Wednesday, July 25, 2018

Singapore investor watchdog uncovers personal data breach from 2013; 70,000 members hit
Read more at https://www.channelnewsasia.com/news/singapore/singapore-investor-watchdog-sias-uncovers-personal-data-breach-10562884


Ricky Lim
"CSA noted that SIAS website has some vulnerabilities hackers could have exploited. We alerted SIAS about technical issues in their website design so that they can take the necessary safeguards."
--
Looks like the hackers can compromise web sites to steal data, such as by using:
(1) SQL injection - that can bypass web authentication and do an SQL search on the relational database to steal data.
(2) X-scripting - that can redirect users to a hacker web page and trick users into supplying their userid and password, and then steal them.
(3) Botnet capturing of userids

Thought WAF/IPS (Web Application Firewall, IPS) should be able to stop such web vulnerabilities.

Of course good web programming with strong validation should also stop such attacks.
Ricky Lim
A 5-year breach, and only now detected.
Must be that SIAS came on board the SOC CII under the Finance Sector, and then the SIEMs detected that a breach had occurred when planting agents on the database server?

SIEMs correlate all syslogs from servers, databases, network and security devices, and then detect the hacking during forensics?
Ricky Lim
Looks like private sector security standards are still not up to the mark yet.......
Ricky Lim
If yearly penetration tests and vulnerability scanning had been conducted, this vulnerability would have been detected and patched up.
WeeSeng Lim
If sensitive data are kept in the database, encrypt them.
Paul Tan
Should hold the vendors who developed the system partially responsible. How can anyone deliver software that could be hacked so easily and without any warning!
Ricky Lim
"How can anyone deliver a software that could be hacked so easily and without any warning!"

There are 2 answers to the 2 parts of the question:
(1) How could software be hacked so easily?
(2) Without warning?

Before answering the above questions, the following also play a part:
(1) IT budget - how much IT budget the orgn allocates for the web development. If the budget is not sufficient, it is not possible to put in a lot of security features for protection, because security is costly. The orgn may say use a minimal budget to get the web page up; as long as it works, ok already.

(2) Duration given for the software development project - if very little time is given to get the project up, elaborate program coding to do more checks cannot be put in place.
There may not be enough test cases to thoroughly test the program before it is rolled out to production.
Ricky Lim
Now to answer question (1): How could software be hacked so easily?

Minimally, as a good programmer, input field validation must be done to ensure that only valid user inputs are accepted and other irrelevant input is rejected:
(1) Eg. IC no. field - should only accept alphanumeric characters (but not special characters).
(2) Name field - should accept alphabetic and not numeric characters.
(3) Date field - should accept date input and not alphabetic or numeric fields.
(4) Sex field - should accept "Male" or "Female" and no other values.

- if input field validation is not performed but left open, hackers can:
(a) perform SQL injection, by issuing SQL commands in the user input field to bypass web authentication and do a direct search on the relational database and pick up all records of, say, "male" and "female" ---- then all male and female records will be picked up and copied.

(b) write a script in the user input field and do a URL redirect to a hacker web page that looks exactly like the real one, and trick the user into keying in his userid and password. If 2FA is not implemented, the hacker will have captured the valid userid and password.

--- note: input field validation is tedious and time consuming --- and will produce many more lines of programming code --- that need time and programmer hours.

This will mean more IT budget and IT time must be given to do a thorough job.

- also, time is needed to come up with more test cases to test the programming code to ensure there are no vulnerabilities.

--- minimally, programmers should adhere to the industry security best practices and hardening guidelines, which will help programmers to cover most if not all vulnerabilities -- and this also needs time and budget to produce good QC'd programming code.
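One way to implement the per-field allowlist validation described in the comment above (and the SQL injection point raised in the first comment), paired with parameter binding for the database lookup so the input can only ever be data. This is an added example in Python, not code from SIAS or from anyone in the thread; the field names, the regex rules and the `members` table are assumptions constructed for illustration.

```python
import re
import sqlite3
from datetime import date

# Allowlist rules for the four fields the comment lists. The field names and the
# "members" table below are constructed for this example, not a real schema.
FIELD_RULES = {
    "ic_no": re.compile(r"[A-Za-z0-9]{1,12}"),          # alphanumeric only, no special characters
    "name":  re.compile(r"[A-Za-z]+(?: [A-Za-z]+)*"),   # letters and single spaces, no digits
    "sex":   re.compile(r"Male|Female"),                 # exactly the two permitted values
}

def validate(field, value):
    """True only if value is acceptable for field; anything else is rejected."""
    if field == "date":
        try:
            date.fromisoformat(value)  # accepts YYYY-MM-DD, rejects letters or junk
            return True
        except ValueError:
            return False
    rule = FIELD_RULES.get(field)
    return rule is not None and rule.fullmatch(value) is not None

def build_db():
    """In-memory table with two constructed member records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (ic_no TEXT, name TEXT, sex TEXT, dob TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        ("S1234567A", "Alice Tan", "Female", "1980-01-02"),
        ("S7654321B", "Bob Lim", "Male", "1975-05-06"),
    ])
    return conn

def find_ic_by_sex(conn, sex):
    """Validate first, then bind the value as a parameter so the database
    only ever sees it as data, never as part of the SQL statement."""
    if not validate("sex", sex):
        raise ValueError("rejected input for sex field: %r" % sex)
    rows = conn.execute("SELECT ic_no FROM members WHERE sex = ?", (sex,))
    return [r[0] for r in rows.fetchall()]

def find_ic_by_sex_bound_only(conn, sex):
    """Second layer on its own: parameter binding without the allowlist check.
    A tainted value simply matches no row instead of rewriting the query."""
    rows = conn.execute("SELECT ic_no FROM members WHERE sex = ?", (sex,))
    return [r[0] for r in rows.fetchall()]
```

The two layers are independent: the allowlist rejects anything outside the expected shape before it reaches the database, and binding means even an unvalidated value cannot change the statement's structure.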

Ricky Lim
Now to answer question (2): Why without warning?

This one I will not blame a lot on the organization, unless the organization has a very fat budget, good talent and resources, experience and good knowledge. (To be honest, even big foreign MNCs and security organizations also got hacked.......)

Why is it so?
An analogy: if a plastic bag is filled with water, just 1 small hole is enough (water will start dripping until the whole plastic bag of water has completely leaked out and is dry).
A balloon cannot have even one small microscopic hole, because air will slowly leak out, and if the hole is too big --- it will burst.


IT security is similar to the above. Out of millions of hardware and software components, all you need is just one vulnerability - like in this case 1 vulnerability in 1 input field in one web page, or in the SingHealth hack, just 1 weak workstation - and that is sufficient for State Sponsored Hackers to hack through.

IT security needs to be watertight (滴水不漏)!

Because skilful hackers are not easy to tackle.
Worse for APT - Advanced Persistent Threat hackers (State Sponsored ones)
---- the organization will have to put in a lot of security safeguards to ensure hacking will not succeed.

This will easily cost a bomb.

Thus aggregation of National Resource Infra, Security, System and Software talents & resources to defend against State Sponsored Hacking will be required.

The CSA SOC CII monitoring initiative, started in 2015 to cover 11 critical economic sectors and protect the CII (Critical Information Infrastructure), will be a more focused, National pooling of resources, expertise and knowledge to ensure State Sponsored Hacking will be extremely difficult to succeed.

To put it in layman's terms - you need to field an Army to square off with another Army's invasion.

You can't send an IT division of 30 soldiers (a platoon) to defend against an Army with a full range of resources and soldiers, isn't it?

IT defence is a virtual battlefield or a virtual war - via the computer infrastructure.

You need Virtual Generals, soldiers, specialists etc. to defend your Fortress.
