SingHealth has been hacked and its data breached. So, what does it mean for other, smaller companies and SMEs?
I’m a web developer and programmer and I deal with many local (Singapore) companies. Since my post some days ago about the SingHealth hack, I have had some queries. This article is me trying again to explain things, in even more layman’s terms than usual. It’s quite shocking to note this: many companies, small, medium and even big, are seriously lacking in security. I don’t completely blame them. IT security is something whose goalposts are forever moving. Many people still have the impression that IT security is just a matter of getting good antivirus software! That’s what I gathered after talking with a manager of a small hotel.
Yes, companies are busy with their long lists of to-dos and action tasks to improve their profits, working out how best to make money and then to … err, make even more money. There is basically no time for “frivolous” matters like IT security or anything like that. “Look, we’ve been running fine for years. Nothing has happened so far. So, we’re good.” Yes, I’ve heard this line too. I wish I could just accept this wishful thinking too. But reality is not like that, and increasingly less so.
Do you know that, for some websites, an unethical hacker can just use a form on your website (for example the Contact Us form), type a command into one of the fields and wipe out an entire table of the database? For example, the entire table containing details of your signed-up members. Yes, it’s possible. And another thing to take note of: the reason most hackers don’t hack into many websites, and the reason why many websites are not hacked, is not that it’s technically impossible. It’s just not worth it, or there are no worthwhile rewards for it. Or the real-world laws deter the hackers. That’s all. Technically, most IT systems are fair game to hackers. And when I say “hackers”, I do not mean some special group of elite people. Many “normal” people now know some form of hacking one way or another. I’m not a hacker, I’m a web developer and programmer. I know some “hackings” of my own too.
So, what can you, a website owner or a systems owner, do?
You don’t have to think big. Just take small baby steps, but do take the steps, that’s all. Start small. Is your website still running on http? If you don’t know what that means, type your URL into the browser and look at the complete URL that it displays. Does it look like this?
And when you click the green lock, does it open to be something like this?
Then, it’s okay.
Or is your website looking like this?
OMG, BBC, is that really you?
If the latter, then that’s one baby step you have to take. A few years ago, having your site on https was a luxury, a nice-to-have feature. It is no longer so. It is a must now. (What does https mean?) Let me tell you in layman’s terms what that means. Let’s say you have a Contact Us form on your website, http://www.mywebsite.com, and someone types in their Name, Address, Email, etc. and clicks Submit. What happens?
The whole set of typed data takes a journey, exactly as it was typed, from the user’s device, via their Wi-Fi/3G network, to your website server. I have left out some other points along this journey, but that’s the summary. That means anybody standing in the way of this wireless journey and snooping can easily see all this data, exactly as it was typed, using any of the many tools that are already widely available.
In a real-world analogy, when you key in your PIN at the ATM, you cover the keypad or make sure no one else sees what you type. Just imagine holding up the keypad and letting the snooping people around you see the PIN you type in. You wouldn’t do that, but that’s exactly what you are making your website customers do when your website is still running on http.
A Contact Form is actually a mild example. Can you imagine your signed-up members typing their username and password into your website to log in, and those details travelling naked down the internet route, where anyone can see them as they are? That’s how open it will be!
Some might think I’m making a joke or exaggerating above. Did you know that the SingHealth data breach was done, not by some internal staff, not by accessing some internal system, but by some hacker who just used one of those customer-facing systems to do what he did? So, I’m not cracking a joke here.
Now, what happens if your website is https://www.mywebsite.com instead? The data takes the same journey. But when your website customer clicks the Submit button, the full set of data is encrypted BEFORE it takes that journey. It remains encrypted until it reaches the safe domain of the destination server, where it’s decrypted and handled as it should be.
It’s just a simple concept; it’s just not as widespread as it should be.
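An added example, not part of the original article: a small Python check that reads a page's HTML and reports every form whose submitted data would travel unencrypted. The function names and the sample markup are constructed for illustration, using the article's mywebsite.com address.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": [], "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(a.get("name") or "")
            self._open["password"] |= (a.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def find_insecure_forms(page_url, html):
    """Return one finding per form whose data would be sent without https."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty or relative action submits to the page's own scheme and host.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append({"target": target, **form})
    return findings


# Constructed sample page: a contact form and a login form (hypothetical markup).
SAMPLE_HTML = """
<form action="/contact" method="post">
  <input name="name"><input name="email"><textarea name="message"></textarea>
</form>
<form action="https://www.mywebsite.com/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
"""

if __name__ == "__main__":
    print(find_insecure_forms("http://www.mywebsite.com/", SAMPLE_HTML))
```

A form on an http page is reported only when its target is not https, but the page itself can still be altered in transit, which is why the whole site should be served over https.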
So, first things first. If you are worried about IT and website security and you don’t know what to do, take THIS baby step first. Make the shift from http to https if you have not done so already. There are some who know how to do this themselves. And there are others who don’t. If you’re the latter and you need help, either for this security step or for other security concerns, you can contact me using these details (Name: Anees Khan, Email: email@example.com, Whatsapp/Phone: 6591097721, Singapore. Website: https://www.getcha.com). I’ve been in this line for 23 years and I’ve seen my fair share of IT nonsense from hacking attempts, and over time, I have devised my own ways of handling all this nonsense. I even have ways to reinstate things almost immediately should a hacker win this time round and bring down the whole system.
Don’t be worried sick, don’t panic, just take small baby steps and soon you’ll be in a better position. Baby steps are better than no steps at all. That’s how all positive things get done, right?
I foresee that many other SG companies will be affected soon. Get ready for doomsday.