WebSafe Services Samoa: Thinking Like Hackers For Your Safety
The key to keeping the digital things you care about most safe is to think like a hacker.
If the task seems daunting, fear not, help is much closer than you think.
With your safety in mind, two Information Technology (I.T.) experts have built a new business that offers the knowledge and technical skills you need to keep your systems and loved ones safe in cyberspace.
Cyber Security Specialist Malaeulu Jobenz Manoa, whose age we will not share due to the security risk it poses online (per his advice), is one of the two men who have put their I.T. skills together to launch WebSafe Services Samoa.
Located in Vaoala, it is the only local I.T. firm that specialises in cyber security.
What is cyber security? EyeSpy News asked Malaeulu to break it down for Samoa.
“What is cyber security? The range is just drop dead. The idea of trying to make it simple for people to understand, I think that was the main thing for us… we get a lot of questions when we say we are in cyber security. Our main goal is trying to simplify cyber security,” he said.
“Cyber security is mainly a digital component that you care about and you want to protect. It can be for an individual like yourself. You have your devices and you have your kids who you worry about online so that digital component is something you care about and you want to protect it.”
Malaeulu worked for almost 10 years in I.T. for the Government of Samoa before he decided to establish WebSafe with a partner.
He left the Ministry of Commerce Industry and Labour (M.C.I.L.) to build a private enterprise specializing in cyber security.
There are three realms to think of when addressing cyber security: your life (and that of your family) as a private user in the digital realm; your digital presence as a business or company; and the public sector, meaning the big organizations and government ministries.
“You have the realm of small businesses or S.M.E. (small to medium enterprises) businesses. You think my business has a few devices, a few computers and you think can my business survive if these systems came to a halt? You have your point-of-sale system, you might have accounting software. If you are a business person, that part is what you care about as your digital component,” said Malaeulu.
“Also going up to big organizations and government ministries, they invest a lot in I.T. infrastructure and they also have I.T. departments that look after these things. So for a Chief Executive Officer (C.E.O.) who runs a ministry the thing that he or she needs to think about is the staff who has been hired to do this work.”
WebSafe opened its doors in June of 2022.
“We were both longtime public servants for the government. I worked for one of the ministries for almost 10 years. We had an idea because we were two of the people chosen to go on a scoping mission (in 2017) on cyber security for Samoa and that is how we got interested in the field,” Malaeulu said.
“Eventually, we came back and worked for government. A few years later I decided to focus my efforts on cyber security. That’s why I went back to school and got my Masters degree in Cyber Security in New Zealand at Waikato University.”
After the scoping mission, “it was taking a while for the government to pick up on cyber security,” he said.
“It was not moving at the pace that we wanted to so we decided to go and start up a private company to focus solely on cyber security. That’s when we decided to opt out of government and start our own business,” said Malaeulu.
“That was back in June. We are currently the only I.T. firm that specialises in cyber security and I think one of our colleagues. We have a small circle of colleagues in Samoa who has that kind of background in I.T. There is one other person who does it but I am not sure if he is operational but we are so I think we can safely say that we are the biggest company because there are two of us. We are an I.T. firm but we specialise in cyber security.”
October is International Cyber Security Awareness Month and the services of WebSafe revolve around cyber security and threat management.
The company was offering special packages during October primarily to create awareness and drive publicity about their expertise.
Small businesses that lack an I.T. department and I.T. people were the focus during October’s Cyber Security Awareness Month.
Email accounts are especially valuable to small businesses.
“We were targeting small businesses the reason being that it’s mainly the small businesses that need our awareness. They don’t have the luxury of having their own I.T. departments or I.T. person. If you sign up with us on the special, we have in the package a security audit around your business and then we give you a report with the list of recommendations. The main thing is the one-on-one consultation,” Malaeulu said.
“We have an hour with the person who owns the business, going through what they need to look out for and the risks involved. After doing the security audit, we pick up all the vulnerabilities. For a small business, I think email is one of the main things. We do an internet sweep of their emails.”
WebSafe’s list of clientele includes Le Uaina Beach Resort which, like most businesses, uses emails to communicate and conduct business.
Malaeulu goes into Le Uaina’s email accounts to locate any data breaches tied to their email addresses.
“We find those emails tied to data breaches and exploits. We explain to them why it is important to know that,” he said.
Data breaches are more common than we think. Malaeulu said a few years ago the graphic design website Canva experienced a data breach.
Email accounts, passwords, first names, last names and dates of birth of Canva users were made vulnerable by the breach.
“When you go with Canva you need to sign up with Canva using your email address. Canva had a data breach a couple of years ago and in that breach they had a lot of information that was stolen and was out there in the deep web,” he said.
“So the reason we do the sweep is to find your email address and we see if it was part of the breach or not. And then we explain your email was tied to a data breach and through this data breach this is the kind of information that was compromised and it’s all out there now.”
If a bad person or a hacker were to get their hands on the sensitive information, they could then stealthily log into an email account and wait around for the opportunity to steal your money.
“If I was a bad person and I wanted to target Le Uaina I would start with their email. I know their email and now I just need to go to these data breaches that are already out there and grab that password and username that was in the data breach. How many times in a year have you ever changed your password? If I wanted to target you I would just look up your password, find the breach if there is any data breach and grab the email and password and log into your email account. It makes it easier for me as a criminal to do that,” Malaeulu said.
“For example you sign up to your Canva account and to your Facebook account with that email. You sign up with your online banking with your email and you run your business with that email. When I have that information I can just be waiting, reading all your emails until I see an email that says transfer this money or an email saying someone has just purchased something and we need your bank account to deposit the money. Criminals tend to do that.”
Criminals in cyberspace don’t log into your emails and send emails to all your contacts. What they do is wait for something that benefits them in “a stealth mode hack,” he said.
“Criminals will just wait until they see something that is beneficial to them. It’s like a stealth mode hack and they are just waiting. That is part of the package. That is why we went with small businesses. It’s to build awareness and for them to start thinking about it, to put security in their minds,” Malaeulu said.
WebSafe supplies their clients with recommendations on how to create a good password and valuable knowledge on how to protect the digital components that they care most about at work.
“We are trying to build a culture of cyber security,” he said.
Cyber security is a hot topic as more and more people in Samoa connect with families, business associates and other governments using the internet.
“Everybody talks about cyber security but they aren’t doing anything about it. We don’t want to scare people when we explain these things to them. Scaring people makes them not want to use the technology which is not what we want. We want them to use the technology but in a safe way,” Malaeulu said.
“People hear about cyber security and people know the risks that come with it but they never try and do anything about it. When people know there is a local company that does it and they want to learn more that is where we can come in.”
Cyber security work is incredibly technical so trying to list the services for a company brochure was a challenge, he said.
“It was really hard to try and put our services into a brochure. It’s very very technical so trying to simplify it in a brochure was very hard. It’s easier for us to try and explain it face-to-face,” Malaeulu said.
“One of our main things we like to do is to test companies. It’s called social engineering. It’s like hacking other humans. You don’t really hack in terms of the computer systems they have in place, we try our hack through the human.”
The idea behind social engineering is to have employees of a company, organisation or government ministry go through exercises that teach them how a hacker thinks.
“In cyber security we try to think from a hacker’s point-of-view. If I wanted to gain access into a bank we use social engineering…we use the human factor of the company. For example, I am a hacker. I do some research about the bank. I call into the bank and I will see if I can get information on LinkedIn who the Human Resources manager is and who is on the Human Resources team so I can get names. Once I have names of the H.R. team I can call the bank. I ask to be transferred to the H.R. person whose name I already know and then pretend to be an I.T. company or pretend to be from the I.T. department,” Malaeulu said.
“Once I get that communication going I can then tell the person I need to do something on your computer, can you install something for me? Or can you send me information about this, thinking I’m the I.T. guy and I am on the phone and I need information on their banking system. Once I get that info I am halfway there. Once I get that info, I know more about the system the bank uses and then I can start pinpointing an attack on the bank. I can do more things because I asked the H.R. girl to install something for me and now I have a back door to her P.C. Now that I am in her P.C. I am already inside the bank’s network. So that is part of the social engineering. I put that information together with my technical side and I start hacking away at the banking system.”
WebSafe offers capacity building courses to train staff on what to look for in order to protect their digital systems.
Malaeulu and his partner have created a five-module capacity building course designed to educate the employee in any workplace setting in order to thwart potential hacks.
“We have designed the course for the working environment. The girl (in our social engineering example) should have asked for the name of the person. She should have asked if there was a job scheduled for the I.T. department. It’s about preparing the user for what to expect. It’s trying to build a security culture that’s the idea,” he said.
“Even though you have an I.T. department and you have people buying the best type of firewall, all those security features that you have if you put them in place but you tend to forget about the users, which are almost always all the time the weakest link.”
What internet users should take note of is that the work of hackers is getting easier to carry out because of the technology at their disposal.
People who cannot write well or do not know how to write a proper email or message in English can turn to the Grammarly website to polish their communications.
With the help of Grammarly, criminals can send what looks like official communications to unsuspecting internet users including those on Facebook.
“It’s getting easier for people to do it and it’s getting more hard to spot because there are new technologies for these people to write essays and letters. There is Grammarly that is one of the biggest killers right now. People use this technology to straighten up their grammar so it is getting hard to identify what is real and what is not,” said Malaeulu.
“It’s getting more sophisticated. Facebook is the biggest platform and there are a lot of tips we can offer on Facebook – but it is Facebook. The easiest thing to do is train people what to look out for.”
WebSafe has a good working relationship with the Samoa Computer Emergency Response Team (S.A.M.C.E.R.T.) under the Ministry of Communications Information and Technology (M.C.I.T.).
Malaeulu and his business partner were part of the 2017 cyber security scoping team who compiled a scoping report and then assisted in formulating S.A.M.C.E.R.T. and the strategy for the team.
S.A.M.C.E.R.T., the nation’s computer emergency response team, has a big area to cover, he said.
“We did the scoping report and then we assisted in formulating the strategy for that team and formulating the team. They just launched S.A.M.C.E.R.T. last year. If they need the expertise they can look into the private sector. We have a good network with the S.A.M.C.E.R.T. team,” Malaeulu said.
S.A.M.C.E.R.T. was launched in 2021, after the Ministry of Works Transportation and Infrastructure (M.W.T.I.) hack that had the system down for about two weeks.
The M.W.T.I. hack is a case study for WebSafe.
Malaeulu and his partner assisted the ministry during the M.W.T.I. hack.
“We were part of the team that assisted the ministry during that time. S.A.M.C.E.R.T. was not operational during that time. We had a group of I.T.s who worked for the government so the group was called in to assist the ministry. We had the background on it so they called us in when I was with M.C.I.L. M.C.I.T. then quickly spun up S.A.M.C.E.R.T. just after the incident because they realised the need,” he said.
The cyber security specialist is enjoying his time in the private sector.
Malaeulu, a father of two girls and one boy, attended Marist Primary School and St. Joseph’s College.
He received his Bachelor’s degree in Computer Networking from Christchurch Polytechnic Institute of Technology (C.P.I.T.).
His advanced degree from Waikato is in cyber security.
“When I was with the ministry we tend to do all kinds of I.T. stuff. I.T. is such a broad area and there are so many things to do. So we try to be like jack of all trades. We really don’t focus on an area and go full into it. When I stopped working (for the ministry) and instead waking up doing cyber security it is fun because I am now focused on one area,” Malaeulu said.
“People don’t think we have the capacity to do it so that is one of the things we did to promote is actually do the work to show people. We actually went into a company and tried to hack them. It’s very illegal. We were reluctant to do it but the thing is with Samoans if you don’t show them they don’t believe you. People have to understand that you can be attacked. It can happen to you it’s just that it has not happened to you yet.”