Here’s one thing that’s already changed post GE14

In 2015, I was invited to a variety program on Astro to talk about cybersecurity.

This was just after Malaysian Airlines (MAS) had their DNS hijacked, but I was specifically told by the producer that I could NOT talk about the MAS hack, because MAS was a government linked company, and they couldn’t talk bad about GLCs.

Then half-way through the interview they asked me about government intervention, and I said something to the effect of “Governments are part of the problem and should refrain from censoring the internet”, that sound-bite never made it to TV because it was censored.

This was some stupid variety show called VBuzz, on a Tamil TV channel (of all places), tucked away in the Astro labyrinth of channels, and even then they were absolutely piss scared of being critical of anything even remotely close to the government. My statement wasn’t even directed at the Malaysian government, it was directed at government intervention in general, but alas, they feared too much and censored it out.

To be fair, I’m 100% certain the station would not have been in any trouble if they just broadcasted all of what I said (I’ve been more critical on other mediums like the blog and radio), but the producers chose to err on the side of caution.

When I asked why it was censored, they said it was because of the ‘law’. When I pressed her to give the actual law in question, and her response (quite nonchalantly) was that it was an un-written law!

Then…GE14 happened and….

Two days ago, on Astro Awani (LIVE!!), a commentator openly criticized directly the SPR commissioner, a Government Agency….and Astro didn’t censor now. Far more critical than what I said, and Far worse, but somehow magically the media found their spine that day.

It’s now a viral clip of how press freedom actually looks like, and hopefully this refreshing change will permeate through all of Malaysian media.

Gov TLS Audit : Architecture

Last Month, I embarked on a new project called GovTLS Audit, a simple(ish) program that would scan 1000+ government websites to check for their TLS implementation. The code would go through a list of hostnames, and scan each host for TLS implementation details like redirection properties, certificate details, http headers, even stiching together Shodan results into a single comprehensive data record. That record would inserted into a DynamoDB, and exposed via a rest endpoint.

Initially I ran the scans manually Sunday night, and then uploaded the output files to S3 Buckets, and ran the scripts to insert them into the DB.

But 2 weeks ago, I decided to Automate the Process, and the architecture of this simple project is complete(ish!). Nothing is ever complete, but this is a good checkpoint, for me to begin documenting the architecture of GovTLS Audit (sometimes called siteaudit), and for me to share.

What is GovTLS Audit

First let’s talk about what GovTLS Audit is — it’s a Python Script that scans a list of sites on the internet, and stores the results in 3 different files, a CSV file (for human consumption), a JSONL file (for insertion into DynamoDB) and a JSON file (for other programmatic access).

A different script then reads in the JSONL file and loads each row into database (DynamoDB), and then uploads the 3 files as one zip to an S3 bucket.

On the ‘server-side’ there are 3 lambda functions, all connected to an API Gateway Endpoint Resource.

  • One that Queries the latest details for a site [/siteDetails]
  • One that Queries the historical summaries for the site [/siteHistory]
  • One that List all scan (zip files) in the S3 Bucket [/listScans]

Finally there’s a separate S3 bucket to serve the ‘website’, but that’s just a simple html file with some javascript to list all scan files available for download. In the End, it looks something like this (click to enlarge):


Continue reading

Gov.My TLS audit: Version 2.0

Last week I launched a draft of the Gov.my Audit, and this week we have version 2.0

Here’s what changed:

  1. Added More Sites. We now scan a total of 1324 government websites, up from just 1180.
  2. Added Shodan Results. Results includes both the open ports and time of the Shodan scan (scary shit!)
  3. Added Site Title. Results now include the HTML title to give a better description of the site (hopefully!).
  4. Added Form Fields. If the page on the root directory has an input form, the names of the fields will appear in the results. This allows for a quick glance at which sites have forms, and (roughly!) what the form ask for (search vs. IC Numbers).
  5. Added Domain in the CSV. The CSV is sorted by hostname, to allow for grouping by domain names (e.g. view all sites from selangor.gov.my or perlis.gov.my)
  6. Added an API. Now you can query the API can get more info on the site, including the cert info and HTTP headers.
  7. Released the Serverless.yml files for you to build the API yourself as well 🙂

All in all, it’s a pretty bad-ass project (if I do say so myself). So let’s take all that one at a time.

Continue reading

Sayakenahack: Epilogue

I keep this blog to help me think, and over the past week, the only thing I’ve been thinking about, was sayakenahack.

I’ve declined a dozen interviews, partly because I was afraid to talk about it, and partly because my thoughts weren’t in the right place. I needed time to re-group, re-think, and ponder.

This blog post is the outcome of that ‘reflective’ period.

The PR folks tell me to strike while the iron is hot, but you know — biar lambat asal selamat.

Why I started sayakenahack?

I’m one part geek and one part engineer. I see a problem and my mind races to build a solution. Building sayakenahack, while difficult, and sometimes frustrating, was super-duper fun. I don’t regret it for a moment, regardless of the sleepless nights it has caused me.

But that’s not the only reason.

I also built it to give Malaysians a chance to check whether they’ve been breached. I believe this is your right, and no one should withhold it from you. I also know that most Malaysians have no chance of ever checking the breach data themselves because they lack the necessary skills.

I know this, because 400,000 users have visited my post on “How to change your Unifi Password“.

400,000!!!

If they need my help to change a Wifi password, they’ve got no chance of finding the hacker forums, downloading the data, fixing the corrupted zip, and then searching for their details in file that is 10 million rows long — and no, Excel won’t fit 10mln rows.

So for at least 400,000 Malaysians, most of whom would have had their data leaked, there would have been zero chance of them ever finding out. ZERO!

The ‘normal’ world is highly tech-illiterate (I’ve even talked about it on BFM).  Sayakenahack was my attempt to make this accessible to common folks. To deny them this right of checking their data is just wrong.

But why tell them at all if there’s nothing they can do about it? You can’t put the genie back in the lamp. Continue reading

Why does SayaKenaHack have dummy data?

Why does sayakenahack have dummy data? If I enter “123456” and “112233445566” I still get results.

I was struggling with answering this question, as some folks have used it to ‘prove’ that I was a phisher. We’ll get to that later, for now I hope to answer why these ‘fake’ IC numbers exist in the sayakenahack.

Firstly, I couldn’t find a good enough way to validate IC numbers as I was inserting them into the database. Most of you think that IC numbers follow a pre-define pattern :

  • 6-digit birthday (yymmdd format)
  • 2-digit state code
  • 4-digit personal identifier, where the last digit is odd for men, and even for women.

But, there are still folks with old IC numbers, and the army have their own format. Not to mention that the IC Number field  can be populated by passport numbers (for foreigners) and Company registration IDs. So instead of cracking my head on how to validate IC numbers, I decided to pass them all in.

The only ‘transformation’ I do is to strip them of all non-AlphaNumeric characters and uppercasing any letters in the result. This would standardize the IC numbers in the database, regardless of source file format.

Had I done some validation, I might have removed these dummy entries — but fortunately I didn’t.

Upon further analyzing the data, I went back to the original source files and notice something strange, the account numbers belonged to some strange names. And then it made sense — this was Test data.

Test data in a Production Environment to be exact.

And when the Database for the telco was dumped, the telco’s didn’t remove these test accounts from their system. So what we have is a bunch of dummy accounts, with dummy IC numbers. Continue reading

SayaKenaHack.com

On the 19th of October, Lowyat.net reported that a user was selling the personal data of MILLIONS of Malaysians on their forum. Shortly after, the article was taken down on the request of the MCMC, only to put up again, a couple of days later.

Lowyat later reported that a total of 46.2 Million phone numbers were exposed,  and the data included IC numbers, Addresses, IMSI, IMEI and SIM numbers as well. In short, a lot of data from a lot of people.

So Malaysia joined the ranks of The Phillipines, Turkey and South Africa to have data on their entire population leaked on the internet. [Spoiler alert: This is not a good thing]

Where can I check?

You can head over to a site I created: sayakenahack.com to check if you’re part of the breach. So far I’ve loaded data from Maxis, Digi, Celcom and UMobile onto the site. I’ll be adding the smaller telcos later this week (stay tuned).

Medical council, etc…I’m still debating whether I should put that in. Maybe some doctors don’t want to be identified as doctors, so that data stays out for now.

Waah… That means you downloaded illegal data?

Technically yes, the data might be illegal. But any geek can find it online, it’s a google search away.

I’m just making the data available to the ‘normals’, people who don’t look around in hacker forums.

Plus all data is masked, so only the first 4 and last 2 digits of the phone number is available. Which is almost as good as the masking of credit card numbers on your printed receipts.

I also don’t publish any names or addresses. If you’re unhappy with this, you should be unhappy with the Election Commission website that publishes your name in FULL on their website upon entering just an IC number. Similar to PTPTN etc.

Did you pay for the Data?

No. Contrary to what’s being reported the data is available for FREE online. Even the ‘hacker’ who was selling it on Lowyat was basically a re-seller.

I did not pay for the data, I would never validate the business case of reselling stolen data.

If I search for my IC, will you log my data?

No.

In technical terms, I’ve switched of logging for my API Gateway, CloudFront & Lambda.

If I wanted your data — I wouldn’t need you to search for you. I already have it.

OMG I’m breached !!! What can I do?

Unfortunately, there’s little you can do.

Your IC number is a permanent fixture of your life –and can’t be changed. This is bad design, but it’s the design we have at the moment.

If you lose your Phone Number, Credit Card details or E-mail address, you’d still have some form of mitigating the damage. But if someone gets your IC number, you can’t go to the NRD and get them to issue you a new one.

To be fair IC numbers (in their modern form) are at least 25 years old, so I’m not blaming anyone — but the reality is that we should either stop using IC numbers so extensively , or find some way to make them mutable. Not and easy task, but until that happens the damage of this leak will continue… in perpetuity.

Now onto the good news!

The leak is from 2014, so the chances of you having the same phone is minuscule. I know of only one person whose phone is older than 3 years old, everybody else has changed their phone. So IMEI numbers (which are tied to your phones) from 2014 are pretty useless.

IMSI and SIM are almost the same as well. Over the past 3 years, I’m almost certain a large percentage of the victims (50-80%) would have their sim cards swapped — primarily from buying a new phone that required a micro or nano sim or from porting telcos, or just losing their phones.

What’s not so good is the fact that most people still keep their Name, Address and Phone Number. So those are the top 3 (4 if you count IC Numbers) data elements in the breach, and unfortunately their almost all there.

Where did the data come from?

Well……

The breach includes not just Telco data but Jobstreet and various other sources as well. Let’s just focus on Telco because that’s the big one.

There’s only 2 possibilities on where the telco data came from:

  • Someone hacked into individuals telcos and took it; or
  • Someone hacked a central source with all the data

Now, consider that all Telco’s are in this breach — including Altel, PLDT, Redtone, etc. Which self-respecting hacker, with the skills to hack Maxis, Digi and Celcom, is going to waste time on Altel? Really?!

Consider also, that if you downloaded the data, (which I obviously have), it’s clear as day where the leak came from. It’s so clear, Stevie Wonder can see where the data was leaked from.

I’m hoping over the next few days somebody somewhere will make an announcement.

In the mean-time stay safe Malaysia.

End notes and Special Thanks

Thanks to Bin Hong for alerting me that I had a few logs on the GitHub repository. I’ve torn down the old repo and created a new one.

Thanks to Ang YC for letting me know I gave too much info to folks.

Thanks to **rax***n for sharing the data on the *ahem* site.

Thanks to Ridhwan Daud for correcting my API spelling. (it’s case sensitive).

All data available on sayakenahack.com is available somewhere on the web. I’m just making sure that it’s not just geeks/hackers who have this data, but the average citizen can also be informed if they’re part of the leak.

I’m especially proud of the architecture underlying sayakenahack. It’s completely serverless, and I’ll make a post about it soon. But learning DynamoDB and about a gazillion AWS services to deploy this was both fun and tiring.

For now, you can build your own version of sayakenahack with the data, by using the api at:

https://sayakenahack.com/api/v1/pwn?icNum=12345

I’ve changed the API many times. I promised this version is stable for the next 3 months.

The api is CORS enabled, so you can call it with javascript on your browser. There’s only one endpoint for now, I’ll documenting the API and will publish some documentation soon.

I spent a good 40+ hours building all of this, the code is mostly available on my GIT repository. Couple of elements aren’t there (lambda function to query DynamoDB) — but I’ll upload that when time permits.

Cyberwar assessment of Malaysia vs. DPRK

Would North Korea ever declare war on Malaysia?

Probably not.

But nothing is predictable when you’re dealing with a erratic despot who killed his own uncle with an anti-aircraft gun.

Realistically though, few nations have the resources and political will, to launch a war, half-way across the world. And neither Malaysia nor North Korea are one of those ‘few’ nations. But what if, instead of moving armies we just moved malicious code? What if we fought a cyberwar with the North Koreans, how would it look like, and could we win? Let’s find out.

Cyber is new domain of war

Cyber is a new domain of warfare, and this domains involves new ways of thinking and paradigm shifts. In the 18th and 19th century, the most powerful nation on earth, Great Britain had the worlds greatest Navy, and that allowed the empire to control the trade that flowed through the seas, and protect the island nation. Strategically Britain’s Navy was essential to the protection of Britain, and the projection of its power around the world.

As we move from trading over the seas to trading over network cables, the parallels of having a Cyber-Navy become more apparent by the day. After all, the data that pass through our networks have an inherent value above and beyond the physical goods they may represent.

Let’s say you’re buying a new laptop online, you enter your password into the online shopping portal, and then inevitably your credit card details. Your password and card information has value, inherent to itself, regardless of the laptop the transaction represents. We still ship physical goods via sea-lanes and air-freight, but the data transversing the internet has tradeable value.

More apparent when you consider that the vast majority of ‘money’ is traded in digital form, over the internet. Just ask the Bangladesh Central Bank, that lost millions of dollars (which could have been Billions) to hackers who infiltrated their network, and issued electronic instructions to wire money.

But there are things far more important than money.

In today’s world of ‘fake news’ and election tampering, it could be argued that having a Cyber Army is a necessity not just to protect trade and finance, but the very core of a country’s democracy.

And there we see the first issue with Cyber defense of critical infrastructure–is it a civil or military function?

Private companies in any country run their own security guards, banks hire private firms to protect the cash in the safe. If a bank gets robbed, the manager calls the police, and the entire apparatus is a civilian function. But a private company in Malaysia (or anywhere else) isn’t worried about military attack. After all, armies don’t attack banks or companies don’t they?

On the internet, everyone is fair game.

Strong evidence suggest that state sponsored actors have attacked banks, stolen secrets from chemical companies, even attacked Facebook. In a non-cyber world, having an army attack civilian infrastructure in peace-time would be insane! But that is the norm on the internet.

So whose job is it to protect civilian infrastructure from military attack during peace time?

The Americans have drawn clear delineation, that the Department of Homeland Security (DHS) protects civilian government infrastructure (and helps private companies when called upon), while US Cyber Command protects the Military infrastructure. Malaysia (and most other countries) have no such delineation–and the problem is that governments get hacked all the time, even ours, and it’s unclear to me which Malaysian government agency is actually responsible for the security of our infra.

But before we evaluate our defensive capabilities, let’s evaluate the North Korean defense. Continue reading

Relax dear-citizen your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear, Banks are only mandated to issue new Pin cards (replacing the signature cards you had before), but are taking the opportunity to also embed contactless capabilities into them as well. After all they’re already issuing new cards to every (single!) card holder, might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economical. Research suggest that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transactions, the more transactions at higher amounts, the more money they stand to make. So if an extra dollar worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And conveniences trade-off security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless cards?

For one thing, no more waiting for a receipt printout to sign on, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey I shrunk the kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade offs are you making for this remarkable feature? Continue reading

Two years on, teaching coding in schools declared a success

teach-codingKLANG: Two years on, the the pilot initiative to teach coding and digital security as an SPM subject has been touted as a resounding success, and the government is mulling a move to make it compulsory by 2020.

The announcement shocked parents, as out of 10,000 students who took part in the pilot program, only 10 had scored an A while the rest had failed with a grade of F.

Education Minister, Dato’ Seri Java, said that this reflects the current IT market, where out of 10,000 security consultants, only 10 will ever give you good advice.

“We benchmarked against the industry, and set the grading curve accordingly, so only a 10 students getting an A was the intention!! We can’t have cases where students just memorize a textbook and then score an A, this is not History or Geography, this is an important subject” he said, while further mocking drama and English literature under his breath.

Deputy Director of Education, Perl Ramachandran further added that instead of focusing on the 9,990 students who failed, the public should instead focus on the ‘A’ students who showed exemplary work and are were ‘bright spots’ in the dark abyss which is the Malaysian education system.

One such exemplary student was 17-year old lass Siti Pintu bt. Belakang, she had managed to install a backdoor into the MOE exam system and downloaded the question paper days before the exam. A backdoor is an application that allows an attacker unfettered access to the compromised system, and Siti managed to code one from scratch specifically for this purpose.

Already Russian cyber-criminal organizations are offering her scholarships to prestigious universities, Perl further added.

Then there Godam a/l Rajakumar, who instead of stealing exam papers, simply hacked into the MOE grading system and gave himself a ‘A’. Continue reading

The Internet is slow because of illegal downloads

Let’s start with the quote that set off the rage in my heart—

“You can see today that our Internet is slow. Not because it itself is slow but because a lot of people are using it,” he said

The government agency chief blamed this on illegal downloads hogging Internet bandwidth here, adding that this does not happen in countries like Germany due to stricter enforcement.

“In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government. The government has created proper Internet highways but we don’t know how to use it. Millions have been spent on this by the government,” he explained.

So apparently, Datuk Ibrahim Saad, the  National Civics Bureau (BTN) chief  thinks that the internet is slow in Malaysia (it’s not that slow), because illegal downloads are hogging up the pipelines.

Let’s start with his first sentence, an substitute the word ‘internet’ with the name of any Malaysian highway you choose, personally I like to use the LDP:

You can see today that our LDP is slow. Not because it itself is slow but because a lot of people are using it

Hmmm, I guess in his infinite wisdom that makes sense to the BTN chief, but to me that just sounds like the highway wasn’t built properly.

Let’s go to the 2nd statement:

In Germany, the Internet is fast because if you download illegally, you will be charged by the authorities.

“You can’t download illegal movies, songs and pictures there, you need to pay but we here, anything also we download illegally right up to the pictures of our grandfathers.

“That is why the Internet highway is slow but we blame the government

Now we come to the crux of the issue. If Malaysians weren’t illegally downloading, they’d have faster internet.

Here’s 4 reasons why he’s wrong. Continue reading