Thoughts on SingHealth Data Breach

On the 20th of July, Singaporean authorities announced a data breach affecting SingHealth, the country’s largest healthcare group. The breach affected 1.5 million people who had used SingHealth services over the last 3 years.

Oh boy, another data breach with 1.5 million records … **yawn**.

But Singapore has less than 6 million people, so it’s a BIG deal to this island I currently call home. Here’s what happened.

The lowdown

According to the official Ministry announcement, administrators discovered ‘unusual’ activity on one of their databases on 4-Jul, investigations confirmed the data breach a week later, and the public announcement was made 10 days after confirmation.

4-Jul: IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases
10-Jul: Investigations confirmed the data breach, and all relevant authorities were informed
12-Jul: A police report was made
20-Jul: A public announcement was made

The official report states that “data was exfiltrated from 27 June 2018 to 4 July 2018…no further illegal exfiltration has been detected”.

The point of entry was ascertained to be that “the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database”.

And finally that “SingHealth will be progressively contacting all patients…to notify them if their data had been illegally exfiltrated. All the patients, whether or not their data were compromised, will receive an SMS notification over the next five days”.

The Malaysian Government isn’t watching your porn habits

Recently, there was a poorly written article in The New Straits Times that suggested the Malaysian Police would know if you were watching porn online.

Let me cut to the chase, the article is shit.

The software in question, aptly named Internet Crime Against Children Child Online Protective Services (ICACCOPS), is used to detect Child Pornography, and Child Pornography only — as the name clearly implies. It is a collaborative effort by Law Enforcement agencies, and is shared with PDRM, probably as a gesture of goodwill and as part of that collaboration.

Pornography is perfectly legal in the US, insofar as it’s consensual and does not include minors. There is no way US Law Enforcement agencies are investigating something that is legal in their jurisdiction — it is a waste of effort, and possibly illegal.

From what I pieced together, the system has a list of known Child Pornographic material and uses it to check against what is being shared across a limited number of Peer-2-Peer (P2P) networks. This might surprise you, but your sharing habits on BitTorrent, Ares, and Freenet are all ‘in the clear’: it’s very easy to find out which IP addresses are sharing what.

Hence, the scope is not only limited to Child Pornography (good!), but is also narrowly focused on P2P networks. Your general internet surfing habits, even those on PornHub, are completely out of bounds to this thing.

How the NST went from this to “the police will know if you watch Porn” is beyond me.

This was my email to The Malay Mail, who reported on this issue last week:

Hi Anith,

First off, the NST report was sensationalized. It omitted 2 key facts: one, that this was focused on child pornography, and two (more importantly), that the monitoring was limited to a small set of p2p networks like bit-torrent, Ares and Freenet. ICACCOPS is a system put in place by various authorities to allow for the dissemination of data on p2p users who are sharing child pornography material on these networks.

Nothing in the report or video suggests that the Police are monitoring your regular Internet usage outside of these p2p networks. Your Facebook, Twitter, Google, YouTube and all other Internet traffic is still very much private.

P2P networks aren’t anonymous; the music and movie industry regularly threaten legal action against people who share copyrighted material on these networks. It’s easy to find which IP addresses are uploading the latest movies or sharing child pornography; it’s not easy trying to tie an IP address to an individual — it should not be automatically assumed that everything flowing from an IP address belongs to the individual subscriber who owns the account, as IP addresses are shared.

In my opinion, information sharing on ICACCOPS between Law Enforcement Agencies, on the data of P2P networks, targeting the distribution of child pornography, is a very good thing. And if the Police are using it as a starting point for investigations (as the report suggests), that should also be applauded. That’s all I see in this report, and it all looks perfectly fine, nothing to be alarmed about. The NST should be more responsible.

However, as child pornography starts to move to the DarkWeb outside of these P2P networks, this piece of technology will lose its efficacy over time, but as the video shows, there’s still a lot of child pornography being shared on these networks and authorities should act.

I don’t want to answer your specific questions, because they assume the authorities are monitoring the network — that may be true, but it’s not in the context of this story. The story should be what is above, to reduce the sensationalism that’s floating around.

More context:
www.teorieib.cz/pbi/files/103-Erdely_ICAC%20Cops%20P2P.pptx
http://www.iacpcybercenter.org/training_conferences/bittorrent-investigations/
https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/organized-crime-and-human-trafficking/global-alliance-against-child-abuse/docs/reports-2014/ga_report_2014_-_united_states_en.pdf
https://www.icaccops.com/users/login.aspx?ReturnUrl=%2fusers

Security Headers for Gov-TLS-Audit

Gov-TLS-Audit got a brand new domain today. No longer is it sharing a crummy domain with sayakenahack (which is still blocked in Malaysia!); it now has a place to call its own.

The domain cost me a whopping $18.00/yr on AWS, and involved a couple of hours of registration and migration.

So I felt that while migrating domains, I might as well implement proper security headers. Security headers are HTTP headers that instruct the browser to deny or allow certain things; the idea is that the more a site tells the browser about itself, the less susceptible it is to attack.

I was shocked to find out that Gov-TLS-Audit had no security headers at all! I assumed AWS (specifically CloudFront) would take care of ‘some’ HTTP headers for me — I was mistaken. CloudFront takes care of the TLS implementation, but does not implement any security header for you, not even Strict-Transport-Security, which is TLS related.

So, unsurprisingly, a newly created CloudFront distribution using the reference AWS implementation fails miserably when it comes to security headers.

I guess the reason is that HTTP headers are very site-dependent. Had CloudFront done it automatically, it might have broken a majority of sites. And implementing headers is one thing; fixing the underlying problem is another.

But what security headers to implement?
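As an added illustration of the check described above (my own code, not part of Gov-TLS-Audit or anything AWS ships), here is a small Python audit of a response's security headers. The baseline of headers and acceptable values is my assumption of a sensible minimum, and the sample responses are constructed rather than captured from any real distribution: one looks like a fresh CloudFront origin with TLS but no security headers, one is hardened, and one has an HSTS max-age too short to be useful.

```python
"""Audit an HTTP response for a baseline set of security headers.

Added example, not code from the Gov-TLS-Audit project. The baseline (which
headers, which values count as acceptable) is my assumption of a sensible
minimum, and the sample responses below are constructed, not captured.
"""
import urllib.request
from typing import Callable, Dict, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def _check_hsts(value: str) -> Optional[str]:
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None:
        return "missing max-age"
    try:
        seconds = int(max_age.split("=", 1)[1])
    except ValueError:
        return "max-age is not an integer"
    if seconds < ONE_YEAR:
        return f"max-age {seconds} is shorter than one year"
    return None


def _check_csp(value: str) -> Optional[str]:
    lowered = value.lower()
    if "default-src" not in lowered:
        return "no default-src directive, so unlisted resource types are unrestricted"
    if "'unsafe-inline'" in lowered:
        return "'unsafe-inline' defeats most of the point of a CSP"
    return None


def _check_nosniff(value: str) -> Optional[str]:
    return None if value.strip().lower() == "nosniff" else "value should be 'nosniff'"


def _check_frame_options(value: str) -> Optional[str]:
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return None
    return "value should be DENY or SAMEORIGIN"


# Header name (lower-case) -> validator returning None when the value is acceptable.
BASELINE: Dict[str, Callable[[str], Optional[str]]] = {
    "strict-transport-security": _check_hsts,
    "content-security-policy": _check_csp,
    "x-content-type-options": _check_nosniff,
    "x-frame-options": _check_frame_options,
    "referrer-policy": lambda v: None,  # any explicit policy beats the browser default
}


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {header: problem} for each baseline header that is missing or weak.

    Header names are compared case-insensitively, as HTTP requires; an empty
    result means the response passes the baseline.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings: Dict[str, str] = {}
    for name, validator in BASELINE.items():
        if name not in lowered:
            findings[name] = "missing"
            continue
        problem = validator(lowered[name])
        if problem:
            findings[name] = problem
    return findings


def audit_url(url: str) -> Dict[str, str]:
    """Fetch a live URL and audit its response headers (needs network access)."""
    with urllib.request.urlopen(url, timeout=10) as response:
        return audit_headers(dict(response.headers))


# Constructed samples: roughly what a fresh CloudFront distribution sends (TLS is
# handled, but no security headers at all) versus a hardened response.
CLOUDFRONT_DEFAULT = {
    "Content-Type": "text/html",
    "Server": "AmazonS3",
    "Via": "1.1 abc123.cloudfront.net (CloudFront)",
}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HSTS = dict(HARDENED, **{"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    for label, sample in (("cloudfront default", CLOUDFRONT_DEFAULT),
                          ("hardened", HARDENED), ("weak hsts", WEAK_HSTS)):
        print(f"{label}: {audit_headers(sample) or 'passes baseline'}")
```

Run it as a script to see the three verdicts, or call `audit_url("https://your-site.example/")` against a real distribution. The validators deliberately go beyond presence checks: a header that is present but toothless (a 5-minute HSTS, a CSP with `'unsafe-inline'`) is reported as a problem, which is the difference between a scanner that counts headers and one that reflects the protection the browser actually gets.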

Why my people will never be Ministers

As Malaysians woke up today, to a brand new cabinet of Ministers, many have already begun expressing their dissatisfaction on the lineup. I know better than to wade into these politically charged discussions — but I will point out that my people have long been overlooked for Ministerial positions.

Who are ‘my people’ you ask…

Hackers.

Or if you prefer a less negative word — Geeks. But for the rest of this post, I’ll use the more accurate term of hacker to refer to technically savvy folks who subscribe to the hacker ethic.

Yes, we in the hacker community have long been overlooked for ministerial positions, and I for one, choose to speak out against this travesty. But before I delve into why I think we’ve not played a bigger part in politics, let me first make the case for why we need hackers in parliament.

Why we need hackers in parliament

As technology becomes more pervasive and ubiquitous in our lives, every policy decision becomes a technology decision, whether it’s in education, finance or defence. Hence it becomes pertinent to ensure that the people making these decisions have the capacity to understand the technology that drives the issues. This is not something you get from a 2-week bootcamp, or a crash course in computers; it involves deep technical knowledge that can only be attained from years (even decades) of experience.

But it’s not enough that policy makers merely understand technology; they also need to subscribe to the hacker ethic, and bring that ethic into the decisions they make.

What is the hacker ethic? Well I’m glad you asked.

The ethic has no hard definition, but it incorporates things like Sharing, Openness, Decentralization and Free access to computers, etc. The ethic further includes attitudes, like pure meritocracy, the idea that hackers should be judged for their hacking (and nothing else), not age, gender, degrees or even position in a hierarchy. So anytime you see some poor sod who claims to be a hacker, but puts CISSP, PMP, CEH at the end of their LinkedIn profile — you know they’re not really hackers.

You can see the ethic played out at hacker conferences throughout the world: hackers are ever willing to share what they’ve built with anyone who’ll listen, and they’re accepting of anyone willing to learn, at any age, without any education or formal training.

The Hacker perspective is an interesting one, and like all perspectives, may not always be right or appropriate, but it’s important for it to be present at the decision making process, if nothing more than to add to the diversity of thought.

So why aren’t there more hackers at decision making levels? Well, let’s see what it takes to reach the decision making level in the first place.

The GREAT .my outage of 2018

.my DNSKEY Failure

Boy, that’s a lot of RED!

Last week, MyNic suffered a massive outage taking out any website that had a .my domain, including local banks like maybank2u.com.my and even government websites hosted on .gov.my.

Here’s a great report on what happened from IANIX. I’m no DNSSEC expert, but here’s my laymen reading of what happened:

  1. .my uses DNSSEC
  2. Up to 11-Jun, .my used a DNSKEY with key tag 25992
  3. For some reason, this key went missing on 15-Jun, and was replaced with DNSKEY key tag 63366, which is still a valid SEP for .my
  4. Unfortunately, the DS record on root was still pointing to key tag 25992
  5. So DNSSEC started failing
  6. 15 hours later, instead of correcting the error, someone tried to switch off DNSSEC by removing all the signatures (RRSIG)
  7. But this didn’t work, as the parent zone still had a DS entry that pointed to key tag 25992 and hence was still expecting DNSSEC to be turned on
  8. 5 hours after that, they added back the missing DNSKEY key tag 25992 (oh, we found it!), but added invalid signatures for all entries — still failing
  9. Only 4 hours after that did they fix it, with the proper DS entry on root for DNSKEY key tag 63366 and valid signatures
  10. That’s a 24-hour outage on all .my domains
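The failure in that list is a broken link between the parent's DS record and the DNSKEY the child serves. As an added example (my own code, not from the IANIX report or MyNIC), here is a small Python model of that link: it builds DS records from DNSKEYs the way RFC 4034 specifies (key tag from Appendix B, SHA-256 digest over owner name plus RDATA) and replays the outage steps to show which ones a validating resolver would reject. The "public keys" are tiny constructed byte strings standing in for real RSA keys, so the key tags differ from the real 25992 and 63366, and RRSIG verification is not modelled, so the "invalid signatures" step is outside what this check can see.

```python
"""Check the DS -> DNSKEY link that broke for .my: does any DS record in the
parent match a DNSKEY the child actually serves?

Added example, not from the IANIX report or MyNIC. Key tag and DS digest follow
RFC 4034; the public keys are constructed placeholders, and only the
chain-of-trust link is modelled, not RRSIG verification.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK with the SEP bit set, 256 = ZSK
    algorithm: int      # 8 = RSASHA256
    public_key: bytes   # constructed placeholder, not real key material
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA."""
        acc = 0
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Owner name in canonical wire format: length-prefixed lower-case labels, then a zero byte."""
    labels = [label for label in name.lower().strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY) -> DS:
    """The SHA-256 DS record the parent zone should publish for this DNSKEY."""
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True if this DS was derived from this DNSKEY (tag, algorithm and digest all agree)."""
    if ds.digest_type != 2 or ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    return ds.digest == hashlib.sha256(owner_wire(owner) + key.rdata()).digest()


def chain_of_trust_ok(owner: str, parent_ds: List[DS], child_keys: List[DNSKEY]) -> bool:
    """A validator needs at least one parent DS that matches a DNSKEY the child serves.

    Serving no DNSKEYs at all ("switching DNSSEC off") fails exactly like serving
    the wrong key: the parent's DS still tells resolvers to expect a signed zone.
    """
    return any(ds_matches(owner, ds, key) for ds in parent_ds for key in child_keys)


# Constructed stand-ins for the two .my KSKs in the post; their key tags differ from the real ones.
OLD_KSK = DNSKEY(flags=257, algorithm=8, public_key=b"\x01\x02\x03\x04")
NEW_KSK = DNSKEY(flags=257, algorithm=8, public_key=b"\x0a\x0b\x0c\x0d\x0e")
ROOT_DS = [make_ds("my.", OLD_KSK)]   # what the parent kept publishing during the outage


def outage_timeline() -> List[Tuple[str, bool]]:
    """Replay the post's sequence as (step, chain-of-trust intact?) pairs."""
    return [
        ("old KSK served, root DS matches", chain_of_trust_ok("my.", ROOT_DS, [OLD_KSK])),
        ("old KSK dropped, only new KSK served, root DS unchanged", chain_of_trust_ok("my.", ROOT_DS, [NEW_KSK])),
        ("DNSSEC 'switched off' (modelled as no DNSKEYs), root DS unchanged", chain_of_trust_ok("my.", ROOT_DS, [])),
        ("old KSK restored (RRSIG validity not modelled here)", chain_of_trust_ok("my.", ROOT_DS, [OLD_KSK, NEW_KSK])),
        ("root DS updated to new KSK", chain_of_trust_ok("my.", [make_ds("my.", NEW_KSK)], [NEW_KSK])),
    ]


if __name__ == "__main__":
    for step, ok in outage_timeline():
        print(f"{'OK  ' if ok else 'FAIL'} {step}")
```

The practical lesson the replay makes visible: before retiring a KSK, publish the new DS in the parent and wait for the old DS's TTL to expire, keeping both keys in the DNSKEY RRset in the meantime. Each intermediate state above can be checked with `chain_of_trust_ok` using the DS set the parent actually serves, which is a far cheaper test than a 24-hour outage.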

So basically, something broke, they sat on it for 15 hours, then tried a fix, which didn’t work. They tried something else 5 hours after that, which didn’t work again! And finally, after presumably a lot of praying to the Gods of the Internet and a couple of animal sacrifices, they managed to fix it after 24 hours of downtime.

I defend my fellow IT practitioners a lot on this blog, but this is a difficult one. Clearly this was the work of someone who didn’t know what they were doing and refused to ask for help, instead trying one failed fix after another, which made things worse. As my good friend Mark Twain would say — it’s like a mouse trying to fix a pumpkin.

I don’t fully understand DNSSEC (it’s complicated), but I’m not in charge of a TLD. It’s unacceptable that someone could screw up this badly — and for that screw up to impact so many people, and all we got was a lousy press release.

The point is, it shouldn’t take 24 hours to resolve a DNSSEC issue, especially for such a critical piece of infrastructure. I’ve gone through reports of similar DNSSEC failures, and in most cases recovery takes 1-5 hours. The .nasa.gov TLD had a similar issue that was resolved in an hour; very rarely do we see a 24-hour outage, so what gives?

I look forward to an official report from MyNIC to our spanking new communications ministry, and for that to be shared with the public.

The Malaysian Ministry of Education Data Breach

Ok, I’ve been pretty involved in the latest data breach, so here’s my side of the story.

At around 11pm last Friday, I got a query from Zurairi at The Malay Mail, asking for a second opinion on a strange email the newsdesk received from an ‘anonymous source’. The email was a regular vulnerability disclosure, but one that was full of details, with an enormous amount of data attached.

This wasn’t a two-liner tweet, this was a detailed email with outlined sub-sections. It covered why they were sending the email, what the vulnerable system was, how to exploit the vulnerability and finally (and most importantly!) a link to a Google Drive folder containing Gigabytes of data.

The email pointed to a Ministry of Education site called SAPSNKRA, used by parents to check on their children’s exam results. Quick Google searches reveal the site had security issues in the past, including one blog advising parents to proceed past the invalid certificate warning in Firefox. But let’s get back to the breach.

My first reaction was to test the vulnerability, and sure enough, the site was vulnerable to SQL Injection, in exactly the manner specified by the email. So far, the email looked legitimate.

Next, I verified the data in the Google Drive folder, by downloading the gigabytes of text files, and checking the IC Numbers of children I knew.

I further cross-checked a few parents’ IC numbers against the electoral roll. Most children have some indicator of their father’s name embedded in their own, either through a surname or the full name of the father after the bin, binti, a/l or a/p. By keying in the father’s IC number and cross-referencing the father’s name against what was in the breach, it was easy to see that the data was the real deal.

So I called back Zurairi and confirmed to him that the data was real, and that the site should be taken offline. I also contacted a buddy of mine over at MKN, to see if he could help, and Zurairi had independently raised a ticket with MyCert (a ticket??!!) and tried to contact the Education Minister via his aide.

Obviously neither Zurairi nor myself, nor any of the other journalists I kept in touch with, could report on the story. The site was still vulnerable, and we didn’t want someone else breaching it.

The next morning, I emailed the anonymous source and asked them to take down the Google Drive, explaining that the breach was confirmed, and people were working to take down the site. Hence there was no reason to continue exposing all of that personal information on the internet.

They agreed and wiped the drive clean, and shortly after I got confirmation that the SAPSNKRA website had been taken down. So with the site down and the Google Drive wiped clean, it seemed the worst was behind us.

Danger averted…at least for now.

But since data breaches last forever, and this was a breach, we should talk about what data was in the system. Zurairi did a good job here, but here’s my more detailed take on the issue.

3 times GovTLS helped fix government websites

A couple of months back I started GovTLSAudit, a simple service that scans .gov.my domains and reports on their implementation of TLS. But the service seems to have benefits above and beyond that, specifically in having a list of government sites that we can cross-check against other intel sources like Shodan (which we already do daily) and VirusTotal.

So here’s 3 times GovTLSAudit helped secure government websites.

That time Yayasan Islam Terengganu was used as a phishing website

I used VirusTotal’s search engine to see if they had extra .gov.my domains to scan, and found a few rather suspicious looking URLs, including:

paypal-security-wmid0f4-110ll-pp16.yit.gov.my
appleid.corn-security2016wmid7780f4-110ll-16.yit.gov.my
paypal-security-wmid7110f4-110ll-pp16.yit.gov.my

This was an obvious phishing campaign being run out of a .gov.my domain. Digging further, I found that the IP address the malicious URLs resolved to was local, and belonged to Exabytes. And while the root page was a bare Apache directory listing, buried deep within the site’s sub-directories was a redirect that pointed to a Russian IP.
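Spotting those hostnames by eye works for three URLs, not for a daily feed. As an added example (my own code, not the author's tooling), here is a small Python scorer that flags hostnames under a trusted suffix whose subdomain carries brand names, lure words, random-looking identifiers and long hyphenated chains, the pattern the three URLs above share. The brand and lure lists, scoring weights and threshold are my own constructions; the three yit.gov.my hostnames in the sample are the ones quoted in the post, and the rest are made up for contrast.

```python
"""Flag hostnames under a trusted suffix (here .gov.my) that impersonate a brand.

Added example, not the author's tooling. Brand and lure lists, scoring rules and
threshold are my own constructions; the three yit.gov.my hostnames are from the
post, the other sample hosts are made up.
"""
import re
from typing import Dict, List, Optional, Tuple

TRUSTED_SUFFIXES = (".gov.my",)
# Brands that phishing kits commonly impersonate; extend from your own intel.
BRAND_TOKENS = ("paypal", "appleid", "microsoft", "office365", "dropbox", "netflix")
# Words that typically sit beside the brand in a phishing hostname.
LURE_TOKENS = ("security", "secure", "login", "signin", "verify", "account", "update")
HEX_RUN = re.compile(r"[0-9a-f]{4,}")   # random-looking ids such as "wmid0f4"


def split_trusted(host: str) -> Optional[Tuple[List[str], str]]:
    """Return (labels left of the suffix, suffix), or None if host is not under a trusted suffix."""
    host = host.lower().rstrip(".")
    for suffix in TRUSTED_SUFFIXES:
        if host.endswith(suffix):
            return [label for label in host[: -len(suffix)].split(".") if label], suffix
    return None


def score_host(host: str) -> Dict:
    """Score how much a hostname looks like brand impersonation under a trusted suffix."""
    parts = split_trusted(host)
    if parts is None:
        return {"host": host, "site": None, "score": 0, "reasons": ["not under a trusted suffix"]}
    labels, suffix = parts
    site = (labels[-1] + suffix) if labels else suffix.lstrip(".")
    # Only the labels left of the registrant's own label are "decoration" the abuser controls.
    sub = ".".join(labels[:-1])
    normalised = sub.replace("corn", "com")   # 'corn' is a classic 'com' lookalike
    score, reasons = 0, []
    brands = [b for b in BRAND_TOKENS if b in normalised]
    if brands:
        score += 3
        reasons.append(f"brand token(s) {brands} in subdomain")
    lures = [l for l in LURE_TOKENS if l in normalised]
    if lures:
        score += 1
        reasons.append(f"lure word(s) {lures} in subdomain")
    if HEX_RUN.search(sub):
        score += 1
        reasons.append("random-looking hex run in subdomain")
    if sub.count("-") >= 2:
        score += 1
        reasons.append("many hyphen-joined tokens in subdomain")
    return {"host": host, "site": site, "score": score, "reasons": reasons}


def flag_suspicious(hosts: List[str], threshold: int = 4) -> List[str]:
    """Hosts scoring at or above the threshold: worth a manual look and a report to the host owner."""
    return [h for h in hosts if score_host(h)["score"] >= threshold]


SAMPLE_HOSTS = [
    "www.agency-example.gov.my",                               # constructed, benign
    "portal.gov.my",                                           # constructed, benign
    "secure-login.yit.gov.my",                                 # constructed: lure words, no brand
    "paypal-security-wmid0f4-110ll-pp16.yit.gov.my",           # from the post
    "appleid.corn-security2016wmid7780f4-110ll-16.yit.gov.my", # from the post
    "paypal-security-wmid7110f4-110ll-pp16.yit.gov.my",        # from the post
    "paypal-security.example.org",                             # constructed: not our suffix
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict = score_host(host)
        print(f"{verdict['score']:>2}  {host}  {'; '.join(verdict['reasons'])}")
```

Feed it the hostnames a passive-DNS or VirusTotal export gives you for the suffix you are responsible for. The `site` field groups hits by the registrant (here `yit.gov.my`), which is what you need when reporting to the hosting provider, and the `reasons` list is what makes a triage queue reviewable rather than a bare score.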

I took to Twitter to report my findings — I kinda like Twitter for this — and the very next day Exabytes came back with a follow-up that they were fixing it. That’s good, because having a phishing campaign run on .gov.my infrastructure isn’t exactly what you’d like.

There’s a lot more detail in the tweet about how I investigated this — click here to follow the thread. A warning though: I regularly delete my old tweets, so get it while it’s there :).


Look ma, Open Redirect on Astro

If you’ve come here from a link on Twitter, you’d see that the address bar still says login.astro.com.my, but the site is rendering this page from my blog. If not, click this link to see what I mean. You’ll get something like this:

Somehow I’ve managed to serve content from my site on an Astro domain. Rest assured, I haven’t ‘hacked’ Astro’s servers and uploaded my page, but I’ve performed an equally sinister attack called open redirect.

While browsing online for more info on the Astro breach, I found this blog post from Amirul Amir detailing the open redirect vulnerability on Astro’s website. The post is dated Nov 2016, yet the vulnerability still works — and even though Amirul laments that he informed Astro, they seem to have taken no action in more than a year.

You might be wondering what good is an open redirect vulnerability?

Well, an attacker might send you a phishing email, pretending to be Astro and asking you to update your info on their site, with a conveniently placed link for you to click. The link looks legitimate (it has login.astro.com.my in it), so you click it and find a legitimate-looking site, with valid certificates to boot — so you enter your username and password.

But the site isn’t legitimate; it’s an attacker’s page (that looks exactly like Astro’s) rendered over the original website, leveraging the vulnerability (and some added JavaScript) — and now you’ve just given your username and password away.

The frustrating thing with open redirect is that all the techniques we teach people for detecting phishing sites don’t work in this case, because this is the ‘real’ site, compromised via the open redirect. It has the correct domain, it even has the right certificates; the only way you’d know is if you actually looked into the embedded JavaScript, and 99% of folks never do that.
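Since the user can't tell, the fix has to live on the server: the redirect parameter must be validated before the site ever issues the redirect. As an added example (my own code, not Astro's), here is the naive check that this class of bug typically hides behind, next to a stricter validator, run over a set of constructed targets that separate the two. The allowlist, site root and hostnames are assumptions for the demonstration.

```python
"""Validate a post-login redirect target so it can only land on hosts you control.

Added example, not Astro's code. The allowlist, site root and sample targets are
my own constructions; naive_is_safe is the kind of test an open-redirect bug
usually hides behind, and safe_redirect is the stricter form.
"""
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"login.example.com.my", "www.example.com.my"}   # assumed, not Astro's
SITE_ROOT = "https://login.example.com.my/"
FALLBACK = SITE_ROOT   # where to send the user when the target is not trusted


def naive_is_safe(target: str) -> bool:
    """'It mentions our domain, so it must be ours': the check that leaves an open redirect."""
    return "example.com.my" in target


def safe_redirect(target: str) -> str:
    """Return a URL safe to put in a Location header, or FALLBACK.

    Resolve the target against our own root first, then insist that the result
    is https, that the host is on the allowlist (exact match), and that nothing
    resembling a second URL slipped through (userinfo, backslashes, control chars).
    """
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return FALLBACK
    resolved = urljoin(SITE_ROOT, target)
    parts = urlsplit(resolved)
    if parts.scheme != "https":            # also rejects javascript:, data: and plain http
        return FALLBACK
    if parts.username is not None or parts.password is not None:
        return FALLBACK                    # user@host tricks put our name in the userinfo
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return FALLBACK                    # exact match: no suffix or substring tricks
    return resolved


SAMPLE_TARGETS = [
    "/account/settings",                                   # relative path: fine
    "https://www.example.com.my/promo",                    # allowlisted host: fine
    "https://evil.example/?next=example.com.my",           # our domain only in the query
    "//evil.example/login.example.com.my",                 # scheme-relative, host is evil
    "https://login.example.com.my.evil.example/",          # our host as a prefix of theirs
    "https://login.example.com.my@evil.example/",          # our host as userinfo
    "http://login.example.com.my/",                        # downgrade to plaintext
    "/\\evil.example",                                     # backslash confusion
]


def compare(targets: List[str]) -> List[Tuple[str, bool, str]]:
    """(target, what the naive check says, where safe_redirect actually sends the user)."""
    return [(t, naive_is_safe(t), safe_redirect(t)) for t in targets]


if __name__ == "__main__":
    for target, naive, final in compare(SAMPLE_TARGETS):
        print(f"{'naive:OK' if naive else 'naive:NO'}  -> {final}   {target}")
```

The design choice worth copying is the order of operations: resolve first, then validate the result, so the check sees exactly what the browser will see. Validating the raw string (as `naive_is_safe` does) is what lets a host in the query string, in the userinfo, or as a prefix of an attacker's domain pass. Where the application only ever needs in-site redirects, an even simpler policy is to accept nothing but a path and rebuild the URL from `SITE_ROOT` yourself.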

So for a company like Astro to be sitting on this vulnerability for more than a year is not acceptable.

Just more bad news for their already shitty response to the original data breach.

Shout out to Amirul, who blogs over at kaizen1996.wordpress.com, although it looks like he stopped blogging in 2016; a pity, because he had good content.

The Astro Data Breach

I previously wrote about how data breaches are like diamonds:

  • They’re not as rare as you think
  • They’re worth far more to you than to a thief
  • They last forever

And the recent debacle over the Astro data breach epitomizes all of these characteristics.

First off, Lowyat has already reported 3 big data breaches (at least by my count), and rest assured these won’t be the last. Data breaches will continue to happen, and just like diamonds, they’re not as rare as people think they are — they happen all the time, get used to it.

Secondly, the Astro breach is reportedly being sold for 30-45 cents per record. Almost any victim would be willing to pay 100 times more to keep that data private, yet on the ‘market’ these things sell for pennies. Honestly, I’d be surprised if anyone paid the sticker price on this, because even 30 cents per record sounds high to me.

Finally, (and most importantly), data breaches are forever!

It’s like peeing in the pool: once you do it, there’s no reversing the process. There is no such thing as ‘un-breaching’. Astro (and Lowyat) thought that the breach was “contained” when the links were taken down — but there is no containing data breaches.

If there were a way to contain digital data on the internet, illegal downloaders wouldn’t be an issue!

Once a breach happens, we expect the authorities and data owners to try to limit the damage inflicted on victims. Part of that is trying to ‘contain’ the breach — but most of it is simply informing the victims with specific details of what data of theirs was breached.

It gives victims visibility of what data was lost, and allows them to take at least some measures to protect themselves.

Sure, Astro lodged a police report and roped in MCMC, but what’s the point of telling the regulator if the regulator won’t inform the customers it’s duty-bound to protect?

Here’s one thing that’s already changed post GE14

In 2015, I was invited to a variety program on Astro to talk about cybersecurity.

This was just after Malaysian Airlines (MAS) had their DNS hijacked, but I was specifically told by the producer that I could NOT talk about the MAS hack, because MAS was a government linked company, and they couldn’t talk bad about GLCs.

Then, half-way through the interview, they asked me about government intervention, and I said something to the effect of “Governments are part of the problem and should refrain from censoring the internet”. That sound-bite never made it to TV because it was censored.

This was some stupid variety show called VBuzz, on a Tamil TV channel (of all places), tucked away in the Astro labyrinth of channels, and even then they were absolutely piss scared of being critical of anything even remotely close to the government. My statement wasn’t even directed at the Malaysian government, it was directed at government intervention in general, but alas, they feared too much and censored it out.

To be fair, I’m 100% certain the station would not have been in any trouble if they had just broadcast all of what I said (I’ve been more critical on other mediums like the blog and radio), but the producers chose to err on the side of caution.

When I asked why it was censored, they said it was because of the ‘law’. When I pressed her to name the actual law in question, her response (quite nonchalantly) was that it was an unwritten law!

Then…GE14 happened and….

Two days ago, on Astro Awani (LIVE!!), a commentator openly and directly criticized the SPR commissioner, a Government Agency…and Astro didn’t censor it this time. Far more critical than what I said, and far worse, but somehow, magically, the media found their spine that day.

It’s now a viral clip of what press freedom actually looks like, and hopefully this refreshing change will permeate through all of Malaysian media.