The Malaysian Ministry of Education Data Breach

Ok, I’ve been pretty involved in the latest data breach, so here’s my side of the story.

At around 11pm last Friday, I got a query from Zurairi at The Malay Mail, asking for a second opinion on a strange email the newsdesk received from an ‘anonymous source’. The email was a regular vulnerability disclosure, but one that was full of details, with an enormous amount of data attached.

This wasn’t a two-liner tweet, this was a detailed email with outlined sub-sections. It covered why they were sending the email, what the vulnerable system was, how to exploit the vulnerability and finally (and most importantly!) a link to a Google Drive folder containing Gigabytes of data.

The email pointed to a Ministry of Education site called SAPSNKRA, used by parents to check on their children’s exam results. Quick Google searches reveal the site had security issues in the past, including one blog site advising parents to proceed past the invalid certificate warning in Firefox. But let’s get back to the breach.

My first reaction was to test the vulnerability, and sure enough, the site was vulnerable to SQL Injection, in exactly the manner specified by the email. So far the email looked legitimate.

Next, I verified the data in the Google Drive folder, by downloading the gigabytes of text files, and checking the IC Numbers of children I knew.

I further cross-checked a few parents’ IC numbers against the electoral roll. Most children have some indicator of their father’s name embedded in their own, either through a surname or the full name of the father after the bin, binti, a/l or a/p. By keying in the father’s IC number, and cross-referencing the father’s name against what was in the breach, it was easy to see that the data was the real deal.

So I called back Zurairi and confirmed to him that the data was real, and that the site should be taken offline. I also contacted a buddy of mine over at MKN, to see if he could help, and Zurairi had independently raised a ticket with MyCert (a ticket??!!) and tried to contact the Education Minister via his aide.

Obviously neither Zurairi nor myself, nor any of the other journalists I kept in touch with, could report on the story. The site was still vulnerable, and we didn’t want someone else breaching it.

The next morning, I emailed the anonymous source and asked them to take down the Google Drive, explaining that the breach was confirmed, and people were working to take down the site. Hence there was no reason to continue exposing all of that personal information on the internet.

They agreed, and wiped the drive clean, and shortly after I got confirmation that the SAPSNKRA website had been taken down. So with the site down, and the Google Drive wiped clean, it seemed the worst was behind us.

Danger averted…at least for now.

But, since data breaches last forever, and this was a breach, we should talk about what data was in the system. Zurairi did a good job here, but here’s my more detailed take on the issue.

3 times GovTLS helped fix government websites

A couple of months back I started GovTLSAudit, a simple service that would scan .gov.my domains and report on their implementation of TLS. But the service seems to have benefits above and beyond that, specifically around having a list of government sites that we can use to cross-check against other intel sources like Shodan (which we already do daily) and VirusTotal.

So here’s 3 times GovTLSAudit helped secure government websites.

That time Yayasan Islam Terengganu was used as a phishing website

I used VirusTotal’s search engine to see if they had extra .gov.my domains to scan, and found a few rather suspicious looking URLs including:

paypal-security-wmid0f4-110ll-pp16.yit.gov.my
appleid.corn-security2016wmid7780f4-110ll-16.yit.gov.my
paypal-security-wmid7110f4-110ll-pp16.yit.gov.my

This was an obvious phishing campaign being run out of a .gov.my domain. Digging further, I found that the IP address the malicious URLs resolved to was local, and belonged to Exabytes. And while the root page was a bare Apache directory listing, buried deep within the site’s sub-directories was a redirect that pointed to a Russian IP.

I took to Twitter to report my findings — I kinda like Twitter for this — and the very next day Exabytes came back with a follow-up that they were fixing it. That’s good, because having a phishing campaign run on .gov.my infrastructure isn’t exactly what you’d like.

There’s a lot more detail in the tweet about how I investigated this — click here to follow the thread. A warning though: I regularly delete my old tweets, so get it while it’s there :).
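The cross-check above (pull every hostname a passive source like VirusTotal knows under a government domain, then spot the ones that look like brand-impersonation lures) is easy to automate. The following is an added example, not code from the original post or from GovTLSAudit; the brand list, lure words, look-alike table, scoring weights and sample hostnames are assumptions constructed for the example, and the three phishing hostnames are the ones quoted above.

```python
"""Triage of subdomains found under a trusted parent domain.

Added example (not code from the original post or from GovTLSAudit): given
hostnames pulled from a passive-DNS or VirusTotal search for a parent domain,
score each subdomain for brand-impersonation traits like those seen on
yit.gov.my. The brand list, lure words, look-alike table, scoring weights and
sample hostnames below are all assumptions constructed for this example.
"""
import re

# Brands commonly impersonated in credential-phishing lures (assumed list).
BRANDS = ("paypal", "appleid", "apple", "microsoft", "netflix", "amazon")
# Words that make a hostname read like a login/verification page (assumed list).
LURE_WORDS = ("security", "secure", "login", "signin", "verify", "update", "wmid")
# Look-alike substrings: "corn" renders like "com" in many sans-serif fonts.
LOOKALIKES = {"corn": "com", "rnicrosoft": "microsoft", "paypa1": "paypal"}


def score_subdomain(hostname: str, parent: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one hostname under `parent`.

    Hostnames not under `parent` score 0 so callers can pass raw search
    results without pre-filtering.
    """
    host = hostname.strip().lower().rstrip(".")
    if host == parent or not host.endswith("." + parent):
        return 0, []
    reasons: list[str] = []
    score = 0
    for label in host[: -(len(parent) + 1)].split("."):
        brand = next((b for b in BRANDS if b in label), None)
        if brand:                      # strongest signal: a brand name
            reasons.append(f"brand:{brand}")
            score += 3
        for fake, real in LOOKALIKES.items():
            if fake in label:          # deliberate visual confusion
                reasons.append(f"lookalike:{fake}->{real}")
                score += 3
        for word in LURE_WORDS:
            if word in label:
                reasons.append(f"lure:{word}")
                score += 1
        if label.count("-") >= 3:      # long hyphenated junk labels
            reasons.append("many-hyphens")
            score += 1
        if re.search(r"\d", label) and len(label) >= 20:
            reasons.append("long-label-with-digits")
            score += 1
    return score, reasons


def triage(hostnames: list[str], parent: str, threshold: int = 3) -> dict[str, list[str]]:
    """Map each suspicious hostname to its reasons; benign hosts are omitted."""
    flagged = {}
    for h in hostnames:
        score, reasons = score_subdomain(h, parent)
        if score >= threshold:
            flagged[h] = reasons
    return flagged


# Constructed sample: the three hostnames quoted above plus benign-looking ones.
SAMPLE_HOSTS = [
    "paypal-security-wmid0f4-110ll-pp16.yit.gov.my",
    "appleid.corn-security2016wmid7780f4-110ll-16.yit.gov.my",
    "paypal-security-wmid7110f4-110ll-pp16.yit.gov.my",
    "www.yit.gov.my",
    "mail.yit.gov.my",
    "paypal.com",  # not under the parent: ignored, someone else's problem
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE_HOSTS, "yit.gov.my").items():
        print(host, "->", ", ".join(why))
```

The threshold of 3 means a single brand name or look-alike token is enough to flag a host on its own, while weaker traits (lure words, hyphen soup, long digit-laden labels) only flag when several stack up, which keeps ordinary hosts like www or mail out of the report.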


Look ma, Open Redirect on Astro

If you’ve come here from a link on twitter — you’d see that the address bar still says login.astro.com.my, but the site is rendering this page from my blog. If not, click this link to see what I mean. You’ll get something like this:

Somehow I’ve managed to serve content from my site on an astro domain. Rest assured, I haven’t ‘hacked’ astro servers and uploaded my page, but I’ve performed an equally sinister attack called open redirect.

While browsing online for some more info on the astro breach, I found this blogpost from Amirul Amir, detailing the open redirect vulnerability on astro’s website. The post is dated Nov 2016, yet the vulnerability still works — and even though Amirul laments that he informed Astro, they seem to have taken no action in more than a year.

You might be wondering what good is an open redirect vulnerability?

Well, an attacker might send you a phishing email, pretending to be Astro and asking you to update your info on their site, and they’ve even included a conveniently placed link for you to click. The link looks legitimate (it has login.astro.com.my in it), so you click it to find a legitimate looking site, with valid certificates to boot — so you enter your username and password.

But the site isn’t legitimate, it’s an attacker’s page (that looks exactly like Astro’s) rendered over the original website, leveraging the vulnerability (and some added JavaScript) — and now you’ve just given your username and password away.

The frustrating thing with open redirect is that all the techniques we educate people to use for detecting phishing sites don’t work in this case — because this is the ‘real’ site, that’s been compromised by open redirect. It has the correct domain, it even has the right certificates; the only way you’d know is if you actually look into the embedded JavaScript, but 99% of folks never do that.
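The root cause behind this class of bug is a login handler that copies a "return to" parameter straight into the redirect, so the attacker controls where the browser lands after the legitimate-looking hop. Below is an added example of the vulnerable pattern beside a hardened validator; it is not Astro’s code and not from Amirul’s write-up. The allow-list of hosts, the parameter name `redirect` and the sample attacker inputs are assumptions constructed for the example.

```python
"""Open-redirect validation for a login "return to" parameter.

Added example (not Astro's code or Amirul's write-up): the vulnerable pattern
is a handler that copies a request parameter straight into the Location
header; the hardened version only accepts same-site relative paths or absolute
URLs whose host is on an allow-list. The allow-list, parameter name and sample
inputs are assumptions constructed for this example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"login.astro.com.my", "www.astro.com.my"}  # assumed allow-list


def redirect_vulnerable(params: dict) -> str:
    """The bug: whatever the attacker put in ?redirect= becomes the Location."""
    return params.get("redirect", "/")


def safe_redirect_target(target: str, allowed_hosts: set, default: str = "/") -> str:
    """Return `target` only if it stays on an allowed host, else `default`."""
    if not target:
        return default
    t = target.strip()
    if any(ord(c) < 0x20 for c in t):           # CR/LF/tab: header-injection bait
        return default
    t = t.replace("\\", "/")                     # browsers treat "/\evil" as "//evil"
    if t.startswith("//"):                       # protocol-relative -> off-site
        return default
    parts = urlsplit(t)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default                           # javascript:, data:, etc.
    if parts.netloc:
        # .hostname strips userinfo and port, so
        # "https://login.astro.com.my@evil.example" yields "evil.example"
        if (parts.hostname or "") not in allowed_hosts:
            return default
        return t
    if parts.scheme:                             # "http:evil.example" has no netloc
        return default
    if not t.startswith("/"):                    # bare "evil.example" is ambiguous
        return default
    return t


def redirect_hardened(params: dict) -> str:
    """Same handler with the parameter validated before it reaches Location."""
    return safe_redirect_target(params.get("redirect", ""), ALLOWED_HOSTS)


if __name__ == "__main__":
    # Constructed attacker-controlled values.
    for value in ["/account", "https://www.astro.com.my/deals",
                  "https://evil.example/phish", "//evil.example",
                  "/\\evil.example", "https://login.astro.com.my.evil.example/",
                  "https://login.astro.com.my@evil.example/", "javascript:alert(1)"]:
        print(f"{value!r:48} vulnerable={redirect_vulnerable({'redirect': value})!r:44} "
              f"hardened={redirect_hardened({'redirect': value})!r}")
```

Two details matter in practice: substring checks on the host (is "astro.com.my" in the URL?) are exactly what the `login.astro.com.my.evil.example` and `login.astro.com.my@evil.example` inputs defeat, which is why the validator compares the parsed hostname against an exact allow-list; and the backslash and `//` cases are rejected before parsing because browsers normalise them into an off-site protocol-relative URL.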

So for a company like Astro to be sitting on this vulnerability for more than a year is not acceptable.

Just more bad news for their already shitty response to the original data breach.

Shout out to Amirul who blogs over at kaizen1996.wordpress.com, although it looks like he stopped blogging in 2016; a pity, because he had good content.

The Astro Data Breach

I previously wrote about how data breaches are like diamonds:

  • They’re not as rare as you think
  • They’re worth far more to you than to a thief
  • They last forever

And the recent debacle over the Astro data breach epitomizes all of these characteristics.

First off, Lowyat has already reported 3 big data breaches (at least by my count), and rest assured these won’t be the last. Data breaches will continue to happen, and just like diamonds, they’re not as rare as people think they are — they happen all the time, get used to it.

Secondly, the Astro breach is reportedly being sold for 30-45 cents per record. Almost any victim would be willing to pay 100 times more to keep that data private, yet on the ‘market’ these things sell for pennies. Honestly, I’d be surprised if anyone paid the sticker price on this, because even 30 cents per record sounds high to me.

Finally, (and most importantly), data breaches are forever!

It’s like peeing in the pool: once you do it, there’s no reversing the process. There is no such thing as ‘un-breaching’. Astro (and Lowyat) thought that the breach was “contained” when the links were taken down — but there is no containing data breaches.

If there were a way to contain digital data on the internet, illegal downloaders wouldn’t be an issue!

Once a breach happens, we expect the authorities and data owners to try to limit the damage inflicted on victims. Part of that is trying to ‘contain’ the breach — but most of it is simply informing the victims with specific details of what data of theirs was breached.

It gives victims visibility of what data was lost, and allows them to take at least some measures to protect themselves.

Sure, Astro lodged a police report and roped in MCMC, but what’s the point of telling the regulator if the regulator won’t inform the customers it is duty bound to protect?