
Module 3


Cybersecurity Bootcamp | Module 3

Online Security
Class Pointers

● Please switch on your webcams! Communication is 70% body language.
● This is not a webinar. This is an interactive, hands-on training workshop, where everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter your starting level.

© 2022 Vertical Institute


Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!



Agenda

Tutorial
• Password security
• Brute-force attacks
• Commonly used passwords
• Previously exposed passwords
• Password strength
• Account security
• Email accounts
• Social media accounts
• Bank accounts
• Open-Source Intelligence (OSINT)

Activity
• Password strength checker
• Enable multi-factor authentication in accounts
• Adjust privacy settings for social media accounts
• Check for activities online of accounts
• Search for information of a company using Open-Source Intelligence


How long does it take to crack the password “abcdefgh”?

A. Seconds
B. Minutes
C. Hours
D. Days
E. Weeks



How long does it take to crack the password “abcdefgh”?

A. Milliseconds
B. Seconds
C. Minutes
D. Hours
E. Days
F. Weeks



Password Security
How fast do hackers crack your password?



Topmost common passwords



How do hackers break passwords?

● Brute-force attack
● Exposed passwords
● Try commonly used passwords


Brute-force attack: lock combination


How do hackers break passwords?



How do hackers break passwords?
Commonly used passwords

#: Password
1 password
2 123456
3 12345678
4 1234
5 qwerty
6 12345
7 dragon
8 baseball
9 football
10 letmein
11 monkey
12 696969


Remember Kali Linux?

● /usr/share/nmap/nselib/data/passwords.lst
● Commonly used password list


How do hackers break passwords?

 #  Password  MD5                               Length  L  U  N
 1  password  5f4dcc3b5aa765d61d8327deb882cf99  8       8  0  0
 2  123456    e10adc3949ba59abbe56e057f20f883e  6       0  0  6
 3  12345678  25d55ad283aa400af464c76d713c07ad  8       0  0  8
 4  1234      81dc9bdb52d04dc20036dbd8313ed055  4       0  0  4
 5  qwerty    d8578edf8458ce06fbc5bb76a58c5ca4  6       6  0  0
 6  12345     827ccb0eea8a706c4c34a16891f84e7b  5       0  0  5
 7  dragon    8621ffdbc5698829397d97767ac13db3  6       6  0  0
 8  baseball  276f8db0b86edaa7fc805516c852c889  8       8  0  0
 9  football  37b4e2d82900d5e94b8da524fbeb33c0  8       8  0  0
10  letmein   0d107d09f5bbe40cade3de5c71e9e9b7  7       7  0  0
11  monkey    d0763edaa9d9bd2a9516280e9044d885  6       6  0  0
12  696969    7d0710824ff191f6a0086a7e3891641e  6       0  0  6

L = lower-case letters, U = upper-case letters, N = numeric digits. (The slide’s “Meter” column linked each entry to a strength checker.)


Database attack

UserId  Username  Email               Password
1       Alice     alice@gmail.com     5f4dcc3b5aa765d61d8327deb882cf99
2       Bob       bob@gmail.com       e10adc3949ba59abbe56e057f20f883e
3       Michael   michael@gmail.com   25d55ad283aa400af464c76d713c07ad
4       Joe       joe@gmail.com       81dc9bdb52d04dc20036dbd8313ed055
5       Tracy     tracy@gmail.com     d8578edf8458ce06fbc5bb76a58c5ca4
6       Stephen   stephen@gmail.com   827ccb0eea8a706c4c34a16891f84e7b
7       Mike      mike@gmail.com      5f4dcc3b5aa765d61d8327deb882cf99




What is password hashing?

Hashing turns your password (or any other piece of data) into a short string of letters
and/or numbers using a hashing algorithm. If a website is hacked, cyber criminals don't
get access to your password. Instead, they just get access to the “hash” created by your
password.



What is password hashing?

Figure: Password → Hash → Hashed value


Password hashing exercise

https://www.md5hashgenerator.com/
What is a salt for a password?

Adding random data to the input of a hash function to guarantee a unique output, the hash, even when the inputs are the same.


What is a salt for a password?

https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
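Added example (not from the slides) tying together the “Database attack”, “What is password hashing?” and salt slides in Python. The leaked user table is a constructed copy of the slide’s table; its unsalted MD5 values are looked up in a table built once from the slide’s common-password list (note Alice and Mike share a digest because they chose the same password), and the salted PBKDF2 part shows why a per-user salt stops that reuse. The PBKDF2 iteration count follows OWASP guidance and is an assumption, not something the slides state.

```python
import hashlib
import hmac
import os

# The "commonly used passwords" list from the slides.
COMMON_PASSWORDS = [
    "password", "123456", "12345678", "1234", "qwerty", "12345",
    "dragon", "baseball", "football", "letmein", "monkey", "696969",
]

# Constructed copy of the leaked user table on the "Database attack" slide:
# unsalted MD5 hex digests. Alice and Mike share a digest because they
# chose the same password.
LEAKED_USERS = {
    "Alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "Bob": "e10adc3949ba59abbe56e057f20f883e",
    "Michael": "25d55ad283aa400af464c76d713c07ad",
    "Mike": "5f4dcc3b5aa765d61d8327deb882cf99",
}

PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's figure for PBKDF2-HMAC-SHA256


def md5_hex(password: str) -> str:
    """Unsalted MD5, as the slide's table uses it (kept here for the audit only)."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """digest -> plaintext for every word in a list. With no salt, this table is
    computed once and matches against every leaked database that used MD5."""
    return {md5_hex(w): w for w in words}


def audit_unsalted(users: dict, table: dict) -> dict:
    """Defender's audit: which accounts hold a password from the common list,
    found by a plain dictionary lookup of the stored digest (no guessing loop)."""
    return {user: table[d] for user, d in users.items() if d in table}


def hash_salted(password: str, salt=None) -> str:
    """Store 'saltHex$digestHex'. A fresh random salt per user means equal
    passwords no longer map to equal records, so one table cannot be reused."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_records_collide(password: str) -> bool:
    """Two users picking the same password: are their stored records identical?"""
    return hash_salted(password) == hash_salted(password)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    print("Accounts recovered from the common-password table:",
          audit_unsalted(LEAKED_USERS, table))
    print("Same password, same salted record?", salted_records_collide("password"))
```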
Create Secure Passwords

Follow these guidelines for secure passwords:

● Have at least 8-16 characters
● Be a mix of numbers, symbols, capital and lower-case letters
● Not a dictionary word
● Do not reuse passwords
● Change passwords regularly
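As an added example (not from the slides), a small Python checker that applies the guidelines above, reports the L / U / N character-class counts used in the common-password table earlier, and sizes the brute-force search space the quiz about “abcdefgh” asks about. The guessing rate is a constructed figure, and the dictionary check uses only the slide’s 12-entry list plus an all-letters heuristic; both are assumptions.

```python
import string

# The 12 "commonly used passwords" from the slides; a real checker would use
# a much larger breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "1234", "qwerty", "12345",
    "dragon", "baseball", "football", "letmein", "monkey", "696969",
}

# Assumed offline guessing rate (guesses per second) for the time estimate.
# Constructed figure: real rates depend on the hash function and hardware.
GUESSES_PER_SECOND = 10_000_000_000

SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def char_classes(pw: str) -> dict:
    """Per-class counts, like the L / U / N columns on the slide, plus S for symbols."""
    return {
        "L": sum(c in string.ascii_lowercase for c in pw),
        "U": sum(c in string.ascii_uppercase for c in pw),
        "N": sum(c in string.digits for c in pw),
        "S": sum(c in SYMBOLS for c in pw),
    }


def keyspace(pw: str) -> int:
    """Alphabet size an exhaustive search must cover, given only the character
    classes the password actually uses."""
    cls = char_classes(pw)
    return (26 * bool(cls["L"]) + 26 * bool(cls["U"])
            + 10 * bool(cls["N"]) + len(SYMBOLS) * bool(cls["S"]))


def brute_force_guesses(pw: str) -> int:
    """Worst-case guesses to exhaust every string of this length over the keyspace.
    A password on the common list costs at most one pass over that list."""
    if pw.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    return keyspace(pw) ** len(pw)


def brute_force_seconds(pw: str) -> float:
    """Worst-case time at the assumed guessing rate."""
    return brute_force_guesses(pw) / GUESSES_PER_SECOND


def guideline_violations(pw: str) -> list:
    """Which 'Create Secure Passwords' guidelines the password breaks. Reuse and
    rotation cannot be judged from the password alone, so they are not checked."""
    cls = char_classes(pw)
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if sum(1 for n in cls.values() if n) < 3:
        problems.append("not a mix of numbers, symbols, capital and lower-case letters")
    # Heuristic: on the slide's list, or a single run of letters (likely a dictionary word).
    if pw.lower() in COMMON_PASSWORDS or pw.isalpha():
        problems.append("dictionary word or commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["abcdefgh", "password", "Tr0ub4dor&3"]:
        print(candidate, char_classes(candidate), guideline_violations(candidate),
              f"~{brute_force_seconds(candidate):.1f}s worst case")
```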


Exercise. Check password strength

https://www.security.org/how-secure-is-my-password/



Password Checker from the Cyber Security Agency of Singapore (CSA)

https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker


How to remember all these passwords?



Mobile Device Password Manager: iCloud Keychain (iPhone)


iPhone

Turn on iCloud Keychain on your iPhone, iPad, or iPod touch

https://support.apple.com/en-us/HT204085



Samsung

Samsung Pass is a secure and easy way to use your biometrics to sign in to websites and apps on your phone.

Once you scan your fingerprints, you can sign in without typing in your ID and password. With Samsung Pass, there's no need to memorise all those IDs and passwords for all your accounts.

https://www.samsung.com/sg/support/mobile-devices/what-is-samsung-pass-and-how-to-register-it/
Password Managers: Roboform, Bitwarden

A password manager is essentially an encrypted digital vault that stores the login information you use to access apps on mobile devices, websites and other services.


Password Manager: Roboform



Password Manager: BitWarden



Change your exposed passwords now!

“The US is worried that hackers are stealing data today so quantum computers can crack it in a decade”

https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/


Why do we need Multi-Factor Authentication?

● Usernames and passwords are regularly exposed
● An additional factor to authenticate is necessary to prove the user is who they claim to be
● Stops a hacker from gaining further access to the account without step-up authentication


Exercise: Enable multi-factor authentication

https://myaccount.google.com/security?pli=1



Exercise: Enable multi-factor authentication

https://account.microsoft.com/security/



Account security
Account Recovery

Forgot your password
1. Follow the steps to recover your Google Account or Gmail.
   • You'll be asked some questions to confirm it's your account. Answer the questions as best as you can.
   • If you have trouble, try the tips to complete account recovery steps.
2. Reset your password when prompted. Choose a strong password that you haven't already used with this account. Learn how to create a strong password.

Forgot the email address you use to sign in
1. Follow the steps to find your username. You’ll need to know:
   • A phone number or the recovery email address for the account
   • The full name on your account
2. Follow the instructions to confirm it’s your account.
3. You’ll see a list of usernames that match your account.


Exercise: Publicly Available Information
- Facebook https://www.facebook.com/settings?tab=privacy


Exercise: Publicly Available Information
- YouTube https://www.youtube.com/account_privacy


Identity Theft



Prevent Identity Theft

01 Check credit card report regularly
02 Monitor account statements
03 Keep financial information safely
04 Keep personal data private


Check credit card report and monitor account statements


Keep financial information safely


Signs your bank account or credit card may be compromised

One woman had the shock of her life when she noticed that nearly $300 had been deducted from her bank account.

And to add salt to injury, this entire fiasco started off with her doing what most of us would have done — ignoring a one-time password (OTP) message.

https://www.asiaone.com/singapore/woman-ignores-otp-message-and-loses-almost-300-online-fraudsters
3-D Secure

● Is an OTP required for all online purchases?
● No. OTP for online payment is required only at merchant websites that support the 3-D Secure (3DS) authentication protocols, which provide extra security for online transactions.


3-D Secure



What to do?

● Quickly call up the bank to disable the card and to report the fraudulent charges


Card fraud alert

● Credit cards and PINs copied during use of the credit card
● Refrain from using cards with magnetic stripe authentication


Local and overseas fund transfers / Bill payments

● Set proper authorization limit
● Disable use of overseas transaction


Keep personal data private


Signs your online account has been compromised

● Strange email outbox
● Friends complaining you are sending strange messages
● Getting unknown emails


Signs your online account has been compromised

Receiving SMS of unauthorised login



Signs your online account has been compromised

Unknown outbox or sent emails



Signs your online account has been compromised

Strange activities on your social media accounts





Exercise: Check your online activity
https://myactivity.google.com/myactivity



Exercise: Check your online activity
https://account.live.com/Activity



Exercise. Check your Facebook activity

• Tap on your profile picture in the top left of Facebook to go to your profile.
• Tap below your profile picture, then tap Activity Log.
• Tap Category at the top of your activity log to review activities like:
  • Things you've posted.
  • Posts you've hidden from your timeline.
  • Photos and videos you've posted or that you've been tagged in.
  • Friends you've added or removed.


Open-Source Intelligence (OSINT)


Domain name of a company

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable-from-third-party-breaches-0184453/


Find hacked employees

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable-from-third-party-breaches-0184453/


Email discovery of a company

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable-from-third-party-breaches-0184453/


Exposed passwords

https://null-byte.wonderhowto.com/how-to/use-maltego-target-company-email-addresses-may-be-vulnerable-from-third-party-breaches-0184453/


Completion of an open-source investigation



Open-Source Intelligence Phases

1. Source identification
2. Data harvesting
3. Data processing and integration
4. Data analysis
5. Results delivery


Exercise. Search Yourself

1. Enter your name in Google search
2. Enter your email in Google search
3. Enter your phone number in Google search


Phishing in financial services
Scam types related to financial services


Phishing attacks in financial services

Baiting users to click on a link

Stealing user data by pretending to be from a bank

Tricking users into installing fake bank apps



Phishing email masquerading as a financial services company


Phishing scams in Singapore affecting financial services customers

● At least 28 victims have lost about S$114,000 since May this year after
giving their personal details and one-time passwords (OTPs) to
scammers, SPF said in a news release.
● Victims of the latest spate of phishing scams fell prey to scammers after
receiving phone calls or SMSes from people posing as bank employees.
● Those who received phone calls were asked for their personal details, such
as their Internet banking username and password.
● The police said this was done "under the pretext that the bank required their
personal information to verify transactions performed ... or that the victim
was under investigation for transferring large sums of money to another
bank".
https://www.channelnewsasia.com/singapore/spf-warning-bank-employee-impersonation-scams-2728071

Phishing scams masquerading as a financial services company

https://www.channelnewsasia.com/singapore/spf-warning-bank-employee-impersonation-scams-2728071


Verify identity of caller

1. Ask for their name and email address
2. Drop the call
3. Call the official hotline presented on the bank’s website
4. Request to be routed to the caller if the caller exists in the bank


Scam types related to financial services
Fake SMS masquerading as a financial services organization


Fake SMS masquerading as a financial services organization



Fake SMS masquerading as a financial services company



Fake website cloned from a financial services company’s login page



Job scams

● Asking you to make payment first to secure the job
● Asking you to download an app from a 3rd party site
● Giving you quick cash gain and requesting you to deposit more later on


Job scam

I was approached by a lady named Wendy Eng on Telegram. She texted me several times asking if I'm interested to know about a job with a daily commission of $10-$200. I didn't reply but she was persistent, so I gave her a chance to share. Subsequently, she referred me to her agent, Jacelyn. She added me into a Telegram group chat of 12 people and shared that I have to register a login via the website, and the step-by-step guide to do the hotel rating and withdrawal of commission. The first set was free of charge as the company had topped up $105 for new users to trial and complete a set of 35 hotel ratings. I received my commission of $11 and was told to withdraw via PayNow.

Group members started messaging me to tell me how long they have been into this and how it has helped them build some passive income. I was skeptical but they assured me it's legit and encouraged me to renew in order to complete another set of 35 hotel ratings. After much thought I renewed. The admin mentioned I need to deposit $105 so that I could start (reason: it is the same as booking a hotel and completing the rating), and I could withdraw the $105 plus commission after I complete 35 ratings. Payment mode via PayNow.

So I embarked on my second set of ratings. At the 17th rating, I was given a deluxe package which is 5x the commission; I thought I was lucky. However, the system did not allow me to continue and my deposit became negative. I asked the admin and was told that it is a system-assigned bonus; in order to continue I need to deposit more money into the frozen account, and I deposited $400 to continue. At the 25th rating I had another deluxe package and my deposit became negative; the admin again explained I need to deposit $600 to continue, and I did. Again at the 32nd rating I was given another deluxe package; same thing, my deposit became negative and I was told to deposit another 2.5k. I came to realise that something is not right and threatened to report to the police. They said I can go ahead as they have a lawyer to support the case, and I was advised to deposit so that I can finish my set of 35 ratings to withdraw all my deposits and commission.

I didn't continue anymore and ignored all the chats and Telegram.

https://www.scamalert.sg/stories-details/Story-06Jul2022224556PM


Loan scam

Licensed moneylenders cannot advertise their services online, including social media, via messaging apps, SMSes or cold calls. Some of these scammers will misuse legitimate companies' details such as name, licence numbers, or even create fake websites in their name to fool users. In order to ensure that you do not get scammed, only contact licensed moneylenders through the details shown on this website: https://rom.mlaw.gov.sg/information-for-borrowers/list-of-licensed-moneylenders-in-singapore/.

Licensed moneylenders are NOT allowed to disburse loans remotely but only at the registered office location.


Common types of online scams
• Car Rental Scam
• Cold Call Supplier Scam
• Cyber Extortion Scam
• Home/Room Rental Scam
• Impersonation Scam
• Inheritance Scam
• Internet Love Scam
• Investment Scam
• Job Scam
• Loan Scam
• Online Travel Vacation Scam
• Software Update Scam
• Spoofed/Hacked Email Scam
• Social Media Impersonation / Whatsapp Takeover Scam



That’s a lot of scams!



Always verify before you do anything

● Verify the identity of the caller
● Verify the identity of the website
● Verify the email
● Verify before you do anything


One-Time Password (OTP)

● Used as part of Multi-Factor Authentication (MFA)
● Do not share your OTP with anyone
  ○ A fake caller posing as the bank could ask for your OTP “to verify your identity”

https://www.scamalert.sg/scam-signs-otp-requests


Bring Your Own Device (BYOD)

● Users can use their personal devices to access the corporate network and data like email, shared folders and websites
● Risks at the user’s device
  ○ Ensure that the device is not rooted
  ○ Device supports a work profile
  ○ Device is able to isolate work and personal data
  ○ Security mechanisms to be configured on the user’s mobile device


How long does it take to crack the password “abcdefgh”?

A. Milliseconds
B. Seconds
C. Minutes
D. Hours
E. Days
F. Weeks





Why should we use passwords longer than 8 characters with upper, lower cases and symbols?

A. So that it takes a longer time for the hackers to crack
B. Beautify the passwords
C. Test our memory




Why should I privatise my personal information?

A. Protect against hackers stealing my data and building a blueprint of my identity
B. Prevent disclosure of personal information
C. Prevent identity theft
D. All of the above




Checking my account activity regularly helps flag out suspicious activities

A. True
B. False





How to prevent identity theft?

A. Check credit card report regularly
B. Monitor account statements
C. Keep financial information safely
D. Keep personal data private
E. All of the above




You see an advertisement on Facebook for a loan with low interest

A. Register interest for the loan if you are in need of money
B. Report the link, as licensed moneylenders are not allowed to advertise online




You clicked on a link from your bank; the URL looks different but the login page looks exactly the same. What do you do?

A. Enter your username and password to log in
B. Close the browser’s tab and go to the official banking app or website to log in and check on the transaction




You are in contact with a job recruiter who asked you to receive money from a bank and transfer the amount to another bank account. You will receive 5% commission for helping do the transfer. What do you do?

A. Do not run the transaction as it may be part of money laundering
B. Run the transaction through as this is an easy money job




What have we learned today?

Tutorial
• Password security
• Brute-force attacks
• Commonly used passwords
• Previously exposed passwords
• Password strength
• Account security
• Email accounts
• Social media accounts
• Bank accounts
• Open-Source Intelligence (OSINT)

Activity
• Password strength checker
• Enable multi-factor authentication in accounts
• Adjust privacy settings for social media accounts
• Check for activities online of accounts
• Search for information of a company using Open-Source Intelligence


Thank You!
