*This message is intended for all Malaysian Government servants only, do not forward without prior approval*
Greetings and Salam 1Malaysia.
I want to use this year-end as an opportunity to discuss the important topic of Cybersecurity. This year was interesting for me personally, and for all Malaysians, and we need to be aware of cybersecurity issues in order to avoid situations where some people go bat crazy over a missing pendrive, or we’re struggling to interrogate a sysadmin in Thailand.
But let’s start with a Government Linked Company, Malaysian Airlines (MAS).
In February, MAS had their website hacked by a group calling themselves Lizard Squad, which appeared at the time to be affiliated with ISIS. However, I confirmed with my pal Badghdadi that Lizard squad are in no way related to our good friends at the Caliphate, and we should continue striving to be as brave as them.
Delving deeper into the hack, revealed it to be a domain registrar hijack, and was not a result of inadequate security from MAS. Essentially MAS registered their website with a registrar, and it was that registrar which was hacked, not MAS themselves. Let that be a lesson for us all, sometimes the responsibility of security rest not just with us, but with our IT vendors as well.
Another good example of IT vendors completely messing up is Miliserv.
Miliserv operated the software we use for the illegal surveillance of our citizens (at least until I pass a new law to legalize stasi-like surveillance). According to documents from the Hacking team breach in July, it was plain to see that it wasn’t a good idea to run top-secret government surveillance operations on a Unifi connection using a fake copy of Microsoft Windows, although we applaud their cost-cutting measures, it left us vulnerable to security threats. We will continue to publicly deny buying surveillance software, partly because all our surveillance suggest no one has any proof of it.
We in Government have to be very diligent in our operations. A lot of you think that Malaysia is a small country and will not be attacked, but let me remind you that in April this year, we and other ASEAN countries were the target of an Advanced Persistent Threat named APT30, persistent is putting it lightly, those buggers were hacking us for 10 years, and we just found out about it. Then in November this year, F-secure reported that the Asean.org website was hacked shortly before the 3rd ASEAN-US summit. ASEAN is a global player, and hence a global target.
In light of this hack, I took the bold decision to stop visiting the ASEAN.org website, and block all e-mails from the domain. This caused me to miss the important e-mail announcement informing us to wear Barongs for the APEC leaders summit.Hence my lovely wife was so embarrassed to be wearing her multi-million dollar black gown, while everybody else was wearing white. They really shouldn’t have relied on just e-mails and used signal instead, that’s the messaging app I use for trusted communications, it provides end-2-end encryption, perfect forward secrecy and it’s code is open for review, 3 features Whatsapp doesn’t have. We stopped trusting email a long time ago, and you should too.
E-mails are good, but insecure. And while we would like to stop using them, sometimes that’s not practical. When using email ensure all sensitive data is encrypted, too many secrets were lost during the hacking team breach, including the rumour we were spreading about BN employing Bangladeshi’s to vote for the election (yes we spread rumours about ourselves to trick the opposition).
Please also secure all accounts with two-factor authentication (2FA). For most of us, just using Gmail with 2FA is adequate security, that’s why even though he stole Billions from us, Jho Low still uses Gmail. At some point in the future we think he’ll have stolen enough to buy Google outright, but for now he has to be contented drinking champagne with Paris Hilton instead.(poor thing!)
Also don’t be too embarrassed about going low-tech, a Nokia 3310 never got hacked did it? And it cost less than RM100! An un-hackable phone for less than RM100 is a pretty sweet deal. For comparison a brand new iPhone cost nearly as much as my wife’s haircut (nearly!).
Sometimes we rely too much on technology and suffer when they fail.
I had two bad experiences this year, first my Waze navigation failed while I was on my way to the nothing2hide forum.It was impossible to navigate KL without Waze these days, and I tried asking for directions but people immediately pointed to Pudu jail the moment they realize who I was.It became a security threat the moment I realized I was in Klang, and had to get the IGP to cancel the event.
The second time was when I was at the UN, my Google Glass suddenly powered down–the damn thing was supposed to identify heads of states for me, and without it I was flying blind in the freaking UN. How can anybody remember the faces of 190+ world leaders, and can you really blame me for shaking hands with Netanyahu, the guy looked like he was Russian and the last person I want to piss off is Vladimir Putin. And god damnit, just two days ago Mahmoud Abbas shook his hand, and nobody at PAS headquarters seemed angry about that??!!
Oh, and remember Nurul and Jacel Kiram, just saying.
Obviously unlike my wife, the opposition are not perfect. 4 DAP leaders had their phones hacked at their recent party congress, and I can confirm that I had nothing to do with it (*wink). But seriously, it wasn’t me, I wouldn’t stop at just 4 members now would I? Even Theresa Kok and Khalid Samad had lodge reports about hacks affecting them, those guys at Pakatan can’t even secure their phones and twitter accounts, you think they can secure the Sabah border meh? (boo-yah!)
Presumably they were using an out-dated and rooted Android phones–I only use iPhones baby, and that’s why I don’t get hacked. Unless of course you count leaking data to the Chinese government a hack, China are our friends, they
bailed out invested in our power companies remember.
Fortunately there’s light at the end of the tunnel. Our internet connection speeds are so fast these days, our new communications minister tells me most of you prefer the good ol’ days of dial-up. Don’t worry, based on the current ringgits trend that’ll be all you can afford anyway. And our security services are so well run, we survived the anonymous threat unscathed in August, thanks to the glorious work of cybersecurity malaysia, maybe now they can earn their trip to Milan to see hacking team and form a ‘strategic relationship’ with an enemy of the internet.
But there are low-lights as well, earlier in April MYNIC was hacked, again!! They have since synced up with Jho Low, and have introduced 2FA, but I’ll believe it when I see it. So my blog isn’t migrating to a .my domain anytime soon, that’s probably why you-know-who host his website on a .cc domain as well.
Finally, I want to take this opportunity to talk about anonymity online. As you know, I’m a big fan of online anonymous communications. I think it is the bedrock of modern society. How else could I receive an anonymous donation, if not for anonymous communications, like I always say, you can’t have donations without communications.
I want to be clear, If you’re a government servant hoping to spill the beans on something like a charge sheet with my name on it, please don’t waste your time on well secured technologies like securedrop from the intercept, the guardian or the nearly 20 other online news sites that implement this whistle-blower tech. Even though it’s easy to securely leak information by following instructions on the secure drop website, I suggest to use normal e-mails instead.Preferably your government issued e-mail, that makes it easier
for us to track your ass down and put a hurt on you to engage the journalist you’re leaking to.
Please be vigilant in 2016, we don’t know what will occur, but I’m betting on more anonymous donations, and possibly a few more surveillance purchases (I hear VUPEN has a 2-for-1 special on iOS hacks).
Stay safe, and dahulukan rakyat.
From your ever loving Prime Minister,
Najib ‘Undilah Barisan Nasional’ Razak.
As you probably guessed, this e-mail is pure satire. Although I did try to sprinkle it with real cybersecurity advice. A lawyer friend of mine advised me to put in this caveat, although most other lawyers recommended I don’t post this at all. But what can I say….Merry Christmas and Happy New Year everyone.