment where the technology and the capability is very far advanced for misuse. And the expectation and understanding of security is very far behind. The gap is just growing. It’s already big enough for corporates. You read about how many enterprises are being compromised and hacked on a daily basis. There’s nothing paying attention to the homes. And yet we know that from a DDoS point of view, they’ve already been significantly compromised.
That’s the way I find it interesting personally because how do I help people at least catch up a bit to the corporate? I’m not saying be a corporate to that extent. Because even then, quite frankly, they’re not keeping up to the level of threat. But take some steps. Be the path of greater resistance. Take some steps so it’s protecting yourself. And don’t make it so easy because it’s bad enough. The gap is huge enough as it is.
Why Are Executives and High-Net-Worth Individuals Prime Targets?
You think about from an economics perspective, what’s the incentive for someone to attack you? Quite a few times when I’ve had the conversation with people to tell them, hey, you’re at risk, sometimes the response I get is, so what they gonna do to me? I don’t have money in my bank, for example. And what I found is there’s three threats that are quite common and more prominent in high-net-worth individuals.
The first thing is they’re attacking you directly, so they’re going after you specifically, your assets, your financial assets, your digital assets. For example, bank accounts. I’ve known of cases where they’ve been able to spoof someone’s bank account and show them a screen that’s not theirs and actually transferred the money somewhere else. Stealing passwords, stealing your family photos and holding that as ransom. I’ve heard of cases just this year where someone’s C-suite person has had their entire digital identity stolen. So social media accounts, family photos, bank transactions, financial records, travel plans all stolen and then sold on the dark web for identity theft. And the person didn’t even know about it. So he wasn’t even given a chance to pay a ransom to get it back. Immediately his information was all sold and utilized against it. So you might be a target just by targeting you directly.
The second other source that I’ve seen is, I’ve seen in Australia where it’s tax fraud. So they file on your behalf. So they have enough information about you to file your taxes for you. It sounds convenient. But what they’re doing is they’re actually claiming a refund under your name. So they’re getting very big chunks of the money out from the tax office. The last one I heard was $24,000 as a refund. And they get the money transferred to their own account and then they disappear. But when you go to do your own tax claim, suddenly, oh no, I haven’t filed my taxes, I haven’t done any of that. It’s so much effort to undo that damage. I’ve got friends that lost sleep because they felt personally violated. But on top of that, just the admin to be able to undo that and the loss to the tax office is quite significant. It’s a very big deal.
The third one is what I talked about earlier which is access through you. So depending on what you have access to, C-suites are a very popular target because of the access to the organization. There’s a lot more efforts at trying to protect them through VPN. I’ve got friends who do the internet banking on the work computer and they do everything else on their home computer. Keep all that separate. But it’s because they’re very big targets for leveraging their access. I already know of two people that have had their office holder title used against them, against the organization. So what that means is one of them was saying he was the president of a sports club. His email got spoofed to ask the treasurer to send money. The easy way to do that was to go online and look at all the office holders ‘cause it’s public. It’s public information. It’s called open source intelligence.
C-Suites are very easy to see what they look like. It’s easy to find out who they are, where, what organization they are, what their role is. And in more recent cases, CFOs, CEOs have been spoofed with deep fakes, with AI technology, to mimic them and provide instructions to, hey, transfer $25 million. It’s me. I’m giving you the authority now on the video call in front of other deep fake members of the executive. There’s more reasons to be targeting a high-net-worth individual from an economic incentive point of view.
Now, if you are a hacker just after a botnet, you don’t need to put in all the extra effort. But you have a whole different model there. And quite frankly, that’s why they’ve been so successful. ‘Cause these people aren’t really looking after themselves. So I’m focusing on the people that have, one, more a bigger target, but are also more willing to get help to protect themselves because they know that they’ve got more risk. If I had a magic wand and unlimited resources, I would want to try and protect everybody. But the reality is, you got an 80-20 rule, you gotta work with the target that are more responsive, but also higher targets until I can work out how I can scale this and make the umbrella bigger. And try and get more people involved in looking after that.
There’s a similar parallel in what’s happening in the US. A lot of city infrastructure, so water systems, for example, they run with operational technology that was really old. And what’s happened is they’ve been hacked on a regular basis, but because it’s such a fundamental service. But at the same time, because it’s so old and outdated, it’s not fun, sexy to get into the industry of cybersecurity for water service. So they become really big targets. So there’s a big community now in the US for white hat hackers to volunteer their time to go help protect their local water utility. Because without that kind of community approach, there’s no way to scale it up to be able to fit. And even then they’re only covering a small portion of it. They’re not covering everybody. So very big target base. Very hard to reach everybody at once. I’m focusing on the people that are more susceptible, but also are gonna be more willing to listen to, hey, this is how you’re gonna get attacked. This is how it can help you. And that’s why I’ve targeted the executives. Ideally it’d be everybody. But it’s a very big landscape at the moment.
Why Isn’t Singapore’s Cyber Attack Problem in the News?
That’s an interesting question. I have actually had a chance to ask someone in the government before. The response wasn’t what I was hoping for. But you’re absolutely right. At the moment there’s probably a level of concern but not necessarily clear understanding of what to do about it.
At the moment, unless there’s a clear line between the damage that’s being caused. Like I said with the SIM cards, it’s probably my best example. At the moment, it’s very, it’s a lot easier to see that, hey, if I don’t control the SIM cards and allow people to take advantage of that and use that for legal purposes, then that’s when the response, the societal response is, okay, we need to clamp down on it. We need to deal with it. I don’t think that’s as clear cut yet with the internet technology.
One, the attack is not so clear and two, therefore the response isn’t as harsh or as firm or as immediate and urgent. But when you can see the efforts that Singapore is working on at the moment, it’s clear that they are very concerned about the effect on corporates and businesses. ‘Cause that does link to the reputation of the country as well as being an attractive place for businesses. So I think it’s a matter of time before, one, the attacks scale up, before there’s more and more things that you can do with a compromised network. And then two, finding a strategy to be able to respond to that.
I use vaping as a parallel. So when vaping started happening, there was a growing trend, growing popularity. It didn’t seem like it was that big a deal until they started putting more and more things into it. They started getting more visibility around the problem and it became very clear that, okay, we need a stronger response. And the government has then gone, that’s it. Zero tolerance. Clamp down on it.
I see a similar parallel to that with home cybersecurity. Unfortunately, the way the networks are working, it’s harder unless you’re China with a firewall. And even then people get around firewall. It’s harder to control things that flow in and out from the internet. It’s not like it’s a physical border.
That’s where, again, if the threat is not clear and therefore the strategy for responding is not that clear, you have to quite frankly let things develop further and then see, okay, so how do they respond from that? But from my perspective, by that time, where we are, it’s already kind of we’re already late to the party. So it’s almost up to the people to try and take the personal responsibility to protect themselves. And quite frankly, it’s almost going back to defense in depth. Even if you have a police post station near you, if you’re surrounded by police stations. And if there’s security guard in your state, it doesn’t mean that you should leave your front door open.
But when I say we collectively, you’re so used to a protected safe space that you don’t really think about what people could be doing and how they could be leveraging you. It’s to the benefit of the people using the networks and access and hacking. So I just think that we are not yet there in the point where there’s a very big, clear problem, but it’s got enough fires and smoke to indicate to me that this is gonna get worse. In the meantime, I’m gonna try and help people be educated to be able to catch up and try and close a bit of their gap. But quite frankly, I expect the gap will still get bigger, especially with AI growing at the pace that it’s growing.
Can Internet Providers Stop These Attacks?
It’s hard. So at the moment when you look at the scale that they’re attacking, it’s within 14 seconds, for example. By the time the AI recognizes, oh, there’s something going on, it’s already over. But one of the interesting trends that you’re seeing with DDoS attacks, they’re actually attacking ISPs as well. There’s a level of mischief in what they’re doing. It’s not always for commercial gain or economic gain. It’s also sometimes they just wanna piss someone off.
If you look at Cloudflare and the setup they’ve got, because they’re tracking where all the IP addresses are, they can actually tell the ISPs, this is where the attacks are coming from. I actually want to talk to the ISP to go give me a list of all the IP addresses. Every time I go to a house that I check, I can marry it out. I can tell you there’s already a compromised device there. I just don’t think at the moment the level of concern is warranting that for the ISPs to actually take that kind of action. But I feel like if, magic wand, that’s what we need to be doing. We need to be going tell me all the ones that have been compromised ‘cause attacks coming from there, I’ll go send someone there and actually work out what devices. One or many devices is actually contributing to this.
Because the footprints are there. That’s the good thing in a way about the internet. Even though it’s all connected, interconnected and all digital, you should be able to see if you can see it’s coming to attack you, you can see where it’s coming from. So it’s really around be able to trace and follow that. But we’re just not in a position where, one, they’ve got the resource and the social urgency to deal with that.
If it becomes bigger, which I expect it’ll become a bigger problem, like with the SIM cards, then yeah, you’re gonna put in more and more steps to try and deal with it. But also if you look at the rate of growth of DDoS as a proxy, I don’t think any country in the world is prepared to deal with the level that they’re growing. And the Aisuru report that Brian Krebs was just discovering is hitting new records. Like this year they’ve gone from 3.5 to now 30 terabits per second. The pace at which they’re collecting devices and compromising networks is I don’t think any single government by itself can deal with that level of growth.
What Can I Do to Protect My Home Network?
The short answer is there’s no one size fits all. There’s no one path that people are following. In the early days with viruses, it was a lot clearer. You would get infected through an email or you would get infected through pirated software. There was clearer vectors for attacks. Now with the level of technology and how everything is a lot more interconnected now. And again, with AI giving you a very large range of access tools is not as straightforward as that.
That’s where one of the philosophies that I push is “can doesn’t mean you should”. So you shouldn’t just connect things. You shouldn’t just buy it ‘cause it’s got wifi. You shouldn’t just plug it in.
I have a robot vacuum cleaner. It sends a crazy amount of data to the internet. It’s very frustrating that I know what it’s probably doing. It’s scanning on my neighbor’s wifi. It’s logging everything in my house and sending it to them, but I’ve kept it separate from the rest of all my devices. I get a lot of value out of having my robot vacuum cleaner run once a day, twice a day because it keeps my house clean. So I get benefit of doing that. My washing machine, on the other hand is wifi connected, but I get zero value out of that. In fact, I’m probably the service of the product. I’m giving them my product information. I’ve connected it as well because I wanted to not leave it open for someone else to try and connect to it, but I’m a lot more conscious around why I’ve connected it that way.
So going back to what you were saying with the anti-virus and anti-malware, there’s no clear one size fits all approach, what I try and challenge people to do is think about spring cleaning. Spring cleaning your network. Look at all the things that you have on your network and do I actually get value? Does it improve my life to have wifi connectivity for this thing? If not, then either get rid of the thing or at least try and disable the wifi. Unfortunately, I’ve seen so many cases where people have connected things and forgotten about them to a point that even though they’ve been hacked, they don’t even realize it. And because they haven’t used it on a regular basis, it doesn’t add the value. You forget that you are taking on the risk without the benefit. So it’s all bad news having that kind of connectivity.
Unfortunately there’s no one size fits all approach. Back in the day, it was just running antivirus. But now, the amount of different threat vectors are significant, the best thing to do is try and reduce your attack surface and try and keep as little entry points for someone to access your house.
How Do I Protect My Network-Attached Storage (NAS)?
The challenge with network attached storage is it’s very attractive for multiple reasons. I’ve got, in Australia, ASX20, top 20 listed companies in Australia. One of them has been hacked before with ransomware on the NAS.
And one of the best targets, most attractive targets for ransomware because it’s your digital assets. I constantly tell people that if my whole house burned down, the only thing I need protected is the photos. Because you can’t replace that. You can replace everything else. Your passport, your ID cards, certificates, whatever. You can get reprints. But you can’t get the photos back. So it’s a very attractive source. Unfortunately, going back to what I said about distributed computing, it’s got a processor, it’s got storage, and it’s got network. So it is a great target. And quite sadly, I’ve seen quite a few NASes now that when I run this vulnerability scan thing, because it’s so attractive, going back to what I said about the ethos, it’s constantly being hacked and new vulnerabilities are being found all the time.
One of the key things that people have to be doing is checking whether the firmware has been updated for NAS. Keep in mind that it’s a gold mine. Like NASes have been found to be mining crypto. Because they’re on there 24/7. They’re constantly running and you just don’t know what’s happening. They’ve been very popular.
The workflow for security researchers to hack into something is to share the information with the manufacturer and then make it public. But ideally giving the manufacturer time to patch it. This happens a lot with NAS. 2, 3 times a year, this happens. So if you have a NAS, absolutely take extra precaution with it. Check if the firmware is updating, up to date. If it’s old and it doesn’t update anymore, get a new one, unfortunately. Christmas, go shopping. But at the same time, be aware that it’s a very attractive target and just do the hygiene, like the digital hygiene that you need to. Don’t hold things longer than you need to. ‘Cause it can be used against you.
It’s part of the Lean methodology that I applied to my process as well. Along the way, if you don’t need to hold, if it doesn’t add any value, get rid of it. It makes the migration easier, but it also reduces your attack surface. If you don’t have too much clutter and complexity, going back to some of the learnings that I took away from the corporate world. It just makes your life simpler, having less things to manage. Because it’s really fun to buy the new thing, plug it in, and get that 30 seconds of enjoyment. But the risk that you take on for leaving it then and not tidying it up, it just grows over time. And I’ve already found NASes in my circles scanning that have been compromised. And the disappointing ones are finding where people know that they should have updated the password or changed the password and they haven’t. And I’d show them this took 30 seconds. If you haven’t been hacked already, you’re so close to being hacked.
It’s disappointing because the value that I place on my digital assets is significantly high, so I want to take effort to protect it. But people don’t realize how easy it is for NASes and how attractive it is to be hacked. That’s one of the things I strongly recommend. Install password managers.
How Is AI Changing the Cyber Attack Landscape?
From just tools that I build as well, I use AI for coding, for understanding. If I’m trying to think like a hacker, if I’m trying to replicate what they’re doing, I’m gonna be trying to use the tool to protect as much as I can for good. But it’s also very easy to go the other way.
In a way, as far as AI is concerned, I could just as easily be a hacker, someone trying to break into someone’s network, because I’m asking it questions that a hacker would be asking it, which is, firstly, what is this? What device is this? Is there known vulnerability that I can use to attack it? And if not, for this type of device, what are the most common ways, it doesn’t have to be this brand, but if there’s a common component, if there’s a common combination of components. If you think about the range of things you can ask an AI, you can ask it many different ways of what’s the best way to attack this device.
Anthropic recently reported that they believe that the resources are being put towards nefarious users for hacking and by creating an autonomous hacking agent. It’s not even someone querying anymore. It’s someone using AI to work out how to hack everything else, setting up an agent. So it’s a double-edged sword. What I’m trying to do is use the positive side of that sword and the AI to go, how do I help? How do I help rather than hurt? But as far as AI is concerned, it’s the same. It’s the same query, it’s the same skillset. You are asking it how to, I’m asking how would someone hack it in order to protect it? They’re asking how would someone hack it? Full stop. To be able to get in. But it’s the same. It’s the same skillset.
Weirdly, one of the things that was being reported as well was going back to the residential proxies. Apparently, there are LLMs using the residential proxy to get around scraping rules. So it doesn’t look like they’re the ones scraping. I don’t know how much of that is traceable back to the LLM, but it kind of makes sense when you think about it, because they wanna hide the activity and get as much data as they can, but not showing that it’s them. So they’re going to people’s houses and using the houses. The reality is if it’s on the network and you can’t tell, they can get away with it. As long as they keep quiet about it, you can’t tell it’s them doing it.
So AI is introducing new complexity, new challenges to cybersecurity, but I believe that AI for everything in the sense that, it’s a double-edged sword. You can use it for good, you can use it for harm. So I’m focusing on trying to leverage that for good. But there’s a lot of options for attacking.
Some of the recent cases, they’re just teenagers. Teenagers who are bored, they’re just being teenagers, but they have access to crazy resources now with AI. Some of the best known ransomware gangs are run by teenagers. Scattered Spider is one of them. I mentioned a 17-year-old kid that was arrested in the UK for hacking into a childcare network. If you think about 40 years ago, teenagers wouldn’t even have access to a fraction of these resources. But now you can ask ChatGPT, you can ask Gemini, you can ask Claude.
It’s very lucrative. One of the most disturbing ones I heard was an interview with a ransomware negotiator. This is a corporate one but he was negotiating with a guy who attacked a children’s ICU unit. The hacker knew what he was doing ‘cause he was threatening to disconnect the life support for the child and kill the child. And he wanted to do it for money. He just wanted the money. When you think about how much technology now has operational technology, right? So outside of the home environment at the moment, but on the way here, I was just looking at LinkedIn where Singapore is now talking about cybersecurity standards for lifts. Smart lifts. And it just suddenly blew my mind like, oh my God, I never thought about that. Can you imagine if you are being held hostage in an elevator, in the hospital when you’re trying to get to someone? That’s crazy. So we don’t recognize how many different things are now at risk, let alone in the home environment where you wanna feel safe in your own home. You wanna feel that your things are protected. But like I said, it’s like Invisible Man.
It could be someone watching you all the time, 24/7. And they’re not even watching you. They’re hiring an AI agent to watch you until you do something that they’re interested in and then they’ll come and pay attention. It’s not great, but it is the maturity of the society at the moment. We are very immature in the sense of cybersecurity, but we are also on the other side of the scale, very connected. So I feel like that’s an area of vulnerability.
How Can Otonata Help Protect My Home Network?
I’ve got a website, Otonata. O-T-O-N-A-T-A.com. It’s inspired by odonata which is a dragonfly. It’s a silent bug hunter.
There’s a service on the website, I call it Hack Check, which is you could take a photo of your device. And it might not all necessarily recognize what the device is ‘cause there’s millions of them. But it gives you a chance to put in the brand and the model number. And what we’ll do is we’ll scan the database and give you a very quick response. So that’s kind of the one of the easiest things you can do in terms of understanding, or at least even if you’re mildly curious about your device and whether or not there’s a known vulnerability, try it out. ‘Cause it’s pretty easy, it’s free.
But if you are more serious about wanting to get your risk profile clearer and understand what your actual risk is, we have a service that will send a device to your house. You just plug it in and we’ll do a full scan for you. There’s a much more premium version, which is someone, I will go to your house and plug it in for you and tell you how to protect your house and actually help you configure your house to manage your risk. And that’s one of the key things I took away from a corporate environment, which is it’s all about balancing the risk but we forget that the same principles apply everywhere even at home. So it’s a conversation about finding what you have at risk and then taking the right efforts to protect it. ‘Cause in some cases, some of the stuff is not worth protecting. If it’s a D-Link router and you have a NAS that you really want to protect and secure, if it’s all outdated D-Link router, just get rid of it. It’s not worth taking extra steps to protect against that, if the solution is just to entirely replace it.
What I find is that there’s no one size fits all formula, which is why the service has different scales. It can be as simple as telling you this is at risk, to giving you better visibility of your network to actually helping you change and take all the steps that you need to protect yourself. Because no one network is the same. I’ve never seen a house that has exactly the same configuration as another one that I’ve seen before.
- Typically, a scan takes about two, three days, because it tries to look for all the devices on the network. And then it tries to knock on every door, check every window to see whether something can be broken into. But the mitigation might take a bit longer depending on what the issue actually is. It might mean having to redesign your network. ‘Cause in some cases I’ve seen over 50 devices on the network. I’ve got more than 50 devices on my network. And my network is segmented to manage my risk profile. So it’s not always gonna be the exact same solution for everybody. It’s gonna be how do you wanna live your life with your devices, right? How do you wanna be comfortable with what you use? And this is the solution that would give you the best protection while still keeping it convenient. Because you don’t wanna go crazy having three locks on your front door, two locks on your window. Every time you wanna open a window you gotta do magic tricks to do that, right? It’s finding the right balance of risk.
- So yeah, that’s what Otonata does. It gives you very tailored advice around what are you trying to achieve with what you have, so that you don’t have to worry about it. Having a lot of small decisions to make can be very fatiguing. Unfortunately, when we accumulate devices, we sign ourselves up to the obligation of looking after all these things. But we don’t do any of that. ‘Cause it’s boring. It’s so tedious. So I’ve taken my operational background expertise, applied a more scalable process to managing it for you.
- The last part of the service is actually offline monitoring. So the starting point of the Otonata service is do an inventory of what you have, do a vulnerability scan of all the ways someone could attack you. Mitigate what your profile should look like based on what risk you want. But after that, we’ve exited your premises, but I know exactly all the devices that you have. And what we can do is, as new information comes about from a vulnerability point of view, we can go, hey, you’ve got this device. Last week, it was established that this is how you would hack into it. We can tell you. So it’s almost like I don’t actually have to be at your house anymore, but I know all the stuff you have and I’m proactively looking out for all your things.
- In supermarkets, there’s recalls where if you bought a dodgy food item, they go, oh, you gotta bring this one back. It’s not safe for you to eat. No one pays attention to recalls for your devices, unfortunately. Firstly, no one even has recalls for devices ‘cause they want to keep it quiet. They don’t want you to think about the brand being affected. But we’ll do that for you. ‘Cause I’ve got the processes automated, it’s scalable. I have hundreds and thousands of devices. I can check them on a daily basis. It’s not something that I would expect anyone to be, oh, today I gotta check everything on my list. So that’s why I’ve automated and taken away the fatigue of having those micro decisions.
- So it’s really that step process: having your inventory list built, doing a vulnerability scan, mitigating the risks and then doing offline monitoring. And for me, that gives you enough protection to be more resistant. It’s not gonna be, I can’t guarantee that you won’t get hacked. But I can tell you that compared to 99.9% of the population, you are in a much better spot already just by doing these things.
What Are Real-World Examples of Home Network Compromises?
- I have worked with people who were embarrassed to have had vulnerabilities that were fairly basic. IT leaders who had “adminadmin”, thought leaders. ASX 20 CEOs that have had devices that have been ransom hacked that they didn’t know about. I wouldn’t share any direct stories.
- I was just talking to someone about today was politicians being caught in compromising positions through cameras. IP cameras. So it’s a bit scandalous. When you think about people in high positions and being caught, found dirty. But if you zoom out a bit further and you go, how did someone get access to that material in the first place? And does it mean that everyone has access to everything? It’s quite concerning. It’s a good source of gossip. But it risks missing the point of how vulnerable we are as a society.
- When you hear the more serious cases around critical operational technology being compromised, it’s very raw. People’s actual lives are being affected. But at the same time, you gotta zoom out and go how do we stop this from happening to people we care about? It is a bit distant when you see someone else being attacked and affected. But when it actually hits you, it’s very concerning.
- With the automation and if you project a bit further to what the trends are with the Tesla robots, with the humanized robots, with self-driving cars, I think once there’s a much bigger overlap between the physical world and the digital world. And you can extend it to Neuralink like how people’s brains are gonna be connected and wired up. That’s why I’m trying to get the message out now earlier, because by the time we get there, it’s not just gonna be your digital assets that are at risk, it’s gonna be your physical wellbeing. They’ve already shown cars to be hacked while being driven.
- So you extend that further. If you are not taking steps now to protect some of the basics, when you get to a point of having a humanoid robot helper in your kitchen or your self-driving car is driving you to work, you’re gonna set yourself up for a world of pain because some of these basics haven’t been embedded into your normal. You can’t expect them to be covering every possible threat, right? So that’s why I think we are not there yet, but given the trends of how things are converging with networked physical devices, it’s gonna get scary. So, as much as possible start learning the basics to prepare yourself for when, yeah, you’ve got a robot driving a car and your child to whatever activity they’ve got. All of that is susceptible.
3 Tech Lead Wisdom
- Can doesn’t mean should.
  - A lot of times we’re not deliberate enough or we get caught up with a shiny new thing that we don’t really think about the value that it adds. Go back to Lean principles, 5S. Clear out the things that you actually don’t need to reduce your footprint. Reducing your footprint also means reducing your attack surface. Quite frankly, I’ve still got devices that I know I need to clean up. I just haven’t got around to do it. But if you’re not even thinking about it, then you are constantly gonna be leaving yourself open for no benefit. So can doesn’t mean should. If that’s the one thing for people to take away.
- Be more aware of your digital hygiene.
  - Things that we access, things that we put up on the cloud, they’re all our digital assets, our footprints. It’s almost like having basic dental checkups. There are things that we take for granted as minimum standards of hygiene for ourselves, for our self-care. Think about that being applied to your digital life. In terms of your data, in terms of your passwords, your admin, your router firmware. There should be a list of things that you need to be doing on a yearly basis. Like you go to a dentist once or twice a year. There needs to be that level of self-care for your digital footprint. There has to be a level of digital hygiene. If you don’t do, if you’re not even thinking about it at all, you won’t do any of it. Just put some thought and time into what should you do and then create a process that gives you a reminder once a year. Create something like that for your own digital hygiene. Whether it’s deleting your photos, screenshots for example of information. Like stuff like that where you actually consciously go through cleaning up house every now and then.
- Be the path of greater resistance.
  - Even if you’re not doing everything I talked about, even if you’re not taking crazy steps to protect your house and your assets, do something that makes it, that pushes you along in the distribution curve. Makes it a little bit harder than the next guy, because 700,000 devices right now on the botnet. That’s the easy stuff. There were people not doing anything about it and going, you know what? Hack me, I don’t care. Those are the people, you don’t wanna be in that group. You wanna be in the ones that have a stronger password. You wanna be in the ones that have paid attention to the firmware and made it a little bit harder because then at least you’re not as exposed. Especially if you’ve got stuff to lose, if you are a higher net worth individual. You don’t want to lose your digital assets, your bank accounts, your financial. You don’t have financial losses, you don’t have emotional turmoil and losses because someone’s compromised you. So path of greater resistance, whatever steps you can take towards being that. By all means, take a first step and see how far you can go. If you need help, give me a call.
[00:02:03] Introduction
Henry Suryawirawan: Okay. Hi everyone. Welcome back to another in-person podcast recording. Today I have with me Joseph Yap. He’s gonna share something very interesting today about cybersecurity. But we are not going to talk about cybersecurity as you may have heard it a lot of times, you know, with organizations and things like that. But this is actually at your personal home or your personal usage. So there are some statistics that I think kind of like mind blowing to me when he first shared it with me. So, yeah, I think let’s just discuss it later. So welcome, Joseph, to the show.
Joseph Yap: Thanks very much. Good to be here.
[00:02:40] How Can I Apply Journalism Skills to Tech Leadership?
Henry Suryawirawan: So, Joseph, in the beginning, I always love to maybe invite my guest share a little bit about your career, especially the turning points that you think we all can learn from you.
Joseph Yap: Okay. Yeah, so I started very much in communications and journalism actually. My initial background academically was more about journalism interviewing. Being on the other side of the table. I’ve changed career paths quite a bit along the way, but I found that for every change that I made, there was always something that I had learned before that I could leverage to a new role. So in terms of, yeah, turning points, I think changing career paths and finding that actually there’s stuff I can carry over from a previous role was quite helpful.
I’ve also found that over the 20+ years of corporate life, one of the biggest learnings that I had was thinking about people. It’s funny to say this out loud, but in the space that I’ve been, which is really to do with operations and supply chain, we often forget that businesses are run by people, organizations are run by people. My expertise of familiarity has been with processes and trying to simplify and stabilize things. But unfortunately, if you don’t think about the people aspect of that, things will always go wrong, right? So one of the big lessons that I had were from, yeah, a corporate career has always been to do with people.
And I think one of the biggest lessons that I had in my last 10 years or so was dealing with complexity. So going back to what I said about people, when you’re not managing processes with thinking about people and how much effort it can take someone to make a lot of micro decisions, how much fatigue they can put someone through.
I had an example where someone I worked with, she would wake up in a panic at 3 am in the morning to write something down. Because while she was thinking about something going to sleep, she fell asleep. And then she suddenly remembered that, oh my God, I need to do this tomorrow morning. And then she couldn’t go back to sleep.
So the process that they were working with was so complicated that there was so much burden on people to take the responsibility onto themselves. So one of the, yeah, lessons I had from corporate world was we have to work out how to make it easier for people not to deal with so much complexity and put the burden on themselves.
So when I think about the developing processes now, a lot of it is around, one, what is the value add? And two, how do I minimize the ability for human error for something to go wrong because of that? Yeah.
[00:06:14] Why Is Curiosity Essential for Tech Leaders?
Henry Suryawirawan: Well, thank you for sharing the story. I think sometimes we didn’t realize at work, right? We are so maybe stressful, anxious, right, thinking about what we need to do for work. And sometimes we just think it is like something, you know, like a habit or something normal. But I guess, the onus is for the leaders to actually think how to improve the process, not to make people’s life harder, I guess. And I like actually that you said that you have switched career path multiple times. Maybe one thing that piqued my interest is like you said you started from journalism. Is there any skill that from journalism that you take on and on in other multiple careers as well?
Joseph Yap: I wouldn’t say necessarily a skill but a desire to be curious and to learn. So I’ve taken on several roles where I knew nothing about the role when I first took it up. I mean, I give you an example. I led a procurement function for a while in a construction company. Never worked in construction. I did procurement before, but I ended up becoming the lead for timber in construction. Didn’t know anything about timber, didn’t know anything about construction. But it was really interesting to me. And I dove really deep into that subject matter. Within two years, I became the company subject matter expert in timber. And not only that, I helped the company win the Forest Stewardship Council Builder of the Year Award. So they went from not being on the radar to being the best known builder for green timber.
So I found that being a journalist helped me, gave me the skills to ask why, and to be curious and learn about something so that when, yeah, down the path, other career paths that I took, I had the skills and the, I guess the interest to chase the story down to ask why. Why is it like this? And be curious about it. So I think journalism helped me develop a few tool sets to be able to talk to people to be curious about what they do and why. Yeah.
Henry Suryawirawan: Yeah, I find asking good questions, asking questions, knowing the why seems simple, right? We think it’s stupid, like you come up with a lot of questions, but actually there’s a lot of insights just by coming up with the questions. And I learn a lot by interviewing people, right? Even in your preparation, you know, thinking of what questions, what good questions you would ask for the guest. I think it’s also very difficult. And good conversations will start from the curiosity that you mentioned, right? The questions that you ask.
Joseph Yap: Yeah. Completely agree.
[00:08:48] Why Is Singapore a Top Source for Cyber Attacks?
Henry Suryawirawan: So let’s just dive in into the topics that we want to discuss today, right? So I think in the first place, you wanna share something about Singapore state of cybersecurity. I think this is also coming from a report by Cloudflare. And it mentioned that Singapore is one of the top most DDoS attack sources country in the world. So tell us a little bit more about this mind-blowing statistics.
Joseph Yap: So I think I have to pause for the emphasis there. Because it’s not a target, it’s the source.
Henry Suryawirawan: Yeah.
Joseph Yap: And I found this super interesting ‘cause when I first, when it first came on my radar, Singapore was among the top 10, firstly, and then slowly increasing. In the… I think it was earlier this year, Singapore was the second country in the world where attacks were coming from. So it’s not attacks too. I mean, you hear a lot in the media about, you know, cybercrime, scams. Singapore lost a billion dollars last year to scams. But you never, nearly never hear about Singapore being a source of cyber attacks. You hear about Myanmar, Cambodia, the Golden Triangle, where all the scam centers are.
So when I first came across that information from Cloudflare, and keep in mind, it’s not just their report about it, it’s actually they have the data and the breakdown, the stats, right? So when I first looked at that, and I dug into it, the number one country in the world was, at that point, Indonesia, and then Singapore was number two. But you know, Indonesia is a much bigger country, much bigger population, okay. Singapore was a lot smaller.
But when you look at the breakdown of where the attacks were coming from, the number one source at the point in time was DigitalOcean, which is hosting VMs, you know, a lot of servers. Singapore is a lot digitalized services, so I get that. But then you look further down the track, it’s Singtel and then StarHub, and these are, this is where people’s internet connections are. And what that occurred to me was actually, it’s not one specific part of Singapore that’s where the attacks are coming from. It’s across the entire trench.
So that was earlier this year. I looked up the statistics for the last six months, effectively in the top, I believe it’s top six, in the last six months, between Indonesia, Singapore, and Vietnam, 20% of attacks are coming from these three countries. And when you think about proportion versus the rest of the world, I mean sources of attack, Singapore rates above China. You look at the amount of technology that’s in China versus the Singapore and the size, but the attacks are coming from Singapore. I thought, huh, this is really interesting. It’s concerning ‘cause no one’s talking about it. But at the same time, it’s a very interesting space. And, you know, my curious mind goes, hmm, why? Why, what’s, what makes it so interesting? What makes Singapore so special or susceptible to being the source?
Henry Suryawirawan: Again, like, just the emphasis here, right? So because in the news we always hear about, you know, scam attacks, victims, right, of cybersecurity. You know, be it, I dunno, ransomware, whatever that is, right? But your emphasis here is actually the source of attack comes from Singapore. And this could come from your, our typical, you know, internet provider like Singtel and StarHub and DigitalOcean, which is like, kind of like a cloud SaaS service.
[00:12:11] What Makes Singapore Attractive for Launching Cyber Attacks?
Henry Suryawirawan: So maybe let’s understand why. Why? Why Singapore? Why Indonesia? Why Vietnam? Because we always associate cyber crime with, you know, top countries like North Korea, China, like US and things like that. So why is Singapore specifically or these three Southeast Asian countries, which seem harmless?
Joseph Yap: So I think the key point of clarification here is even though that’s where the attacks are being launched from, it doesn’t mean that there are, there’s a huge crime community in Singapore of hackers. They’re all controlling things, they are attacking from Singapore. But this is the launch. This is the launch points for the attacks. And also, again, specifically, a lot of these attacks are DDoS attacks at the moment, which means that it’s a distributed denial of service attack which is kind of coordinating hundreds of thousands of devices to all attack one point at the same time, to disrupt them, to try and shut down the traffic or to overload them. So that’s one specific type of attack. Singapore is in that list because primarily, and this is my expectation, ‘cause I haven’t interviewed a hacker to ask them why are you doing this? I think even if I tried, they probably wouldn’t get back to me. But my expectation is there’s two reasons why Singapore is such an attractive spot to be a source of attacks.
The first is capability. So since the eighties, the Singapore government has been very actively promoting information technology and information economy. Everything’s digitalized. There’s a lot of services that are online, you know, paperless society since, you know, for the last 40 years that trend has been consistently growing and it doesn’t look like it’s gonna slow down anytime soon. What that means is that everyone has access, everyone has multiple devices, and everyone is used to having that connectivity. One key example is if you look at, even for low income households, it’s almost like a minimum basic standard of living now. Even for a very, very low price, you get high speed fiber access. A lot of countries around the world, you don’t get that. You don’t get the benefit. ‘Cause fiber is, you know, gigabits per second, right? Compared to early dial-up, which is the very, very tiny fraction. So capability is one big factor.
The other one is Singapore is generally quite a law abiding society. So people are very well aware of following the rules and are well respected in the international community for being that law abiding society. And one of the examples I use is if you look at the passport, Singapore is one of the best countries in the world where you get to travel to many countries visa free. So the reputation of international standing there and expectations of safety, Singapore is a really good spot for that. Now unfortunately, if you are a cyber criminal and you don’t have to worry about the rules and you have access to the country, that also means that as a country, this is a really good spot to be attacking from, right?
This is my expect, this is my guess, my expectation, my hypothesis. So that’s why I think from the statistics that you’ve seen or that Cloudflare publish, it’s not one specific spot. It’s across the entire country. If you look at where all their attacks are coming from, it’s people’s houses. It’s servers. It’s anything that you can get your hands on.
I think the other thing I was gonna mention as well was there is a bit of a consumer culture to buy fancy new devices that are, oh, internet connected. I dunno how many devices everyone has in their house now. Average 20 to 40 internet connected devices. But now you’ve got washing machines, you’ve got fridges, robot vacuums, security cameras. This is the extra stuff on top of your routers, your smart TV, your smart speakers. There’s just more and more things that are being built with IoT and smart technology into it. I mean it’s just gonna grow. The attack surface is just gonna keep growing.
Henry Suryawirawan: Yeah. Yeah, I still don’t have any counts of how many smart devices or IoT devices in my house, right? I guess the last, I don’t know, maybe five, 10 years, IoT has been booming, right? So we can even see like doors, you know, controlled by internet now. Lights, whatever that is at home. I think people increasingly, you know, having these smart devices. And I think you point out about we have this culture, like always wanting new devices, new gadgets, new toys. I think that probably one aspect that drives, you know, this, you know, source of attack, right?
[00:16:39] How Many Devices in Singapore Are Already Compromised?
Henry Suryawirawan: But specifically I think still we haven’t answered the why, right? Because, okay, Singapore is well connected. We have good internet bandwidth, people have so many devices. Are you now saying that we are all being hacked?
Joseph Yap: Probably, yeah, quite, I guess quite frankly, if I looked at the statistics now, the last one of the last publicly known ones, a botnet that was recently revealed to be, I think the largest botnet, active botnet right now. They counted over 700,000 devices attacking at the same time. It hit 30 terabits per second. If you think about what that translates to, it’s like downloading all of Netflix within minutes.
Henry Suryawirawan: Wow.
Joseph Yap: That’s a massive amount of volume. And again, if you… just law of averages, if you take the total volume of the attacks and you break them down to the countries and the sources, I think I worked out Singapore was probably about 2% of that. So if you think about how many households there are here, one, 1.5 million households, 2% is quite a lot. And that’s just one bot at one point in time that could be identified. It’s not hard. So personally, when I’ve gone around to people’s houses to see what’s on their network, I’ve already found houses that have been compromised. So either the device has a back door or has already been hacked and people haven’t really paid attention to it or realized it.
One of the hardest things to do from a maintenance and admin point of view, unfortunately, is actually to see what’s on your network. It’s not hard in the sense of having access to your router. It’s hard in the sense of thinking that you even have to do it and then, you know, you just wanna connect to something and just leave it and you forget about it. The natural tendency, as I said earlier, is that for humans we just want to plug it in and have fun with it, but you forget that actually everything that you plug in has to be maintained.
One big learning that I had in the last 10 years or so was that physical things have an end of life. Devices have an end of life, but we don’t really think about that because my speakers still play music when I expect it to. Oh, it still works fine, but really it’s probably already been hacked because it was from 10 years ago.
Recently, actually two recent examples. D-Link, which are a very big brand for routers, just a few days ago, they reported, well, someone reported that there’s a vulnerability, they can be hacked for a device that was launched in 2017. So it’s not that long ago, eight years ago. It was discontinued in 2021. It was a high-end router, but it’s now very hackable. And they’ve also said, we’re not gonna, they’re not gonna fix it. So people who have those routers, they’re not gonna be constantly thinking about, oh, I’m now exposed, I’m now, someone’s got a master key to my house, right, from my router. And they can enter my network. Because it works. It, you know, if I’m a user and it’s still working, I don’t really think about and consciously go out to pay attention to it. The recent one.
And the other thing I also learned recently was, the devices that we completely forget about. It’s fun to set up, but if you don’t find the value from it, you actually forget that it’s connected to the internet. One of the unexpected devices that came up on my radar recently was a Thermomix. Oh, Thermomix cooker. So it’s wifi enabled. Someone’s worked out how to hack it. You need physical access to the Thermomix to actually hack it. I never thought that there would be even a point of attack. Like first of all, I don’t know how many people that use the device still use it with the wifi. But it’s one of those things where it has the capability, it’s got the parts for it. If you’re not constantly thinking about keeping up to date, maintaining it, managing it, then it can be used against you.
Henry Suryawirawan: And we, just now when you mentioned it, it is used for DDoS attack, right? And DDoS attack is just like sending garbage traffic. Even it could be like ping or whatever, right? So it is very easy to just send from any device endpoints, right? So that’s one thing.
[00:20:40] How Can I Tell If My Home Network Is Compromised?
Henry Suryawirawan: And I think this comes back to like, even including me, right? Sometimes we put a lot of focus on our laptops, our hand phones. I think those two are predominantly devices that we think is the most like, yeah, susceptible and our golden source, right? And we have so many other devices. I’m pretty sure many people don’t even think of, you know, updating the firmware, because it would even take a lot of effort to just, you know, go to the settings, update the OS, because it doesn’t do that automatically, right? Unlike maybe your laptop or your hand phone, it will just auto update and you just trigger yes, right? So I think this brings an awareness for us as a, you know, like, common people, I guess, to actually now think that we have so many devices at home that are probably prone, especially if we buy it a long time ago. The firmware is not updated. And even the provider has stopped providing the patches, right? So I think now we can kind of like map a little bit. So when we think about this now, right? What should we do? So I guess, this maybe come to your Otonata, right? The things that now you’re doing, right? So, yeah. How do we know that we are being hacked or not hacked?
Joseph Yap: I think in most cases it’s hard to tell. So I think one of the challenges with network devices is that if someone broke into your network, it’s different from someone breaking into your house. Even though there are a lot of parallels, right? If, and this is kind of where I started for myself as well. ‘Cause I was concerned about home security. And I had, you know, security sys, alarm systems, I had sensor lights. I had enough indicators to tell me if my security is compromised. But then I realized that my network is a whole different ball game, because if someone broke into the home network, it’s like they have access to your house but you don’t know that they’re there. It’s a bit like, I dunno if you’ve watched the movie the Invisible Man. It’s very freaky if someone is standing behind you, but you don’t know them and they’re there 24/7 watching everything that you do. They have access to everything that you have. It’s a scary thought, but it’s a good parallel compared to your physical security. This is your network security.
How can you tell? There are a few indicators of compromise. One of the ones that I find kind of anyone can do is look at your router and see what the traffic is. Firstly, see what’s connected on your network. You know, your most modern routers should show you everything is listed in the network. If something looks a bit suspicious, as in you don’t really recognize or you can’t find it, you go around everywhere. Maybe it’s your washing machine, maybe it’s the fridge, I dunno. But you can’t find out what that one device is and it’s sending data and it’s connecting. That’s the one you need to be concerned about.
Second one, similar to the router is check your firmware, right, as what you pointed out. Age is a big factor, a risk factor. If you’ve got a really old router, chances are there’s someone’s already found a way to hack it and has published it. If you haven’t updated the firmware, or in some cases you can’t, you’re not allowed to update the firmware. I’ve had quite a few routers in Singapore, unfortunately, where it’s convenient to keep the router because you’ve set up 50 devices on your wifi, and you’ve signed up to a new ISP, ISP is giving you a router, but, you know, ah, I don’t wanna have to reset up all the wifi again. I’m just gonna use the old router. Unfortunately, in a lot of cases, the firmware is fixed to a much older version. I’ve now physically forced quite a few routers of clients to forget the ISP version and follow the manufacturer’s version. But it’s so much effort to try and do that.
So firstly, you need to know about it. And secondly, you gotta put an effort to break out of that. So one, check what’s on your network. Two, if you can, make sure the router is recently up to date. The third one goes back to the first point. If you’ve got anything suspicious. So you mentioned the, my business, Otonata. We’ve now got something called a hack check. It’s a free service. Basically you take a photo of a device if it’s something that you are a bit suspicious about, we’ve now got AI to help you recognize what the device is and then also run it through our vulnerability database. And what that means is it will look through for that device, any known publicly disclosed vulnerabilities. So unfortunately, the database is now over 300,000 lines of products. But basically we can tell you that, hey, this product is there’s a risk of it having been hacked before for different reasons.
The worst one is the, what’s called RCE, Remote Code Execution, where it’s not just the mobile phones and the laptops, right? Smart TVs, especially old smart TVs, they’ve got a lot of processing power. ‘Cause if you think about something like what, running 4K and processing a 4K signal, it actually takes quite a bit of power. But if you got an older TV that hasn’t yet been up to date, I think the biggest risk we find are one, age. Two, things which have good processing power. But three, if it’s, how do I put this? It’s a dubious brand, a no-name brand. So sometimes you get OEMs that have kind of cobbled together different parts and, you know, a screen from here, processing board from there. Those are typically the ones where we found that there has been, you know, more cause for concern.
I’ll tell you a funny story, but one of the, before I got into cybersecurity, one of my friends was very proud of the fact that he bought a media player from a very small shop that was $50, but you could access everything. So I was like, I understand business enough to go, you’re not making money for $50. You have access to pirated movies, streaming from IP TV all over the world and it’s $50 for a lifetime? It reminded me of a quote that if you can’t work out what the product is, you are the product. So it occurred to me much later on that you paid them $50, their job is to feed you with dodgy content, but they’ve got access to your house. You are the proxy. You are the service. Doesn’t matter, the $50 doesn’t matter anymore. They’re selling access to your network to be able to access the rest of your network in your devices, in your house.
So yes, while, you know, your laptops and your mobile phones are the ones that you only think about. If you expand that to just go by the processor, your network connection, storage, power, your home could actually be a computer, right? Just different, just split out over different things, distributed computing. Your neighborhood could be a computer. And when you think about how connected everyone is from a wifi point of view, there’s actually now they found another form of attack called nearest neighbor attack. Whereby rather than attacking a target directly, they attack the neighbor, compromise that network, and because it’s wifi distance away, 24/7, they’re just knocking on the, checking every single door they can until they find an entry point in. So I find that in Asian countries, and this goes back to one of the hypotheses for why Asia is a hotbed for sources. My hypothesis is because everyone’s so dense within wifi points, it’s gonna be quite easy for someone to work out how to attack one location, find wifi around the area, use that to attack someone else’s house, use their resources to attack the neighbor and the neighbor and neighbor. So daisy chain the attack. When I do a scan of where I am now in a 24 hour period the wifi around me, I get over 800 points. So if you think about it, it’s almost like someone trying to break into your house, there’s 800 doors to choose from, and you can do it 24/7 because it’s distributed computing, right? Once you’ve broken into someone else’s house, there’s zero opportunity costs. All you need is an AI-written bot to work out how to best maximize that location to attack everybody else.
So I find it really interesting. There’s a lot of vectors, it’s whole new cowboy territory. There’s a lot of vectors that are now gonna be AI augmented as well, because they’re going to, they’re finding… researchers are finding more and more new threats that kids, even kids are getting into it. It’s kind of disturbing. But the barrier to entry for hacking now is super low.
Henry Suryawirawan: Whoa. I think you just opened up a lot of things, right? So obviously there are many interesting things that we can pick, right? So the first thing I think, just to summarize, right, for us at home, please try to first figure out what networks are being used. Yeah. What devices are being connected to your network, right? See if there’s any device that you don’t know. The traffic is a bit suspicious, right? And first, identify that. Check the firmware. Use your tool, I think, I believe it’s free, right? Available online and I think we can just take a snap and upload it and maybe it can tell whether there’s a risk or not.
When you mentioned about the media player, in fact, today, I read an article in Krebs that says Android Media Player, the typical thing for streaming, right, it’s actually vulnerable to such things, right? So if those of you listeners who actually have this kind of device, that will be also one thing to be suspicious about, right? So think about the repercussions of continuing using the device.
[00:30:13] Which Devices Are Hackers’ Favorite Entry Points?
Henry Suryawirawan: Okay, let’s say we have mapped it out, right? So but one thing I would like to understand, this is also for layman people to understand, right? So where does the attacker actually come in the first place, right? Because we have so many devices. Router is one, right? We have smart TV, we have maybe fridge, whatever that is. How does it actually go inside? Which point of attack typically is the most vulnerable, yeah?
Joseph Yap: So I think the two most likely sources are either one, your compromised IoT device, which is, you know, typically your media player, even your printer. And the other one’s gonna be your router. And like I said, I think as long as there’s a sufficiently powerful processor in that device, and it is able to be compromised to get to RCE, running code, that’s when it’s going to find everything. It’s doing everything else that a hacker would wanna do, which is look around for your network, look at what combination of devices that you have, and then work out what’s the next best spot to jump into. So that’s called lateral movement. If you look at the diagnostics of some of the larger attacks by the more state sponsored, those really powerful APTs, that’s really what they’re looking for. Lateral movement and persistence. Because what they wanna do is be able to… they don’t just break in and then they go steal everything. It’s not like robbing a bank. They wanna hide there ‘cause they wanna use it to leverage into something else.
And there have been few big cases, quite well known cases where, for example, in Medibank Private, which is a private health insurance. The government took two years and they worked out what actually happened. The database administrator’s home PC got hacked and they found the passwords that he had for the database. Over three months, they just slowly tested it and went, oh, we can get in, we can get in, we can get in. And they stayed inside the servers downloading 500 gigabytes of data. This is personal medical information.
So if you think about it, in the home network, what they’re really targeting for is movement across the network to see how many devices they can compromise and then staying inside the network and using that. And that’s what the persistence is. You kind of want to ex, you kind of expect that your laptop is safe. Especially Mac, like there’s a, there’s a reputation for Apple being very pedantic about security. But even now, you can see that if you just Google zero day, right, you’ll see that even Macs get compromised as well. No one is completely protected. Like there’s enough incentive for hackers to want to target Macs because of their reputation and because people expect it to be safe. But unfortunately, the reality is it’s still software. It’s still computer, it’s still made by people. And now worse with one extra computing resources and AI, it’s even easier now to customize a target and what’s the best way to attack the target based on what they have. So that lateral movement is one of the things that they’re typically going for. And DDoS is just the easy thing to do once you compromise a network.
[00:33:18] What Is a Residential Proxy and Why Should I Care?
Joseph Yap: What they’re finding now recently is that the hackers are using people’s houses and monetizing them. So there’s a term that really disturbs me now. It’s called residential proxy. It’s almost like giving someone, renting out someone else’s network access to someone who wants to hide the information in the news. If you look at, in the Singapore context, there’s very strong laws around loaning out your SIM, your SIM card, you get in a lot of trouble, right? And it’s because your SIM card is then used to commit crime, scam other people. And going back to the whole reputation in Singapore being a law abiding, when you see a number that’s a trustworthy number with a +65, you kind of expect, oh, you know, they should be protected. In that same context, the internet connection doesn’t have any of that.
Henry Suryawirawan: Yeah. Yeah.
Joseph Yap: Yeah. Unfortunately, if someone else is renting out your home network connection, the people that want to use that to hide whatever they’re doing can have all sorts of different reasons.
Henry Suryawirawan: What are typical use cases that people are doing with this residential proxy?
Joseph Yap: So, at the moment, what the family friendly version is fraud, unfortunately, which is, you know, looking like it’s coming from, the traffic is coming from somewhere else. There’s much scarier things that people, ‘cause they’re renting it on the dark web. There are much scarier things that people can rent them out for that are not family friendly. When you think about pornography, the darkest things in the dark web that you don’t want people to be seen that you are accessing, that’s where residential proxies are becoming a service. So hackers are compromising it and they’ve gone from botnets, which are, you know, a bit more volatile to trying to come up with more stable, sustainable, they call it sustainable sources of income, which is to rent out other people’s houses.
That concept really disturbs me, because these people don’t even realize that they are, they’re being sold as a residential proxy. And it’s the people that bought the $50 media player that went, oh, I’m getting all this great content, but they’re actually now part of… Yeah, but it’s, I don’t think we’ve seen enough. I don’t think there’s enough cases yet where someone is, has been taken to court or arrested because their network has been compromised to the extent that they’re being used to facilitate a really bad cyber crime. But it’s not implausible. If your bandwidth is really great ‘cause you’re really like online gaming, for example, and there’s a whole bunch of traffic that happens after you’ve gone to bed, I don’t know what the liability, where the liability falls. But if it’s a SIM card, it’s very clear you’re the one that let your access out. But home networks, I don’t think we are quite, we’re quite clear on that yet.
Henry Suryawirawan: Yeah. And even like it’s very distributed, right? Again, like it’s very hard to trace actually how the traffic goes in the internet in, in while connected internet devices. And, yeah, again, just to remind people, if you buy this kind of media player, be cautious. Try to check further.
[00:36:27] How Do Hackers Actually Break Into My Network?
Henry Suryawirawan: You mentioned something about password, right? Again, I wanna understand the root cause how these attackers can actually go into your internet router or your, I dunno, media player, printer and all that.
Joseph Yap: Yeah.
Henry Suryawirawan: Is password like weak password the typical way they hack in or is like open ports or is there any other thing that they do?
Joseph Yap: There’s no, so in the… I’ll come up with the, I’ll go backwards a little bit in the context of what I do in terms of the service that I provide, right? What I try and do is, I look at how someone would compromise your network and use it against you and then protect from that. And what that means is the service that I do is it’s almost like going to your house, looking at all your doors and windows and going, that one, you’ve got a rusty lock there, someone’s gonna come in and break in. That one’s big enough to, that one, I know this brand of door or door lock, it’s been broken into.
Henry Suryawirawan: I like the analogy, yeah, okay.
Joseph Yap: So the network version of that is going into your home network. So I’ve got devices to actually plug into your network. It’ll do an initial scan to do an inventory, right? If I’m a corporate IT person and I take over the responsibility of the IT assets for a company, that’s the first thing you do. Do inventory and look at all the things that you have. Then one by one, I will test the vulnerabilities on that device. So going back to what I said earlier, we’ve got over 300,000 lists of items. They are known, they’re published. One of the, it’s a double-edged sword. One of the ethos for hack-for-vulnerability and security research is that when you find a way to hack something, you tell the manufacturer and you give them a chance to fix it. Unfortunately, not every manufacturer will fix it. Not every manufacturer cares. And in the meantime, until it’s resolved, this information is public. It’s known. So like I said with the D-Link example, they’re afraid they said they’re not gonna fix it. But what that means is the instructions for how to hack it are on Google.
Henry Suryawirawan: Oh no!
Joseph Yap: So that’s how, that’s, and like I said, the list of the database that I have, it’s just, it’s growing exponentially. But the service is basically to look at the devices that you have, and then based on the vulnerabilities that we can test, we’ll test them and tell you this is how someone will hack into your network and this is what you need to do in order to prevent that.
In the context of the, what you are asking around what’s the most common way. The most common way that I, if I’m a hacker and I’m hacking a house, is to actually look at what devices you have and check the internet because it’s been published. ‘Cause that actual device has already had a publicly acknowledged way of accessing that and it’s got instructions.
Henry Suryawirawan: Oh wow!
Joseph Yap: Right, so unfortunately, based on that approach and that ethos, once you break into a network, it’s not hard to work out how to then take advantage of that. Easy passwords are, it’s a no brainer. It’s almost, there are tools that you can go online to actually see how challenging your password is. And that’s one of the things I recommend people do as well. Try a password strength tester. Being a child from growing up with technology in the eighties, you used to come with a password that was easy to remember. Unfortunately, those are, it’s like closing, trying to cover a piece of paper as your front door. It’s completely useless. People just charge through ‘cause brute force and distributed computing makes it so easy. So it’s almost like you don’t even want to talk about the simple passwords. The weak passwords being a factor because that’s already a given. You need to not have default passwords and simple to guess passwords. Unfortunately, in the clients that I’ve seen, it’s still happening a lot. “adminadmin”. I dunno how many devices I’ve seen with the username and password “adminadmin”.
What we’re finding now as well is even with what looks like random passwords, security researchers have now found a lot of hardware. Even though it looks like a random password, there’s actually an algorithm to how they create the random password. So unfortunately, even with a modern router, it looks like it’s really weird and randomized. One of the cases was a researcher found that it is based on the MAC address. Because again, it’s designed by a person. It’s not, they had to come up with a way for them to scale it up and to make it within a scalable process and therefore that’s the algorithm they use. And someone worked out, I can reverse it and I can find everyone’s password. So there’s no one way, unfortunately, there’s no one way to protect. You gotta think about the flexible approach, right?
So one cybersecurity terminology is called living off the land, whereby if I am, if I can’t bring anything to the party and I can only attack this way, what can I use, what resources do I use within that space to be able to… You have to be creative, right? If you’re a hacker to just, you know, it’s like breaking into a bank with only a backpack or your watch. It’s almost like a MacGyver thing. Yeah, exactly. But the problem is now you have AI. AI can scrape everything, can search all this other stuff to help you. So yeah, passwords is like a, you don’t even wanna talk about it anymore ‘cause you need, it’s like minimum a very, very minimal standard. Don’t use default passwords. Change your default passwords.
And even on things like security cameras, it’s very common for security cameras to, because you feel like it’s a physical device plugged in, but you forget that actually it’s probably streaming video somewhere else. So a lot of times, some of the passwords are actually baked into the hardware as well. Brother printers, there were the mother-, I think it was the motherboard manufacturers, unfortunately, had a hardware password baked into it. There’s something like 6,000 different models of various printers that all have the same flaw and you can’t fix it from firmware update ‘cause it’s built into the hardware. So it’s cases like that where you have to do what you can with the password, but it’s not gonna be bulletproof either. There’s no one tried and tested way where hackers will keep going. They’re gonna be creative based on what you have and unfortunately they’re gonna use that against you.
So on that, what I try to espouse is something called the be the path of greater resistance. So in the cybersecurity world, there’s something called defense in depth where you want to not just have, that’s where your multi-factor authentication comes in. You don’t want to just have one level of protection. You want multiple ways of protecting. And even in home security, that’s a common parallel. There’s a story around a bear and chasing people in the woods. I won’t go into that one. But basically the idea is as long as you are a bit more difficult than someone else, you create a bit more resistance to being the easy target. You’re already better off, right? So I don’t know if anyone is unhackable, I don’t know if anyone is, even Fort Knox. I mean, if you got enough resources, you can break into anything, right? It’s just a matter of whether it’s worth it. So it’s a question of not necessarily trying to go crazy to protect a lump of coal. You wanna find the right balance between what you have at risk, and how much effort you put into protecting it.
Henry Suryawirawan: Yeah. So first of all, it’s like thanks for all sharing all these. I think it opened up a lot of our minds, our eyes, right? The first is like the scariest part is like so many devices with outdated firmware that are publicly disclosed, you know, in terms of vulnerabilities. And if the vendor, the provider doesn’t patch it, you know, it stays open, people can try it. Even like you mentioned the instructions are out there. And we all know now with like AI capability, you can just search and even try yourself, right? Hacking into others. Okay, that is…
Joseph Yap: Don’t try this at home.
Henry Suryawirawan: That itself is pretty scary. Second thing is you mentioned about password, right? So I also realized, or just realized when we, when you talk about brute force, I think all these devices don’t have something like a rate limiter or, you know, the ability to actually, you know, kind of like back pressure, you know, like where people are attacking you with so many traffic.
Joseph Yap: That’s right.
Henry Suryawirawan: So many attempts, so many times. It will just let it, right, until it breaks. And if you use easy password, even default password, it’s so much easier to just hack within minutes, I guess.
Joseph Yap: Yeah. The worst wifi password I found took three seconds. And this client was living on a very busy street. So I told him, you know, if I drove by your house slowly, I would’ve broken into your wifi. That’s how. It’s three seconds. Unfortunately, like I said, if you grew up in a time where brute force wasn’t a thing, rate limiting wasn’t a thing. We are in a whole different world now where it’s so easy. It’s almost like, you know. Our phones are so much more powerful now than a full size room computer was, you know, 30, 40 years ago. We, but our culture and our expectations of technology are still kind of very backward.
So absolutely right. Like if you think about what I said earlier with age being a risk factor. With the smart TVs, I don’t know about modern ones. I would hope that there’s some kind of cool off mechanism, rate limits where, or too many, you’ve got the password wrong five times. Like you have it with your phone, right?
Henry Suryawirawan: Yes.
Joseph Yap: The more you try, the longer it takes before you can try again.
Henry Suryawirawan: I’ve never found one with any of these devices actually.
Joseph Yap: Exactly. So I don’t know. I don’t know if they built that. But again, going back to age, I almost guarantee you 10 years ago, a smart device would not have any of those because you go, no one’s gonna try and brute force my TV. Because I just wanna put it on the internet. I wanna make it smart and make it accessible.
Henry Suryawirawan: Does it mean, is it possible now for you, because you mentioned like at one point in time you scan there could be like hundreds of wifi networks available. Like I just bring a device. It could be just mobile device. You just walk around and just stay for, I dunno how many minutes and see if you can… I, wow.
Joseph Yap: Yeah. I don’t really want to talk about it ‘cause I feel like people will get the idea to try it.
Henry Suryawirawan: Okay.
Joseph Yap: Unfortunately, the tools are there. That it’s not hard. And that’s kind of what concerns me. We are in an environment where the technology and the capability is very, very far advanced for misuse. And the expectation and understanding of security is very, very, very far behind. It’s just, the gap is just growing. It’s already big enough for corporates. You read about how many enterprises are being compromised and hacked on a daily basis. There’s nothing paying attention to the homes. And yet we know that from a DDoS point of view, they’ve already been significantly compromised.
So that’s the way I find it interesting personally because I’m going. How do I help people at least catch up a bit to the corporate? I’m not saying be a corporate, you know, to that extent. Because even then, quite frankly, they’re not keeping up to the level of threat. But take some steps, right? Be the path of greater resistance. Take some steps so it’s protecting yourself. And don’t make it so easy because it’s bad enough. The gap is huge enough as it is.
[00:47:47] Why Are Executives and High-Net-Worth Individuals Prime Targets?
Henry Suryawirawan: Coming back to that, right? Like the path of greater resistance and also like the number of point of attacks that hackers could leverage, so to speak, right? But interesting enough for your service, right? You kind of like target a lot for C-suites, executives, right? High-net-worth, lawyer. You also mentioned in the very beginning just now that personal medical, you know, information could easily be hacked simply because they went in from your home network.
Joseph Yap: Yeah.
Henry Suryawirawan: So tell us this, like if you’re part of this demographics or personas, so to speak, right? Are you, should you be more concerned? And why attackers love, you know, chasing them?
Joseph Yap: Yeah, absolutely. So if you think about from an economics perspective, what’s the incentive for someone to attack you? Quite a few times when I’ve had the conversation with people to tell them, hey, you’re at risk, sometimes the response I get is, so what they gonna do to me? Like, what are you gonna do? They go, they, you know, I don’t have money in my bank, for example, right? And what I found is there’s three threats that are quite common and more prominent in high-net-worth individuals.
The first thing is they’re attacking you directly, right? So they’re going after your, you specifically, your assets, your financial assets, your digital assets. For example, bank accounts, right? If they can… I’ve known of cases where they’ve been able to spoof someone’s bank account and show them a screen that’s not theirs and actually transferred the money somewhere else. Stealing passwords, stealing your family photos and holding that as ransom. I’ve heard of cases just this year where someone’s C-suite person has had their entire digital identity stolen. So social media accounts, family photos, bank transactions, financial records, travel plans all stolen and then sold on the dark web for identity theft. And the person didn’t even know about it. So he wasn’t even given a chance to pay a ransom to get it back. He was just, immediately his information was all sold and utilized against it. So you might be a target just by targeting you directly.
The second other source that I’ve seen is, it’s happened more in, I’ve seen in Australia where it’s tax fraud. So they file on your behalf. So they have enough information about you to file your taxes for you. It sounds convenient. But what they’re doing is they’re actually claiming a refund under your name. So they’re getting very big chunks of the money out from the tax office. The last one I heard was $24,000 as a refund. And they get the money transferred to their own account and then they disappear. But when you go to do your own tax claim, suddenly, oh no, I haven’t filed my taxes, I haven’t done any of that. It’s so much effort to undo that damage. I’ve got friends that couldn’t, that lost sleep because they felt personally violated. But on top of that, just the admin to be able to undo that and the loss to the, you know, the tax office is quite significant. It’s a very big deal.
The third one is what I talked about earlier which is access through you. So depending on what you have access to, C-suites are a very popular target because of the access to the organization. There’s a lot more efforts at trying to protect them through, you know, VPN, through, I’ve got friends who, they do the internet banking on the work computer and they do everything else on their home computer. Like keep, you know, keep all that separate. But it’s because they’re very big targets for leveraging their access. I already know of two people that have had their title, the office holder title used against them, against the organization. So what that means is one of them was saying he was the president of a sports club. His email got spoofed to ask the treasurer to send money. The easy way to do that was to go online and look at all the office holders ‘cause it’s public. It’s public information. It’s called open source intelligence, right? So C-Suites are very, it’s easy to see what they look like. It’s easy to find out who they are, where, what organization they are, what their role is.
And in more recent cases, and I’ll show you some links, but CFOs, CEOs have been spoofed with deep fakes, with AI technology, to mimic them and provide instructions to, hey, transfer $25 million. It’s me. I’m giving you the authority now on the video call in front of other deep fake members of the executive. And it’s, there’s more reasons to be targeting a high-net-worth individual from an economic incentive point of view.
Now, if you are a hacker just after a botnet, you don’t need to put in all the extra effort. But you have a whole different model there. And quite frankly, that’s why a lot of people have, that’s why they’ve been so successful. ‘Cause these people aren’t really looking after themselves. So I’m focusing on the people that have, one, more a bigger target, but are also more willing to get help to protect themselves because they know that they’ve got more risk. If I had a magic wand and unlimited resources, I would want to try and protect everybody. But the reality is, you know, you got an 80-20 rule, you gotta work with the target that are more responsive, but also higher targets until I can work out how I can scale this and make the umbrella bigger. And try and get, I guess, more people involved in looking after that.
There’s a similar parallel in what’s happening in the US. A lot of infrastructure, city infrastructure, so water systems, for example, they run with operational technology that was really, really old. And what’s happened is they’ve been hacked on a regular basis, but because they are, it’s such a fundamental service, I mean, imagine if you wanna turn on the tap and there’s no water. But at the same time, because it’s so old and outdated, it’s not fun, sexy to get into the industry of cybersecurity for water service. So they become really big targets. So there’s a big community now in the US for white hat hackers to volunteer their time to go help protect their local water utility. Because without that community, that kind of community approach, there’s no way to scale it up to be able to fit. And even then they’re only covering a small portion of it. They’re not covering everybody. So very, very big target base. Very hard to reach everybody at once. I’m focusing on the people that are more susceptible, but also are gonna be more willing to listen to, hey, this is how you’re gonna get attacked. This is how it can help you. And that’s why I’ve targeted the, yeah, executives. Ideally it’d be everybody. But, yeah, it’s not a, it’s a very big landscape at the moment.
Henry Suryawirawan: Yeah. I think that’s also very good awareness building, right? Because again, like we all like our gadgets, our devices, we just buy them, put it at home, you know. We forgot about it, especially if you’re these type of persona where you hold a lot of information. You know, could be medical, private, it could be your digital assets. I think these days a lot of people, hack into, I dunno, either your browsers and they just took your crypto for whatever reasons, right? In this world these days, I think if you simply have a lot of these assets, right? I would say just be mindful as well and yeah, probably do take care about the security of your network, right?
[00:55:12] Why Isn’t Singapore’s Cyber Attack Problem in the News?
Henry Suryawirawan: So with all these, right, how come in the news, there’s no, nothing, nothing at all mentioning about this, because this is happening, and it’s widespread. And if you’re saying that Singapore now is the top source country, why I’ve never heard anything about it?
Joseph Yap: That’s an interesting question. I have actually had a chance to ask someone in the government before. The response wasn’t what I was hoping for. But you’re absolutely right. I think at the moment there’s probably a level of concern but not necessarily clear understanding of what to do about it. So just a few months ago, I think the Minister of Law called out for the first time threats from APT that, and calling out the country, the source, is typically not in the culture for Singapore to be acknowledging.
Henry Suryawirawan: I was curious about that. Why? Yeah.
Joseph Yap: Calling it out unless it’s really, unless it’s like a real, really serious problem. What I think at the moment, unless there’s a clear line between the damage that’s being caused. Like I said with the SIM cards, it’s probably my best example. At the moment, it’s very, it’s a lot easier to see that, hey, if I don’t control the SIM cards and allow people to take advantage of that and use that for legal purposes, then that’s when the response, the societal response is, okay, we need to clamp down on it. We need to deal with it.
I don’t think that’s as clear cut yet with the internet technology and with, so I think, one, the attack is not so clear and two, therefore the response isn’t as harsh or as firm or as immediate and urgent. But when you can see the efforts that Singapore is working on at the moment, I think it’s clear that they are very concerned about the effect on corporates and businesses. ‘Cause that does link to the reputation of the country as well as being attractive place for businesses. So I think it’s a matter of time before, one, the attack scale up, before there’s more and more things that you can do with a compromised network. And then two, finding a strategy to be able to respond to that.
I use vaping as a parallel. So when vaping started happening, you know, there was a growing trend, growing popularity. It didn’t seem like it was that big a deal until they started putting more and more things into it. They started getting more visibility around the problem and it became very, very clear that, okay, we need a stronger response. And the government has then gone, right? That’s it. Zero tolerance. Clamp down on it.
I see a similar parallel to that with home cybersecurity. Unfortunately, the way the networks are working, it’s harder to… unless you’re China with a firewall. And even then people get around firewall. It’s harder to control things that flow in and out from the internet. It’s not like it’s a physical border. I think that’s where, again, if the threat is not clear and therefore the strategy for responding is not that clear, you have to quite frankly let things develop further and then see, okay, so how do they respond from that? But from my perspective, by that time, where we are, it’s already kind of we’re already late to the party. So it’s almost up to the people to try and take the personal responsibility to protect themselves. And quite frankly, it’s almost a going back to defense in depth. Even if you have a police post station near you, if you’re surrounded by police stations. And if there’s security guard in your state, it doesn’t mean that you should leave your front door open.
But when I say we collectively, you’re so used to a protected safe space that you don’t really think about what people could be doing and how they could be leveraging you. It’s to the benefit of the, you know, the people using the networks and access and hacking. So it’s almost like, I just think that we are not yet there in the point where there’s a very big, clear problem, but it’s got enough fires and smoke to indicate to me that this is gonna get worse. Yeah. It’s just gonna get worse. So in the meantime, I’m gonna try and help people be educated to be able to catch up and try and close a bit of their gap. But quite frankly, I expect the gap will still get bigger, especially with AI growing at the pace that it’s growing.
[00:59:26] Can Internet Providers Stop These Attacks?
Henry Suryawirawan: How about the telco, you know, the internet provider? They would have seen this traffic, right? Especially if it’s being used for DDoS attack. I’m sure like you will see the kind of like the targets, right? The target endpoints go to somewhere and in one go. Like how about them? Like can they actually try to mitigate a little bit?
Joseph Yap: It’s hard. So at the moment when you look at the scale that they’re attacking it’s, you know, it’s within 14 seconds, for example. By the time the AI recognizes, oh, there’s something going on, it’s already over. But one of the interesting trends that I’m, that you’re seeing with DDoS attacks, they’re actually attacking ISPs as well. So it’s almost like if you… there’s a level of mischief in what they’re doing as well. It’s not always, you know, for commercial gain or economic gain. It’s also sometimes they just wanna piss someone off.
So ISPs actually, if you look at Cloudflare and the setup they’ve got, because they can, they’re tracking where all the IP addresses are, they can actually tell the ISPs, this is where your, yeah, this is where the attacks are coming from. I actually want to talk to the ISP to go give me a list of all the IP addresses. Every time I go to a house that I check, I can marry it out. I can tell you there’s already a compromised device there. I just don’t think at the moment the concern, the level of concern is warranting that for the ISPs to actually take that kind of action. But I feel like if, you know, magic wand, that’s what we need to be doing. We need to be going tell me all the ones that are, have been compromised ‘cause attacks coming from there, I’ll go send someone there and actually work out with what devices. One or many devices is actually contributing to this, right? Because the footprints are there. That’s the good thing in a way about the internet, right? Even though it’s all connected, interconnected and all digital, you should be able to see if you can see it’s coming to attack you, you can see where it’s coming from.
Henry Suryawirawan: Yeah, with the packets.
Joseph Yap: Yeah. So it’s really around be able to trace and follow that. But yeah, we’re just not in a position where, one, they’ve got the resource and the, I guess the social urgency to deal with that. Like I said, if it becomes a bigger, which I expect it’ll become a bigger problem, like with the SIM cards, then yeah, you’re gonna put in more and more steps to try and deal with it. But also if you look at the rate of growth of DDoS as a proxy, I don’t think any country in the world is prepared to deal with the level that they’re growing. And the Aisuru report that Brian Krebs was just discovering is hitting new records at… Like this year they’ve gone from, I think it was 3.5 to now 30, 30 terabits per second. Like the pace at which they’re collecting devices and breaking and compromising networks is I don’t think any single government by itself can deal with that level of growth.
[01:02:16] What Can I Do to Protect My Home Network?
Henry Suryawirawan: So if government, maybe now not the right time for them to act in. The ISP is probably also not the right time. So it’s coming back to us now to protect ourselves, right? So thinking my head, typically in a corporate or maybe like we read in the news or some blogs, right? You would typically install anti-virus, anti-malware on your laptop. In corporate you will have like a firewall, you know, put in place. Is there such thing that we can do to our home network as well?
Joseph Yap: I think the short answer is there’s no one size fits all. Like I said, there’s no one path that people are following. In the early days with viruses, it was a lot clearer, right? You would get infected through an email or you would get infected through pirated software. Like there was clearer vectors for attacks. Now with the level of technology and how everything is a lot more interconnected now. And again, with AI giving you a very, very large range of access tools is not as straightforward as that. I think that’s where one of the philosophies that I push is to… “can doesn’t mean you should”. So you shouldn’t just connect things. You shouldn’t just buy it ‘cause it’s got wifi. You shouldn’t just plug it in and not as, as any value.
I have a robot vacuum cleaner. It sends a crazy amount of data to the internet. It’s very frustrating that I know what it’s probably doing. It’s scanning on my neighbor’s wifi. It’s logging everything in my house and sending it to them, but I’ve kept it separate from my, the rest of my, all my devices. I get a lot of value out of having my robot vacuum cleaner run once a day, twice a day because it keeps my house clean. So I get benefit of doing that. My washing machine, on the other hand is wifi connected, but I get zero value out of that. In fact, I’m probably the service of how, the product. I’m giving them my product information. I’ve connected it as well because I wanted to not leave it open for someone else to try and connect to it, but I’m a lot more conscious around why I’ve connected it that way.
So going back to what you were saying with the anti-virus and anti-malware, there’s no clear one size fits all approach, what I try and challenge people to do is think about spring cleaning. Spring cleaning your network. Like look at all the things that you have at your network and go, do I actually get value? Does it improve my life to have wifi connectivity for this thing? If not, then either get rid of the thing or at least try and disable the wifi. Unfortunately, I’ve seen so many cases where people have connected things and forgotten about them to a point that even though they’ve been hacked, they don’t even realize it. And because they haven’t used it on a regular basis, it doesn’t add the value. You forget that you are taking on the risk without the benefit. So it’s all bad news having that some kind of connectivity.
So yeah, unfortunately there’s no one size fits all approach. You know, back in the day, it was just running antivirus. But now, the amount of different threat vectors are significant, the best thing to do is try and reduce your attack surface and try and keep as little entry points for, you know, someone to access your house.
[01:05:19] How Do I Protect My Network-Attached Storage (NAS)?
Henry Suryawirawan: Speaking about value, it reminds me one typical device that people have that is always connected and it’s kind of like valuable for them, which is the network attached storage. This could be your harddisk that you can access from anywhere, right? What should we do about it? We love it. We want it to be connected, but it also opens itself up for attacks.
Joseph Yap: And I think the challenge with network access storage is it’s very attractive for multiple reasons.
Henry Suryawirawan: Yeah. And typically we store like personal. Yeah, yeah.
Joseph Yap: One I’ve got, in Australia, ASX20, top 20 listed companies in Australia. I know one of them has been hacked before with ransomware on the NAS. I’ve several NASes as well. And one of the best targets, most attractive targets for ransomware because it’s your digital assets. I constantly tell people that if my whole house burned down, the only thing I need protected is the photos. Because you can’t replace that. You can replace everything else. Your passport, your ID cards, what certificates, whatever. You can get reprints. But you can’t get the photos back. So it’s a very, very attractive source. Unfortunately, going back to what I said about distributed computing, it’s got a processor, it’s got storage, and it’s got network. It’s…
Henry Suryawirawan: It’s got your asset as well.
Joseph Yap: Yeah, so it is a great target. And quite sadly, I’ve seen quite a few NASes now that when I run this vulnerability scan thing, because it’s so attractive, going back to what I said about the ethos, it’s constantly being hacked and new vulnerabilities are being found all the time.
One of the key things that people have to be doing is checking whether the firmware has been updated for NAS. Right, you, that’s one of the, keep in mind that that’s one, it’s a gold mine. Like NASes have been found to be mining crypto. Because they’re on there 24/7. They’re constantly worrying and you just don’t know what’s happening. They’ve been very popular.
Trend Micro have something called Zero Day Initiative where they reward hackers, competitions for hacking the NASes, QNAP and Synology have been very, very popular. And there’s a Singapore company. Actually I’ll call them out on this podcast. STAR Labs. They’ve won what they call Master of Pwn which is there are a few competitions every year. They won the one in, I think it was Ireland, no, Berlin, I think, earlier this year where they’ve successfully shown how to hack into things.
So going back to what I said before, the workflow for security researchers to hack into something is to share the information with the manufacturer and then make it public. But ideally giving the manufacturer time to patch it. This happens a lot with NAS. It’s very… 2, 3 times a year, this happens. So if you have a NAS, absolutely take extra precaution with it. Check if the firmware is updating, up to date. If it’s old and it doesn’t update anymore, get a new one, unfortunately. Christmas, go shopping. But at the same time, be aware that it’s a very attractive target and just do the hygiene, like the digital hygiene that you need to. Don’t hold things that longer than you need to, right? Cause it can be used against you.
Henry Suryawirawan: It’s typically harder with NAS, because as you accumulate your data, your files, right, and to migrate it to something else.
Joseph Yap: Yeah.
Henry Suryawirawan: When you have terabytes, for example, you have terabytes of data.
Joseph Yap: I literally in my bag right now, I have a harddisk to put in the NAS that I just bought an hour ago. ‘Cause I want to, because I’m actually doing that. I’m, it’s outgrowing the capacity. So I just bought 16 terabyte harddisk. But yeah, absolutely. So once I do the migration, it’s part of the Lean methodology that I applied to my process as well. Along the way, if you don’t need to hold, if it doesn’t add any value, get rid of it. It makes the migration easier, but it also reduces your attack surface. If you don’t have too much clutter and complexity, going back to some of the learnings that I took away from the corporate world. It just makes your life simpler, having less things to manage. Because it’s really fun to buy the new thing, plug it in, and get that 30 seconds of enjoyment. But the risk that you put on, take on for leaving it then and not tidying it up, it just grows over time. And I’ve already found NASes in my circles scanning that have been compromised. And the disappointing ones are finding where people know that they should have updated the password or changed the password and they haven’t. And I’d show them this took 30 seconds. Like…
Henry Suryawirawan: Yeah.
Joseph Yap: You are so close to, if you haven’t been hacked already, you’re so close to being hacked.
Henry Suryawirawan: Yeah.
Joseph Yap: It’s disappointing because when you, like I said, the value that I place on my digital assets is significantly high, so I want to take effort to protect it. But people don’t realize how easy it is for NASes and how attractive it is to be hacked.
Henry Suryawirawan: Yeah. I guess one of the main reasons why people don’t want to change password is like they might forget the password. They don’t know how to create strong password. And that’s why I think using password manager is like, maybe it’s like a must these days. Like if you have password manager, it can help you to kind of like, first, create a strong password. Second is kind of like save it, right? So that you can get access to it from time to time.
Joseph Yap: Absolutely. That’s one of the things I strongly recommend. Install password managers.
[01:10:41] How Is AI Changing the Cyber Attack Landscape?
Henry Suryawirawan: So I wanna touch on a bit about AI, right? So now we know about all these possibilities, the attack vectors, the potentials that you can do, right? Because I think it can be lucrative for someone who start going to the dark side and knowing about potential of this. And now with AI, kind of like, I would say superpower for them to kickstart doing this, I wanna understand the scale. How much has it really been in terms of increasingly hackers learning from AI and using its capability, to actually starting becoming like a, you know hacker?
Joseph Yap: So I don’t think it’s that obvious yet. But from just tools that I build as well, I use AI for coding, for understanding. Like I said, if I’m trying to think like a hacker, if I’m trying to replicate what they’re doing, I’m gonna be trying to use the tool to protect as much as I can for good. But it’s also very easy to go the other way, cause, you know. In a way, as far as AI is concerned, I could just as easily be a hacker, someone trying to break into someone’s network, because I’m asking it questions that a hacker would be asking it, which is you look at the, firstly, what is this? What device is this? Is there known vulnerability that I can use to attack it? And if not, for this type of device, what are the most common ways for, you know, it doesn’t have to be this brand, doesn’t have to be. But if there’s a common component, if there’s a common combination of components. If you think about the range of things you can ask an AI, you can ask it many, many different ways of how to, what’s the best way to attack this device. It’s not clear yet, like I said.
And as I mentioned earlier, Anthropic recently reported that they believe that it’s the resources are being put towards nefarious users for hacking and by creating a hacking, autonomous hacking agent. It’s not even someone querying anymore. It’s someone using AI to work out how to hack everything else, setting up an agent. So it’s a double-edged sword. What I’m trying to do is use the positive side of that sword and the AI to go, how do I help? How do I help rather than hurt? But as far as AI is concerned, it’s the same. It’s the same query, it’s the same skillset, right? You are asking it how to, I’m asking how to, how would someone hack it in order to protect it? They’re asking how would someone hack it? Full stop, right? To be able to get in. But it’s the same. It’s the same skillset.
And I think, weirdly, one of the things that was being reported as well was going back to the residential proxies. Apparently, there are LLMs being who are using the residential proxy to get around scraping rules. So it doesn’t look like they’re the ones scraping. So I don’t know how much of that is, you know, traceable back to the LLM, but it kind of makes sense when you think about it, right? Because they, they’re going, they wanna hide the activity and get as much data as they can, but not showing that it’s them. So they’re going to people’s houses and using the houses.
It’s a bit like Black Mirror, you know, it’s like Black Mirror kind of stuff. It feels very warped to be talking about or thinking that’s what they’re doing. But the reality is if it’s on the network and you can’t tell, they can get away with it. They, it’s hard for them to, I mean, they don’t, as long as they keep quiet about it, you know, you can’t tell it’s them doing it.
So AI is introducing new complexity, new challenges to cybersecurity, but it can also be like, I believe that AI for everything in the sense that, it’s a double edged sword, right? You can use it, you can use it for good, you can use it for harm. So I’m focusing on trying to leverage that for good. But there’s a lot of options for attacking. I mean, some of the recent cases, they’re just teenagers. Teenagers who are bored, they just miss, they’re just being teenagers, but they have access to crazy resources now with AI. Some of the best known ransomware gangs are run by teenagers. It’s, Scattered Spider is one of them. The other one was, yeah, that, like I think I mentioned 17-year-old kid that was arrested in the UK for hacking into a childcare network. They just, yeah, it’s crazy. I mean, if you think about 40 years ago, teenagers wouldn’t even have access to, you know, a fraction of these resources. But now you can ask ChatGPT, you can ask Gemini, you can ask Claude.
Henry Suryawirawan: It’s crazy. And again, I would imagine the lucrativity of this activity, right? Because like increasingly we have digital assets. Increasingly, we are well connected. Increasingly, there are so many devices that potentially kind of like lure you into, hey, please attack me. Please attack me. I think that might be one of the reasons why, you know, a lot of people trying out, right? And if they didn’t get caught.
Joseph Yap: Yeah. I again, I haven’t really met a hacker to ask to, but I’ve heard stories, enough stories, and you’re right. It’s very lucrative. One of the most disturbing ones I heard was, an interview with a ransomware negotiator. This is a corporate one but he was negotiating with a guy who attacked a children’s ICU unit. The guy, the hacker knew what he was doing ‘cause it was a, he was threatening to disconnect the life support for the child and kill the child. And he wanted to do it for money. He just wanted the money. When you think about how much technology now has operational technology, right? So outside of the home environment at the moment, but on the way here, I was just looking at LinkedIn where Singapore is now talking about cybersecurity standards for lifts. Smart lifts.
Henry Suryawirawan: Wow.
Joseph Yap: And it just opened my, it just suddenly blew my mind like, oh my God, I never thought about that. Can you imagine if you are being held hostage in an elevator, in the hospital when you’re trying to get to someone? That’s crazy. So we don’t recognize how many different things are now at risk, let alone in the home environment where, you know, you wanna feel safe in your home, own home. You wanna feel that your things are protected. But like I said, you know, it’s like Invisible Man. It could be someone watching you all the time, 24/7. And they’re not even watching you. They’re hiring an AI agent to watch you until you do something that they’re interested in and then they’ll come and pay attention. It’s not great, but it is the state of the, you know, the maturity of the society at the moment. We are very immature in the sense of cybersecurity, but we are also on the other side of the scale, very, very connected, right? So I feel like that’s an area of vulnerability.
Henry Suryawirawan: Well, again, this conversation itself is really I would say insightful, at least for me, right, to open up my eyes. And I’m sure many people here, if they listen, they understand the level of… how should I say, the level of risk that they’re exposed to. I think, hopefully, you know, they can do something, right?
[01:17:35] How Can Otonata Help Protect My Home Network?
Henry Suryawirawan: So maybe that’s also the time for you to say a little bit of words of Otonata. What can you provide to people if people wanna find how to get help, right? Because I’m sure many people are kinda like clueless, okay, now what? I need to do so many things.
Joseph Yap: Yeah. Yeah, so the web, I’ve got a website, Otonata. O-T-O-N-A-T-A.com. It’s inspired by odonata which is a dragonfly, and you know, it’s a silent bug hunter, which I like the imagery. But basically there’s a service on the, from the website, I call it Hack Check, which is, like I said, you could take a photo of your device. And it might not all necessarily recognize what the device is ‘cause there’s millions of them. But it gives you a chance to put in the brand and the model number. And what we’ll do is we’ll scan the database and give you a very quick response. So that’s kind of the, the one of the easiest things you can do in terms of understanding, or at least even if you’re mildly curious about your device and whether or not there’s a known vulnerability, try it out. ‘Cause it’s pretty easy, it’s free. But if you are more serious about wanting to, I guess get your risk profile clearer and understand what your actual risk is, we have a service that will send a device to your house. You just plug it in and we’ll do a full scan for you.
There’s a much more premium version, which is someone, I will go to your house and plug it in for you and tell you how to protect your house and actually help you configure your house to manage your risk. And I think that’s one of the key things I took away from a corporate environment, which is it’s all about balancing the risk but we forget that the same principles apply everywhere even at home. So it’s a conversation about finding what you have at risk and then taking the right efforts to protect it. ‘Cause in some cases, some of the stuff is not worth protecting. If it’s a D-Link router and you have a NAS that you really want to protect and secure, if it’s all outdated D-Link router, just get rid of it. Like it’s not, it’s not worth taking extra steps to protect against that, if the solution is just to entirely replace it.
What I find is that there’s no one size fits all formula, which is why the service has different scales. It can be as simple as telling you this is at risk, to telling you, giving you better visibility of your network to actually helping you change and take all the steps that you need to protect yourself. Because no one network is the same. I’ve never seen a house that has exactly the same configuration as another one that I’ve seen before.
Henry Suryawirawan: Yeah.
Joseph Yap: Yeah, so the website gives you that, one, that simple hack check, but also more about the service and what you can do. Typically, a scan takes about two, three days, because it tries to look for all the devices and network. And then it tries to, like I said, knock on every door, check every window to see whether something can be broken into. But the mitigation might take a bit longer depending on what the issue actually is. It might mean having to redesign your network. ‘Cause it’s, like I said, in some cases I’ve seen over 50 devices on the network. I’ve got more than 50 devices on my network. And my network is segmented to manage my risk profile.
So it’s not always gonna be the exact same solution for everybody. It’s gonna be what do you, how do you wanna live your life with your devices, right? How do you wanna be comfortable with what you use? And this is the solution that would give you the best protection while still keeping it convenient. Because you don’t wanna, like I said, you don’t wanna go crazy having three locks on your front door, two locks on your window. Every time you wanna open a window you gotta do magic tricks, you know, to do that, right? It’s finding the right balance of risk.
So yeah, that’s what Otonata does. It gives you very tailored advice around what are you trying to achieve with what you have, so that you don’t have to worry about it. Like going back to what I said at the start. Having a lot of small decisions to make can be very fatiguing. Unfortunately, when we accumulate devices, we sign ourselves up to the obligation of looking after all these things. But we don’t do any of that. ‘Cause it’s boring. It’s so tedious. So I’ve taken my operational background expertise, applied a more scalable process to managing it for you.
The last part of the service is actually offline monitoring. So the starting point of the Otonata service is do an inventory of what you have, do a vulnerability scan of all the ways someone could attack you. Mitigate what your profile should look like based on what risk you want. But after that, we’ve exited your premises, but I know exactly all the devices that you have. And what we can do is, as new information comes about from a vulnerability point of view, we can go, hey, you’ve got this device. Last week, it was established that this is how you would hack into it. We can tell you. So it’s almost like I don’t actually have to be at your house anymore, but I know all the stuff you have and I can, I’m proactively looking out for all your things.
In supermarkets, there’s recalls where if you bought a dodgy food item, right? They go, oh, you gotta bring this one back. It’s not safe for you to eat, et cetera, et cetera. No one pays attention to recalls for your devices, unfortunately. Firstly, no one even has recalls for devices ‘cause they want to keep it quiet. They don’t want you to think about the brand being affected. But we’ll do that for you. ‘Cause it’s, I’ve got the processes automated, it’s scalable. I have hundreds and thousands of devices. I can check them on a daily basis. It’s not something that I would expect anyone to be, oh, today I gotta check everything on my list, right? So that’s why I’ve automated and taken away the fatigue of having those micro decisions.
So it’s really that step process: having your inventory list built, doing a vulnerability scan, mitigating the risks and then doing offline monitoring. And for me, like I said, that gives you enough protection to be more resistant. It’s not gonna be, I can’t guarantee that you won’t get hacked. But I can tell you that compared to 99.9% of the population, you are in a much better spot already just by doing these things.
[01:23:39] What Are Real-World Examples of Home Network Compromises?
Henry Suryawirawan: Right, right. Wow. So very comprehensive. I’m sure if people would want to protect themselves better, they can check out your website, right? And maybe engage you. Is there any kind of like, I dunno, like good stories? Good, you know, like service that you did for us just to learn, be curious, like what kind of service that you have saved, for example, in terms of, you know, big profiles or maybe those kind of stuff, if you can share?
Joseph Yap: At the moment, so because of my target audience, it’s more discreet. That’s part of what I, what I bring to the table as well. I have worked with people who were embarrassed to have had vulnerabilities that were fairly basic. IT leaders who had “adminadmin”, thought leaders. Like I said, ASX 20 CEOs that have had devices that have been ransom hacked that they didn’t know about. I wouldn’t share any direct stories. I think what for me, it’s more the amount of creative situations that have been, I guess publicly disclosed in, even in the last three years. One, I was just talking to someone about today was politicians being caught in compromising positions through cameras. IP cameras. So it’s a bit scandalous, right? When you think about the, you know, people in high positions and being caught, found dirty. But if you zoom out a bit further and you go, how did someone get access to that material in the first place? And does it mean that everyone has access to everything? It’s quite concerning. So it’s a bit juicy. Yeah, it’s a bit, it’s a good source of gossip. But it risks missing the point of how vulnerable we are as a society.
Henry Suryawirawan: Wow.
Joseph Yap: Right. So like I said when you hear the more serious cases around critical operational technology being compromised, it’s very raw. Like, you know, people’s actual lives are being affected. But at the same time, you gotta zoom out and go how do we stop this from happening to, you know, people we care about? It is a bit distant when you see someone else, being attacked and affected. But when it actually hits you, it’s a, you know, it’s, yeah, it’s very concerning. So, yeah, sorry, I don’t have a juicy story to share.
Henry Suryawirawan: It’s okay. I think that’s quite revealing enough for us to understand the kind of impact that, you know, we might get affected, I guess one day, right? When this becomes like a more riskier attack vectors. Possibilities are more endless, right? So I think thanks for sharing that.
Joseph Yap: I was gonna say, I think with the automation and if you project a bit further to what the trends are with the Tesla robots, with the humanized robots, with self-driving cars, I think once there’s a much bigger overlap between physical, the physical world and the digital world. And you can extend it to Neuralink like how people’s brains are gonna be connected and wired up. That’s why I’m trying to get the message out now earlier, because by the time we get there, it’s not just gonna be your digital assets that are at risk, it’s gonna be your physical wellbeing. I mean, they’ve already shown cars to be hacked while being driven.
Henry Suryawirawan: Wow.
Joseph Yap: Right. So you extend that further. If you are not taking steps now to protect some of the basic hygiene, when you get to a point of having a humanoid robot helper in your kitchen or your self-driving car is driving you to work, you’re gonna set yourself up for a world of pain because some of these basics haven’t been embedded into your normal. You can’t expect them to be covering every possible threat, right? So that’s why I think we are not there yet, but given the trends of how things are converging with networked physical devices, it’s gonna get scary. So, you know, as much as possible start learning the basics to prepare yourself for when, yeah, you’ve got a robot driving a car and your child to, I don’t know, whatever activity they’ve got, right? All of that is kind of susceptible.
Henry Suryawirawan: Yeah. So yeah, probably now it’s not enough to just understand physical safety anymore. Digital safety, definitely very important. And we should not just focus a lot on, you know, identifying scams, you know, these deep fakes, which is kind of like now the trends, right? But obviously these kind of attacks is also one thing that throughout this conversation I learn a lot. And hopefully people start having that awareness. You know, try to do something. Or even understand why all these becomes risky over the time as well. So I think thanks for sharing that.
[01:28:20] 3 Tech Lead Wisdom
Henry Suryawirawan: I know we’ve talked a lot. We’ve got only one question that I would like to ask you to wrap up our conversation. I call this the three technical leadership wisdom. So just think of it like advice that you wanna give, maybe, you know, pieces of wisdom that you wanna share to the listeners here today. Yeah, what would that be?
Joseph Yap: So sourcing from Lean. Like I said, first one, I would reiterate is “can doesn’t mean should”. Like a lot of times we’re not deliberate enough or we get caught up with a shiny new thing that we don’t really think about the value that it adds. Go back to Lean principles, 5S. Clear out the things that you actually don’t need to reduce your footprint. Reducing your footprint also means reducing your attack surface. A lot of times I, quite frankly, I’ve still got devices that I know I need to clean up. I just haven’t got around to doing it. But if you’re not even thinking about it, then you are constantly gonna be leaving yourself open for no benefit, right? So can doesn’t mean should. Like I almost, if that’s the one thing like for people to take away from.
But if you can also be more aware of your digital hygiene. So things that we access, things that we put up on the cloud, they’re all our digital assets, our footprints. It’s almost like having, you know, basic dental checkups. There are things that we take for granted as minimum standards of hygiene for ourselves, for our self-care. Think about that being applied to your digital life, right? So in terms of your data, in terms of your passwords, your admin, your router firmware. There should be a list of things that you need to be doing on a yearly basis. Like you go to a dentist once or twice a year. There needs to be that level of self-care for your digital footprint, right? There has to be a level of digital hygiene. If you don’t do, if you’re not even thinking about it at all, you won’t do any of it. Just put some thought and time into what should you do and then create a process that gives you a reminder once a year, something. In Australia, they remind you to change your smoke alarm batteries when there’s daylight savings. So there’s a kind of a mnemonic around the relationship between time and having to do something, right? Create something like that for your own digital hygiene. Whether it’s deleting your photos that you… screenshots for example of information. Like stuff like that where you actually consciously go through cleaning up house every now and then.
And like I said, thinking in mind around your cybersecurity posture is be the path of greater resistance. Even if you’re not doing everything I talked about, even if you’re not taking crazy steps to protect your house and your assets, do something that makes it, that pushes you along in the distribution curve, right? Makes it a little bit harder than the next guy, because 700,000 devices right now on the botnet. Those are already at the, this is, that’s the easy stuff, right? There were people not doing anything about it and going, you know what? Hack me, I don’t care. Those are the people, you don’t wanna be in that group. You wanna be in the ones that have a stronger password. You wanna be in the ones that have paid attention to the firmware and made it a little bit harder because then at least you’re not as exposed. Especially if you’re high, if you’ve got stuff to lose, if you are a higher net worth individual. Like I said, you don’t want to lose your digital assets, your bank accounts, your financial. You don’t have financial losses, you don’t have emotional turmoil and losses because someone’s compromised you. So path of greater resistance, whatever steps you can take towards being that. By all means, take a first step and see how far you can go. If you need help, give me a call.
Henry Suryawirawan: I really love that. Very, how should I say, fit into the theme as well, what we discussed, right? So, again, thank you so much, Joseph, for sharing all this. I think again this is a very good awareness session for all of us. If people love this conversation, they would like to connect with you, ask you more questions, is there a place to reach out?
Joseph Yap: Yeah, my website. So Otonata. O-T-O-N-A-T-A.com.
Henry Suryawirawan: Alright. Alright, so that’s a wrap. So again, thank you so much for coming here.
Joseph Yap: Thank you. Thanks for having me. That was fun.
– End –
