Gov TLS Audit : Architecture

Last Month, I embarked on a new project called GovTLS Audit, a simple(ish) program that would scan 1000+ government websites to check for their TLS implementation. The code would go through a list of hostnames, and scan each host for TLS implementation details like redirection properties, certificate details, http headers, even stiching together Shodan results into a single comprehensive data record. That record would inserted into a DynamoDB, and exposed via a rest endpoint.

Initially I ran the scans manually Sunday night, and then uploaded the output files to S3 Buckets, and ran the scripts to insert them into the DB.

But 2 weeks ago, I decided to Automate the Process, and the architecture of this simple project is complete(ish!). Nothing is ever complete, but this is a good checkpoint, for me to begin documenting the architecture of GovTLS Audit (sometimes called siteaudit), and for me to share.

What is GovTLS Audit

First let’s talk about what GovTLS Audit is — it’s a Python Script that scans a list of sites on the internet, and stores the results in 3 different files, a CSV file (for human consumption), a JSONL file (for insertion into DynamoDB) and a JSON file (for other programmatic access).

A different script then reads in the JSONL file and loads each row into database (DynamoDB), and then uploads the 3 files as one zip to an S3 bucket.

On the ‘server-side’ there are 3 lambda functions, all connected to an API Gateway Endpoint Resource.

  • One that Queries the latest details for a site [/siteDetails]
  • One that Queries the historical summaries for the site [/siteHistory]
  • One that List all scan (zip files) in the S3 Bucket [/listScans]

Finally there’s a separate S3 bucket to serve the ‘website’, but that’s just a simple html file with some javascript to list all scan files available for download. In the End, it looks something like this (click to enlarge):


Continue reading

Gov.My TLS audit: Version 2.0

Last week I launched a draft of the Gov.my Audit, and this week we have version 2.0

Here’s what changed:

  1. Added More Sites. We now scan a total of 1324 government websites, up from just 1180.
  2. Added Shodan Results. Results includes both the open ports and time of the Shodan scan (scary shit!)
  3. Added Site Title. Results now include the HTML title to give a better description of the site (hopefully!).
  4. Added Form Fields. If the page on the root directory has an input form, the names of the fields will appear in the results. This allows for a quick glance at which sites have forms, and (roughly!) what the form ask for (search vs. IC Numbers).
  5. Added Domain in the CSV. The CSV is sorted by hostname, to allow for grouping by domain names (e.g. view all sites from selangor.gov.my or perlis.gov.my)
  6. Added an API. Now you can query the API can get more info on the site, including the cert info and HTTP headers.
  7. Released the Serverless.yml files for you to build the API yourself as well ūüôā

All in all, it’s a pretty bad-ass project (if I do say so myself). So let’s take all that one at a time.

Continue reading

Sayakenahack: Epilogue

I keep this blog to help me think, and over the past week, the only thing I’ve been thinking about, was sayakenahack.

I’ve declined a dozen interviews, partly because I was afraid to talk about it, and partly because my thoughts weren’t in the right place. I needed time to re-group, re-think, and ponder.

This blog post is the outcome of that ‘reflective’ period.

The PR folks tell me to strike while the iron is hot, but you know — biar lambat asal selamat.

Why I started sayakenahack?

I’m one part geek and one part engineer. I see a problem and my mind races to build a solution. Building sayakenahack, while difficult, and sometimes frustrating, was super-duper fun. I don’t regret it for a moment, regardless of the sleepless nights it has caused me.

But that’s not the only reason.

I also built it to give Malaysians a chance to check whether they’ve been breached. I believe this is your right, and no one should withhold it from you. I also know that most Malaysians have no chance of ever checking the breach data themselves because they lack the necessary skills.

I know this, because 400,000 users have visited my post on “How to change your Unifi Password“.

400,000!!!

If they need my help to change a Wifi password, they’ve got no chance of finding the hacker forums, downloading the data, fixing the corrupted zip, and then searching for their details in file that is 10 million rows long — and no, Excel won’t fit 10mln rows.

So for at least 400,000 Malaysians, most of whom would have had their data leaked, there would have been zero chance of them ever finding out. ZERO!

The ‘normal’ world is highly tech-illiterate (I’ve even talked about it on BFM).¬† Sayakenahack was my attempt to make this accessible to common folks. To deny them this right of checking their data is just wrong.

But why tell them at all if there’s nothing they can do about it? You can’t put the genie back in the lamp. Continue reading

SayaKenaHack.com

On the 19th of October, Lowyat.net reported that a user was selling the personal data of MILLIONS of Malaysians on their forum. Shortly after, the article was taken down on the request of the MCMC, only to put up again, a couple of days later.

Lowyat later reported that a total of 46.2 Million phone numbers were exposed,  and the data included IC numbers, Addresses, IMSI, IMEI and SIM numbers as well. In short, a lot of data from a lot of people.

So Malaysia joined the ranks of The Phillipines, Turkey and South Africa to have data on their entire population leaked on the internet. [Spoiler alert: This is not a good thing]

Where can I check?

You can head over to a site I created: sayakenahack.com to check if you’re part of the breach. So far I’ve loaded data from Maxis, Digi, Celcom and UMobile onto the site. I’ll be adding the smaller telcos later this week (stay tuned).

Medical council, etc…I’m still debating whether I should put that in. Maybe some doctors don’t want to be identified as doctors, so that data stays out for now.

Waah… That means you downloaded illegal data?

Technically yes, the data might be illegal. But any geek can find it online, it’s a google search away.

I’m just making the data available to the ‘normals’, people who don’t look around in hacker forums.

Plus all data is masked, so only the first 4 and last 2 digits of the phone number is available. Which is almost as good as the masking of credit card numbers on your printed receipts.

I also don’t publish any names or addresses. If you’re unhappy with this, you should be unhappy with the Election Commission website that publishes your name in FULL on their website upon entering just an IC number. Similar to PTPTN etc.

Did you pay for the Data?

No. Contrary to what’s being reported the data is available for FREE online. Even the ‘hacker’ who was selling it on Lowyat was basically a re-seller.

I did not pay for the data, I would never validate the business case of reselling stolen data.

If I search for my IC, will you log my data?

No.

In technical terms, I’ve switched of logging for my API Gateway, CloudFront & Lambda.

If I wanted your data — I wouldn’t need you to search for you. I already have it.

OMG I’m breached !!! What can I do?

Unfortunately, there’s little you can do.

Your IC number is a permanent fixture of your life –and can’t be changed. This is bad design, but it’s the design we have at the moment.

If you lose your Phone Number, Credit Card details or E-mail address, you’d still have some form of mitigating the damage. But if someone gets your IC number, you can’t go to the NRD and get them to issue you a new one.

To be fair IC numbers (in their modern form) are at least 25 years old, so I’m not blaming anyone — but the reality is that we should either stop using IC numbers so extensively , or find some way to make them mutable. Not and easy task, but until that happens the damage of this leak will continue… in perpetuity.

Now onto the good news!

The leak is from 2014, so the chances of you having the same phone is minuscule. I know of only one person whose phone is older than 3 years old, everybody else has changed their phone. So IMEI numbers (which are tied to your phones) from 2014 are pretty useless.

IMSI and SIM are almost the same as well. Over the past 3 years, I’m almost certain a large percentage of the victims (50-80%) would have their sim cards swapped — primarily from buying a new phone that required a micro or nano sim or from porting telcos, or just losing their phones.

What’s not so good is the fact that most people still keep their Name, Address and Phone Number. So those are the top 3 (4 if you count IC Numbers) data elements in the breach, and unfortunately their almost all there.

Where did the data come from?

Well……

The breach includes not just Telco data but Jobstreet and various other sources as well. Let’s just focus on Telco because that’s the big one.

There’s only 2 possibilities on where the telco data came from:

  • Someone hacked into individuals telcos and took it; or
  • Someone hacked a central source with all the data

Now, consider that all Telco’s are in this breach — including Altel, PLDT, Redtone, etc. Which self-respecting hacker, with the skills to hack Maxis, Digi and Celcom, is going to waste time on Altel? Really?!

Consider also, that if you downloaded the data, (which I obviously have), it’s clear as day where the leak came from. It’s so clear, Stevie Wonder can see where the data was leaked from.

I’m hoping over the next few days somebody somewhere will make an announcement.

In the mean-time stay safe Malaysia.

End notes and Special Thanks

Thanks to Bin Hong for alerting me that I had a few logs on the GitHub repository. I’ve torn down the old repo and created a new one.

Thanks to Ang YC for letting me know I gave too much info to folks.

Thanks to **rax***n for sharing the data on the *ahem* site.

Thanks to Ridhwan Daud for correcting my API spelling. (it’s case sensitive).

All data available on sayakenahack.com is available somewhere on the web. I’m just making sure that it’s not just geeks/hackers who have this data, but the average citizen can also be informed if they’re part of the leak.

I’m especially proud of the architecture underlying sayakenahack. It’s completely serverless, and I’ll make a post about it soon. But learning DynamoDB and about a gazillion AWS services to deploy this was both fun and tiring.

For now, you can build your own version of sayakenahack with the data, by using the api at:

https://sayakenahack.com/api/v1/pwn?icNum=12345

I’ve changed the API many times. I promised this version is stable for the next 3 months.

The api is CORS enabled, so you can call it with javascript on your browser. There’s only one endpoint for now, I’ll documenting the API and will publish some documentation soon.

I spent a good 40+ hours building all of this, the code is mostly available on my GIT repository. Couple of elements aren’t there (lambda function to query DynamoDB) — but I’ll upload that when time permits.

Everything wrong with TalkingPoint’s “Cybersecurity” episode

Channel News Asia posted last week that hackers could steal your info by just knowing your phone number.

Woah!! Must be some uber NSA stuff right–but no, it was a couple of guys with Metasploit and they required a LOT more than ‘just’ the phone number.

The post was¬†an add-on to a current affairs show called Talking Point, that aired an episode last week about cybersecurity, which (like most mainstream media reporting)¬†had more than a few errors I’d like to address.

Problem 1: Cost of cybercrime — but no context

The show starts off, by highlighting that Cybercrime cost Singaporeans S$1.25bln, which might be true, but lacks context, or rather had the context removed.

Because the very report that estimated the cost, also mentioned that society was willing to tolerate malicious activity¬†that cost less than 2% of GDP, like Narcotics (0.9%) and even pilferage¬†(1.5%). S$1.25bln is less than 0.3%¬†of Singapore’s GDP, and is long way off the 2% threshold. Giving out big numbers without context gives readers the wrong impression.

So allow me to provide context on just how big that S$1.25bln is.

In 2010, Singapore’s retail¬†sector lost S$222 mln to shrinkage, a term used to describe the losses attributed to employee theft, shoplifting, administrative error, and others. Had we split the cost of cybercrime across different industry based on their percentage of overall GDP, the total losses for cybercrime on the retail sector in 2015 would be $225 mln–almost identical to what the sector lost to shrinkage….7 years ago!

Cybercrime is a problem, but not one that is wildly out of proportion to the other issues society is facing. Continue reading

Cyberwar assessment of Malaysia vs. DPRK

Would North Korea ever declare war on Malaysia?

Probably not.

But nothing is predictable when you’re dealing with a erratic despot who killed his own uncle with an anti-aircraft gun.

Realistically though, few nations have the resources and political will, to launch a war, half-way across the world. And neither Malaysia nor North Korea are one of those ‘few’ nations. But what if, instead of moving armies we just moved malicious code? What if we fought a cyberwar with the North Koreans, how would it look like, and could we win? Let’s find out.

Cyber is new domain of war

Cyber is a new domain of warfare, and this domains involves new ways of thinking and paradigm shifts. In the 18th and 19th century, the most powerful nation on earth, Great Britain had the worlds greatest Navy, and that allowed the empire to control the trade that flowed through the seas, and protect the island nation. Strategically Britain’s Navy was essential to the protection of Britain, and the projection of its power around the world.

As we move from trading over the seas to trading over network cables, the parallels of having a Cyber-Navy become more apparent by the day. After all, the data that pass through our networks have an inherent value above and beyond the physical goods they may represent.

Let’s say you’re buying a new laptop online, you enter your password into the online shopping portal, and then inevitably your credit card details. Your password and card information has value, inherent to itself, regardless of the laptop the transaction represents. We still ship physical goods via sea-lanes and air-freight, but the data transversing the internet has tradeable value.

More apparent when you consider that the vast majority of ‘money’ is traded in digital form, over the internet. Just ask the Bangladesh Central Bank, that lost millions of dollars (which could have been Billions) to hackers who infiltrated their network, and issued electronic instructions to wire money.

But there are things far more important than money.

In today’s world of ‘fake news’ and election tampering, it could be argued that having a Cyber Army is a necessity not just to protect trade and finance, but the very core of a country’s democracy.

And there we see the first issue with Cyber defense of critical infrastructure–is it a civil or military function?

Private companies in any country run their own security guards, banks hire private firms to protect the cash in the safe. If a bank gets robbed, the manager calls the police, and the entire apparatus is a civilian function. But a private company in Malaysia (or anywhere else) isn’t worried about military attack. After all, armies don’t attack banks or companies don’t they?

On the internet, everyone is fair game.

Strong evidence suggest that state sponsored actors have attacked banks, stolen secrets from chemical companies, even attacked Facebook. In a non-cyber world, having an army attack civilian infrastructure in peace-time would be insane! But that is the norm on the internet.

So whose job is it to protect civilian infrastructure from military attack during peace time?

The Americans have drawn clear delineation, that the Department of Homeland Security (DHS) protects civilian government infrastructure (and helps private companies when called upon), while US Cyber Command protects the Military infrastructure. Malaysia (and most other countries) have no such delineation–and the problem is that governments get hacked all the time, even ours, and it’s unclear to me which Malaysian government agency is actually responsible for the security of our infra.

But before we evaluate our defensive capabilities, let’s evaluate the North Korean defense. Continue reading

Writing a WordPress Restoration script

WordPress sites get hacked all the time, because¬†the typical WordPress blogger install 100’s of shitty plugins and rarely updates their site. On the one hand, it’s great that WordPress has empowered so many people to begin blogging without requiring the ‘hard’ technical skills, on the other it just gives criminals a large number of potential victims.

Two years ago, when I studied the details of phishing attacks that targeted Maybank and RHB,¬†I found that attackers use compromised WordPress sites to host their phishing content. They’d first hack into¬†a seemingly random WordPress¬†website, host their phishing content there, and then blast out emails to unsuspecting victims with links to pointing back to their hacked bounty. If the hack works they’d get free username and passwords, and if they were ever caught, most evidence would point to the unsuspecting WordPress site owner.

So if you have a WordPress site (like me), chances are you’re in the cross-hairs of hackers already, and securing your site is the responsible thing to do.

In general WordPress sites should be:

  • Updated Automatically
  • Use a minimal number of plugins
  • Use plugins only from reputable publishers
  • Use themes only from reputable publishers–and have only one theme in the install directory
  • Employ strong passwords for the admin & user
  • Have the permissions of the underlying folders set accordingly (i.e.CHMOD them all)

But even if you took all precautions to hardened your site, there’s always a possibility of it getting hacked. No security is perfect,¬†and you should look into backups–backup often and to a separate location. That way, a compromised site can be rebuilt,¬†even if it were defaced. The last thing you want is to lose your precious design and data, because some one installed a shitty plugin over the weekend.

Today, I’ll walk through a short bash script I wrote to backup (and restore) a WordPress installation from scratch. It took me quite a while to write this (partly because I have no experience with Bash scripts), but I thought it would be good to walkthrough the details of the script and what it does.

The full script is available on github here, and the usage instructions will be maintained there. The write-up below describes code the first production release, linked here, even though¬†I’ve since updated the scripts to include some modifications, and as we speak I’m just about the release version 1.2.

So here we go…

Special Thanks

The following 3 folks, were greatly influential in the writing of the script, listed in no particular order. No to mention, the wonderful folks at stackoverflow that helped tremendously as well.

Thanks to Andrea Fabrizi for the awesome DropboxUploader script
Thanks to Ben Kulbertis for the awesome Cloudflare update script
Thanks to Peteris.Rocks for inspiring me with his Unattended WordPress Installation script

Pre-Requisites

As a pre-requisite to all this, I made the following decisions.

The back ups would be stored in DropBox– Dropbox has free options (up to 2GB) and has versioning by default.All your backups are versioned and kept for 30 days (not just the latest upload, which gets destroyed if you’re hit by malware). Doing this on AWS requires extra work, which I wasn’t prepared to do, and AWS has no free tier for S3 storage.

Also, I use CloudFlare to maintain the DNS. It’s optional of course, but I needed a DNS provider that had an API, and they were¬†the logical choice. This allowed the script to update your DNS as well.

Finally, the script assumes a standard LAMP stack, i.e. Linux (specifically Ubuntu 16.04), Apache , MySql and PHP. PHP is enforced by WordPress itself so that’s fine.But the ‘trend’ these days is to have NGINX instead of Apache, and MariaDB instead of MySQL. I kept things in ‘classic’ mode for now, I may revisit in the future. Continue reading

So you got hit by Ransomware

Last Monday,¬†I got a text message¬†from my uncle saying his office computer was¬†hacked, and he¬†couldn’t access any of his files. Even without probing further, I already knew he’d been hit with ransomware and was now an unwitting victim in a criminal industry estimated to be worth¬†Billions of dollars.

After learning a bit more, I found out that the IT guys at the company backed up their data (which was good), but stored all backup files on the same computer (which was bad). I guess they kept it on a different hard-drive which mitigated the risk of hard-disk crashes, but didn’t effect any other type of risk. What if someone had broken into the office and stolen the whole computer? What if the Office was burnt to the ground or flooded? With all the backups on the same computer these risk would completely wipe out all their data–even if the files were stored in separate drives.

Ransomware is particularly interesting, the ‘industry’ has¬†experienced tremendous growth the last 2 years, and it’s now¬†the number one cyber-threat small business owners face. But before going into ways of addressing the threat, it’s important we understand¬†cyber-threats in general, and for that we need the CIA.

Confidentiality, Integrity and Availability (CIA)

No, not the spy agency, but the acronym that stands for Confidentiality, Integrity and Availability.The three pillars make up the InfoSec Triad, and a threat is something to affects any one of the them.

  • Confidentiality means keeping the data confidential only to authorized users
  • Integrity is assuring the accuracy and completeness of data and that it¬†hasn’t been tampered with
  • Availability refers to the ability to make it available on request

People often focus on Confidentiality, going all out on setting strong passwords, file encryption and firewalls to protect data for being siphoned out. But security threats, like Ransomware and DDOS attacks, do not affect the confidentiality or integrity of data–and the protections you put in place to help with confidentiality and integrity are useless against them.

File encryption, a necessary tool to protect  the confidentiality of your data, does not protect against ransomware attacks (you can still encrypt and encrypted file), and setting strong passwords does not protect your website from being hit by a DDOS.

There is no panacea in cyber security, only specific actions to address specific threats, and unless you’re addressing availability threats like ransomware and DDOS attacks, your general anti-virus is quite useless against it. So let’s breakdown the Ransomware threat and see how its evolved¬†to become the darling of cybercriminals everywhere. Continue reading

Relax dear-citizen your contactless card is relatively safe—ish

As Malaysia slowly (but surely) migrates to Chip and Pin, some banks have taken the opportunity to issue not just new Pin-enabled cards, but contactless-enabled ones as well.

To be clear,¬†Banks are only mandated to issue new Pin cards (replacing the signature cards you¬†had before),¬†but are taking the opportunity to also embed contactless capabilities into them as well. After all they’re already issuing new cards to every (single!) card holder, might as well get them on the contactless bandwagon while they’re at it.

The reason for being so gung-ho about contactless is purely economical. Research suggest that the easier payment methods become, the more money people are willing to spend. People with credit cards spend more than people with just cash, and 0% interest schemes have been a godsend¬†to retailers. Contactless payments, which don’t involve cumbersome Pins or signatures, are clearly the next evolutionary step, with one research paper suggesting they increase customer spending by nearly 10%.

Banks make money from small percentages per transactions, the more transactions at higher amounts, the more money they stand to make. So if an extra dollar worth of electronics in a contactless card increases revenue by 10%–why not?!

Pins are for security, Contactless is for convenience

But while PINs are a security feature, contactless is all about convenience. And conveniences trade-off security, so it stands to reason that contactless cards are less secure than regular ‘contact’ ones.

The question is whether that trade-off is worth the increase in convenience. After all, nothing is absolutely secure, and in today’s criminally infested internet, keeping your money under the mattress is safer than keeping it in a bank–but nobody does it because the mattress would be too inconvenient.

So what convenience are you getting with a contactless cards?

For one thing, no more waiting for a receipt printout to sign on, or bending down to an inconveniently placed pinpad to type in your PIN. Plus, for someone with gigantic fingers like me, I jump on the opportunity to avoid having to fidget with pinpads that must have been designed for dwarf children after they’ve been struck by the ray gun from Honey I shrunk the kids.

But that’s about it–the only convenience contactless cards provide is that you can do contactless payments–up to a specified amount.

The question now is what security trade offs are you making for this remarkable feature? Continue reading

Securing your StarHub Home Router

As with all new shiny equipment,  a newly installed router in your home requires a few things to be configured to properly secure it.

Goes without saying, that you should change your WiFi password the moment the technician leaves your home, but there are other things you’d need to configure in order to secure your router against common attacks.

Now remember, even if you follow all the advice on this post, there’s a strong chance that you’d still be hacked somewhere down the road–especially if you’re relying on a crappy consumer grade router, but taking these precautions raises your security level above the general population, giving you an edge over everybody else, and sometimes the difference between being hacked and staying safe could be one simple configuration on a router.

For this post, I’m going to use the standard Dlink 868L router that StarHub gave me when I signed-up for their 1Gbps package. While the post is specific, the general principles still apply to any router you own.

Step 1: Logon to the router

Goes without saying, all changes have to be made on the router itself. The good news is that all general purpose routers like the Dlink-868L come with a web interface, i.e. the router host a website on your network that you can use to change settings.

Fire up a browser like Chrome or Firefox (God forbid you’re on Internet Explorer), and point the address bar to http://192.168.0.1 and you ‘should’ come to the router homepage (image below). If not, try the other possible addresses, like http://192.168.1.1 or http://10.1.1.1, if none of those work, you’ll need to go to your ipconfig on your local windows client to determine the ‘gateway’ ip address of your router.

Once there, you’ll see the following screen. For most StarHub customers, just logon with the admin user and leave the password field blank–as in don’t enter anything for the password.

login-screen Continue reading