Friday, March 22, 2024

REACH 554 -  What are your views on helping Singapore’s companies and organisations step up their cyber security measures? What else can be done to improve their cyber-security preparedness?

(SK)

22 Mar 2024 (10am - 7pm)


REACH

22/3/24, 9:45 am - +REACH: *Dear Contributors,*

Welcome back! 😊

⏰ We will be opening the chat from *10am to 7pm* today. ⏰

*House Rules (short version of our Terms of Use) to keep in mind:* 

1. Be kind and respectful. We all want to be in a safe space to share our views. 

2. Any and all threatening, abusive, vulgar or racially, religiously and ethnically objectionable content is prohibited.

3. Consider the quiet ones among us and give them a chance to comment.

4. No need to repeat your comment or in different forms (including caps) - we heard you loud and clear the first time.

5. Let’s protect each other’s privacy and keep contact details in this group what it should always be - confidential. 

*Full set of Terms of Use:* https://go.gov.sg/reach-whatsapp-terms

We will strive to uphold these rules to ensure this is a safe space for all.

Please be assured that the points made by participants during the chat are aggregated and shared with relevant agencies.

The topic will be posted shortly.

Thank you

Megan 😊

22/3/24, 10:00 am - +REACH: *📢 Topic 📢*

On 20 March at a conference, Minister for Communications and Information Josephine Teo shared that more can be done to improve cyber security for Singapore’s companies and organisations. 

She added that beyond strengthening digital infrastructure like cloud services and data centres, the cyber security of Singapore’s companies is important as it provides services that people use and defines their online experiences.

 *💬 What are your views on helping Singapore’s companies and organisations step up their cyber security measures? What else can be done to improve their cyber-security preparedness?*

_*📌 Gaps in cyber-security preparedness of local organisations*_

A recent survey by the Cyber Security Agency of Singapore (CSA), which covered more than 2,000 entities across 23 industries and seven charity sectors, found that the majority of these organisations had encountered at least one cyber incident in the year prior to being surveyed, such as ransomware attempts.

The survey queried organisations on the cyber-security measures they have adopted in five areas, such as using secure configuration settings for hardware and software, controlling access to data and services, and updating software on devices and systems. On average, organisations adopted about 70 per cent of essential measures in each of the five areas.

Minister Teo noted that while the adoption rate is “reasonably encouraging”, CSA believes that partial adoption of the measures is inadequate. 

“Unless all these essential measures are adopted, the organisations are still exposed to unnecessary cyber risks,” she added. 

The survey’s findings, which will be fully disclosed next week, revealed that small and medium-sized enterprises fared better in some categories compared with others. The survey also found that almost 60 per cent of businesses and non-profit organisations reported a lack of knowledge or experience to implement cyber security effectively. 

_*📌 Cybersecurity Act will be expanded*_

Minister Teo hoped the survey findings will help to motivate organisations to progress from awareness to taking concrete actions, so that they can minimally “pass” by adopting all the essential cyber measures.

Her remarks came after the announcement during the annual debate on the Ministry of Communications and Information’s budget on March 1 that the five-year-old Cybersecurity Act, which establishes a framework for overseeing and maintaining national cyber security, will be expanded to include foundational digital infrastructure like cloud services and data centres. 

The ministry is also exploring the introduction of a new Digital Infrastructure Act, which comes on the back of recent outages in the banking and healthcare sectors that MPs said have dented public confidence.

At the cyber-security conference, Minister Teo provided updates on the CyberSG Talent, Innovation and Growth Plan, or the TIG Plan. The plan was first announced in September 2023, and seeks to boost the Republic’s cyber-security talent and industry development efforts.

👉 https://www.straitstimes.com/business/more-can-be-done-to-boost-cybersecurity-for-s-pore-businesses-josephine-teo 

👉  https://www.mci.gov.sg/media-centre/speeches/opening-address-by-minister-josephine-teo-at-istari-charter-apac/


------


22/3/24, 10:36 am - ☸️  Danny 心: 

More banks in Singapore to offer money lock feature, but take-up rate low among young adults.

At least three more major offshore banks – HSBC, Maybank and Standard Chartered – are set to offer the “money lock” feature to Singapore customers as early as by the middle of this year.

The anti-scam security feature adds a layer of protection to accounts by allowing users to set aside portions of their funds that cannot be transferred digitally.

The move follows the introduction of the safeguard in November last year by major local banks DBS, OCBC and UOB.           

https://www.channelnewsasia.com/singapore/banks-money-lock-anti-scam-security-feature-ocbc-dbs-uob-maybank-older-users-4207941




22/3/24, 10:44 am - +SL: Is the unlock process user friendly? Sound like it need to go to nearby atm with atm card to unlock..

22/3/24, 10:45 am - +Rama: Can it be done securely via mobile phone app?

22/3/24, 10:48 am - +Frankie Wee: https://www.todayonline.com/singapore/anti-scam-portal-launch-unwitting-victims-2371156

22/3/24, 10:48 am - +Frankie Wee: Mate need to be more security


22/3/24, 10:50 am - ☸️  Danny 心: 

Need to go ATM or banks to unlock.

Only then it is foolproof and failsafe.

Because scammers cannot masquerade victims digitally.


22/3/24, 10:50 am - +Frankie Wee: Mate seek is not responsible for all accounts who setup fake ID


22/3/24, 10:50 am - ☸️  Danny 心: 

If done via mobile apps, scammers still can intercept via malware.

No true 2 factor authentication.


22/3/24, 10:51 am - +SL: Based on what I read on 2 banks' websites, bank 1: 1 unlocks via a nearby atm, and bank 2: needs to go in person to the branch to unlock the account (2 working day processing time for this unlock via branch)—separate vault recommended for the second lock feature.


22/3/24, 10:52 am - ☸️  Danny 心: 

OCBC can do via ATM.

Other banks only can visit banks.


22/3/24, 10:53 am - ☸️  Danny 心: 

REACH - Current Bank 2FA is not foolproof in protecting bank customer savings. And the full onus of scam weight heavily on bank customers.

11 May 2023


1. Totally relying on online tools and online 2FA security features for bank transfer (local and overseas) - are not foolproof in the advent of AI and quantum computing.

As id, password, digital token, SMS OTP, biometric fingerprint, face recognition, email OTP - all fall into one device - the smartphone.

Once a malware compromise the handphone, multi- factor authentication = no authentication - because AI malware will easily disable biometric authentication or pick up all the password, pin etc from the smartphone.

The multiple factor authentication gives only superficial and false security assurance that can be hacked.

https://www.tomsguide.com/news/this-new-android-malware-is-stealing-passwords-and-2fa-codes-what-you-need-to-know#:~:text=This%20new%20Android%20malware%20is%20stealing%20passwords%20and%202FA%20codes%20%E2%80%94%20what%20you%20need%20to%20know


2. Bank call back verification for all overseas and local bank transfer - serve as real 2 factor authentication - as without customer confirmation, all online transfer cannot be authorised and approved.

If the current bank security features 2FA are considered foolproof with the touted userid, password as 1FA and digital token or SMS OTP as 2FA.


Rightfully, scammers despite getting the 1FA userid and password -  cannot and shouldn't have acquire the 2FA - digital token or SMS OTP - to successfully login and access the bank account - if bank security is foolproof.


But the real fact is, scammers can acquire both the 1FA and 2FA through the compromise handphone - because bank online access allows all 1FA and 2FA to be landed on the same device - the victim handphone.


Previously, a hard token is issued to the customers. But now no longer the case - as banks increasingly use soft digital token or SMS OTP that land on the same handphone.

This is a security breach - according to the security best practices.

Hence if the customer are scam by malware or fool by scammers to release their 1FA, rightfully if security practices are tight, scammers will not be able to access the 2FA .

But bank online implementation make it do so.

So banks have equal accountability and responsibility - if a customer bank account is scam - and should have implemented a foolproof login process.

And if the bank account is breached due to the inadequacy of login security process, then banks should also have accountability to compensate customers for the loss suffer by the customers.


This means that if a scam victim sue in court if he/she got scammed even if the victim is wrong by releasing their id and password credentials or even 2FA via malware or fool by scammers - banks are still accountable if the victims has no wish to transfer their money to the scammers.


Because banks if do call back verification to check with the victim if the online transfer is authorised - and if the victim say no - the money will still be intact and not be scammed. The call back only requires 5 minutes - but go a long way to stop a scam.


By making the joint responsibility of banks and customers against scam - successful scam can be greatly reduced if not totally eliminated.


Then police involvement, prosecution, drastic rise in scam cases will not arise.


Why such a simple step not implemented?


In fact for the $1.3 billion scam victims, a lot more time, manpower and resources are needed to trace, track, investigate by multi agencies hoping to recover the lost fund - a big portion cannot recover.


It cost a lot more not only to banks, but also police, Telcos, IT experts, prosecutors, courts times, foreign affairs and so many others to nab the scam.

And yet victims suffer money loss and mental distress.

Not worth it to implement a slew of efforts to nab scam - as scam can in fact be stop at the source.

====


22/3/24, 10:54 am - +Rama: 😳🤦‍♂️😔


22/3/24, 10:55 am - ☸️  Danny 心: 

Past feedback on unreliability of fully relying on digital authentication as 2 or multiple factor authentication - not reliable.

Only out of band physical authentication is true 2 factor authentication.


22/3/24, 10:57 am - +Loong Hin: The bank needs to improve their fraudulent activities detection mechanism. They need to upgrade their AI to better detect these fraudulent transactions.


22/3/24, 10:58 am - ☸️  Danny 心: 

By the time is detected, it is already too late.

Money already transfer overseas.


22/3/24, 10:58 am - ☸️  Danny 心: 

To tackle money laundering, we need to tackle vice and embezzlement.

Online scam - is the biggest source of illegal money.

Current anti-scam measures are still not "FAILSAFE" or "FOOLPROOF" to prevent online scam.


Let me explain why :-

*Current Anti-Scam measures*

1. Notice that current authentication method to access CPF, banking and other financial transaction are done via "What you know" :-

a. User id, password, OTP/digital token (SingPass) - 2FA or multi-FA.


2. There is also a discussion or intent to implement Biometric Authentication  - essentially "What you have" :-

a. eg. facial recognition, fingerprinting, IRIS, voice recognition etc - for CPF access for 55 years or older.


(Both attempts to establish the true identity of the user - essentially "Who you really are, and your real intent" to effect the fund transfer.

- But unfortunately both can be "stolen" by scammers :-

a. Remote control malware downloaded to take over the victim handphone or malware keyloggers that steal userid, password and OTP.

b. Biometric features can be lifted off from photo, video, fingerprint scan, audio in social media or other platform. Biometric features (once stolen, will be forever lost - unless one change the face, finger, eyes of voice). 

If stolen, scammers will have unlimited and unfetter access to all banks, finance institution, CPF - as password lost can be changed but not biometric features.

Note :- There is a recent news whereby a HK scammer lift the facial features from his colleagues in selfie and wefie photos and videos - and scam a virtual bank loan of HK$1.8 million.

https://www.thestandard.com.hk/breaking-news/section/4/199137/'Face-stealing'-man-among-trio-arrested-in-HK$1.8m-loan-fraud

https://www.trendmicro.com/vinfo/hk/security/news/internet-of-things/leaked-today-exploited-for-life-how-social-media-biometric-patterns-affect-your-future

https://www.forbes.com/sites/thomasbrewster/2021/10/14/huge-bank-fraud-uses-deep-fake-voice-tech-to-steal-millions/


----

3. Hence there is an urgent need to put in place - "Who you really are, and your real intent" (as biometric - cannot achieve this feature - because scammers can steal biometric and masquerade the real user and fool the security system during authentication).


a. By requiring user to use "Userid, password, digital token/OTP" to achieve 1st level access - are in fact the 1st FA (digital access) --- but no way to ascertain the user is the real user by the bank / financial security system.


b. Hence will need another non-digital authentication verification - to determine "who you really are, and your real intent" which I suggest :-

i. Recorded Video conferencing verification (eg. using zoom or Whatsapp vc, or Telegram vc) - whichever platform is secured and comfortable to both the banks and financial institutions. As Banks / Financial institutions can see and hear the real users - to determine who you really are and his real intent by checking with him online.

ii. Recorded Telephone call back by banks/financial institutions/CPF to achieve similar effect.

iii. Appear physically in banks/financial institutions/CPF 

--- before banks/financial institutions/CPF effect the transfer.

(Note :- I acknowledge this is a crude, inefficient method - to effect fund transfer as there could be millions of fund transfer transaction per day - and will draw up many resources from the banks/financial institutions or CPF.


But it is to-date the only "FAILSAFE or Foolproof" method - to establish "who you really are, and your real intent" ---- as oppose to other more efficient digital method of authentication but not foolproof or failsafe - resulting in tremendous monetary loss to victims, banks/financial institutions and policing overhead to track, trace, and arrest scammers).


I will not insist on this crude and less efficient method (that provide "air gap" - similar to "physical segregation of internet and intranet access" - that are crude, costly but foolproof/failsafe) - if new, innovative digital solutions are found and develop --- achieving similar effects.


22/3/24, 10:58 am - +Rama: Yes


22/3/24, 10:59 am - ☸️  Danny 心: 

This feedback lead to the moneylock.


22/3/24, 10:59 am - +SL: Live Face recognition which the portal did not accept any recording or video output from any 3rd party machine. 

The feature will require a mobile device to swing around the authenticate target for x seconds. I saw a similar feature on our singpass registration via computer/mobile device.


22/3/24, 11:00 am - ☸️  Danny 心: 

Live biometric anti-spoofing measures still under development worldwide.

Not yet fully developed.


22/3/24, 11:03 am - +Landon: The money lock feature does not fix this issue. It is just a restrictive mechanism to prevent users from making withdrawals. 

This scenario happened to me in Singapore and Australia. 

1. Made a ATM bank transfer payment of $800 in Singapore from OCBC to DBS after a scammer scammed me of my money. Reported the scam immediately to OCBC. OCBC said can't stop the payment and can't recover it. Advise to make police report. Police report filed. Never got my money back. 

2.I made a transfer of $2300 to another bank account from Westpac to Commonwealth Bank in Australia. Reported the transfer as a scam as the other party did not send the product to me. I reported to the bank within 3 working days as required by the bank. I got my money back within 24 hours in full with no questions ask.


22/3/24, 11:03 am - ☸️  Danny 心: 

Because AI, GAN adversarial neural network, deepfake - now very sophisticated.

Until and unless live biometric are proven foolproof and failsafe.

Live biometric once stolen is gone forever.


22/3/24, 11:05 am - ☸️  Danny 心: 

Is the $800 in OCBC moneylock?


22/3/24, 11:07 am - ☸️  Danny 心: 

Because the transfer is done by the victims.

The victim give consent to transfer.

Not stolen online by scammers.

If victim give consent to transfer, moneylock no used.


22/3/24, 11:08 am - +Landon: No, this happened before money lock was implemented.

22/3/24, 11:08 am - +Landon: But in both scenarios, Australia could get the money back.

22/3/24, 11:09 am - +Landon: They said it's either partial or full deposit back into my bank account.


22/3/24, 11:09 am - ☸️  Danny 心: 

There are more than 10 tracks in live biometric anti-spoofing measures need to be developed - before it is considered safe.

The protection against video and device is only one of them.


22/3/24, 11:10 am - ☸️  Danny 心: 

After moneylock, I think it should be safe.

Because money can only be used after unlock.


22/3/24, 11:10 am - +Loong Hin: Rather than to have the money lock features, alternative can have an add new payee lock feature whereby if you want to add new payee, it has to be done at ATM.

22/3/24, 11:11 am - +Landon: That's dumb.

22/3/24, 11:11 am - +Landon: I'm a business owner. I'm not always available to be at the ATM.


22/3/24, 11:11 am - ☸️  Danny 心: 

I am not sure about Australia.

Government drawing up accountability for banks, telcos and victims to prevent abuse.


22/3/24, 11:11 am - +Landon: Also travel lots for work.

22/3/24, 11:11 am - +Landon: So no access to local atm in overseas


22/3/24, 11:13 am - ☸️  Danny 心: 

Scammers steal your id and bank credentials.

Add payee and moneylock created out of band is the same effect.


22/3/24, 11:14 am - ☸️  Danny 心: 

Moneylock is for excess fund.

Moving fund don't moneylock.

The most you lose the fund not under moneylock.


22/3/24, 11:15 am - +Landon: Yes, but again- the banks in Singapore don't seem to understand when I ask them to reverse or stop the transaction.

22/3/24, 11:15 am - +Landon: They said can't reverse or stop which is rubbish.


22/3/24, 11:16 am - ☸️  Danny 心: 

It can do a lot of damage eg. Increase credit limit, add payee, do Swift transfer etc.

Moneylock stop all this transaction and protect your money.


22/3/24, 11:16 am - ☸️  Danny 心: 

If already transferred how to stop?


22/3/24, 11:16 am - ☸️  Danny 心: 

Swift transfer is immediate.


22/3/24, 11:17 am - +Landon: Because I've reversed or stopped pending transactions or where money is being held by an intermediary bank while in Australia. 

Sometimes you make payment, you see your bank statement says "pending" or "processing". Those can be stopped.

22/3/24, 11:17 am - +Landon: Means the money hasn't been fully transferred out of the bank account or being held in a trust

22/3/24, 11:18 am - +Landon: The bank on the back end can stop the transaction.


22/3/24, 11:30 am - ☸️  Danny 心: 

I am not sure what transfer you used that have "pending status".

For online Swift transfer, it is almost immediate and cannot stop.


22/3/24, 11:32 am - ☸️  Danny 心: 

1. Moneylock is an out of band features - that help bank customers to lock up a big portion of their savings - so that it cannot be stolen by scammers online.

2. But if victims willingly give it away by unlocking it and transfer to scammers, nothing the moneylock or bank staff can do.


22/3/24, 11:37 am - ☸️  Danny 心: 

To date, 0 money is loss from "moneylock account".


22/3/24, 11:40 am - +Landon: <Media omitted>

22/3/24, 11:41 am - +Landon: As you can see, we already authorised the payment- however we realised it's the wrong amount and click reverse payment.


22/3/24, 11:44 am - ☸️  Danny 心: 

1. Currently, I think CSA has identified about 11 CII (Critical Information Infrastructure) under cybersecurity protection.

2. Among them are government, financial, healthcare, critical infrastructure such as power, water, etc.

3. I am not sure whether SME and other business is it under such CII protection.

4. It is a 24 hour continuous X 365 days cybersecurity surveillance and protection through SIEM (Security Incidents and Events Management).

5. Critical organisation under such surveillance must meet the cybersecurity standards by upgrading their software, patches, minimum security server and end devices standard.


22/3/24, 11:45 am - ☸️  Danny 心: 

Hmm...

Not sure about this particular case.

But if you transfer with consent, moneylock also cannot help you.


22/3/24, 11:45 am - +Landon: there needs to be a feature that allows us to stop payments whether it's a credit card, giro/direct debit or ETF.

22/3/24, 11:45 am - +Landon: All I know in Singapore is I never get my money back

22/3/24, 11:46 am - +Landon: I've always gotten my money back in Australia accounts. That's why I keep most of my savings there and only keep what's required in Singapore for daily expenses.

22/3/24, 11:46 am - +Landon: Also interest rate is better there.


22/3/24, 11:47 am - ☸️  Danny 心: 

1. In retrospect, if SMEs and small businesses need to come on board the CII - it will be too onerous for CSA infrastructure to handle.

2. Unless another private security central SIEM is setup for SME and small businesses can come on board for a small fees.


22/3/24, 11:47 am - ☸️  Danny 心: ,🤷


22/3/24, 11:47 am - +Rama: Good move.

22/3/24, 11:47 am - +Rama: Agree

22/3/24, 11:49 am - +Landon: Also always receive this message from the Singapore bank 

"If you didn't make this transaction, please call our hotline"

22/3/24, 11:49 am - +Landon: I call and then they say can't stop the payment, then call for what??!

22/3/24, 11:49 am - +Rama: Long wait for someone to answer!

22/3/24, 11:49 am - +Landon: And don't tell me to block, because I can block from the dbs or OCBC app.

22/3/24, 11:49 am - +Rama: 😳🤦‍♂️😔

22/3/24, 11:49 am - +Landon: Yes, always so long.

22/3/24, 11:50 am - +Rama: Testing a person patience!


22/3/24, 12:04 pm - ☸️  Danny 心: 

1. CSA cannot let SME and small businesses to do their own cybersecurity protection - because they lack IT professionals and cybersecurity talents to run their IT infrastructure and services.

2. In fact I notice some MNCs and big organisations also not as well protected - because it requires a good mix of IT infrastructure talents, software talents and cybersecurity talents to run an organisation IT infrastructure and services well.

3. Hence, engaging and experience 3rd party IT Security organisation to jumpstart and beef up SME and small businesses cybersecurity will be needed - the like of CSA functions to the 11 CII.


22/3/24, 12:04 pm - ☸️  Danny 心: 

"Germany’s Taurus missile leak story

Germany claims web-based discussion compromised in Singapore but it’s just as likely the security breach happened at home"

 https://asiatimes.com/2024/03/the-holes-in-germanys-taurus-missile-leak-story/#:~:text=Germany%E2%80%99s%20Taurus%20missile,happened%20at%20home


22/3/24, 12:08 pm - ☸️  Danny 心: 

This breach come from the used of unsecured comms via WebEx - I think should be Cisco video and teleconferencing platform in a Singapore hotel.

If this general use the hotel WiFi or 4G through his handphone, the end to end encryption will have been broken - and can be intercepted by hackers through man in the middle attack via wireless long antenna - and record the video conferencing or teleconferencing session.


22/3/24, 12:10 pm - ☸️  Danny 心: 

Using a fixed phone - that cannot be tapped and with end to end encryption - at least a RSA 2048 bits encryption - will have prevented the leak.

Because difficult for hackers to break into a switchroom to do wiretapping.


22/3/24, 12:20 pm - ☸️  Danny 心: 

Also hacker cannot plant malware into a fixed phone.

Whereas for smartphones, hackers can plant malware using wireless means eg. 4G, WiFi, Bluetooth, NFC.


22/3/24, 12:21 pm - ☸️  Danny 心: 

This breach sounds like 007.


22/3/24, 12:29 pm - ☸️  Danny 心: <Media omitted>

22/3/24, 12:29 pm - ☸️  Danny 心: <Media omitted>

22/3/24, 12:29 pm - ☸️  Danny 心: <Media omitted>


22/3/24, 12:31 pm - ☸️  Danny 心: 

See many people turn on their Bluetooth, WiFi and NFC in public.

Easy for hackers to do man in the middle attack - and use dictionary attack to crack the password or pin to establish connection - and then plant malware.


22/3/24, 12:31 pm - ☸️  Danny 心: 

Don't even need long range antenna.


22/3/24, 12:32 pm - ☸️  Danny 心: 

Also don't need 007.


22/3/24, 12:36 pm - ☸️  Danny 心: 

The fixed phone however must be a Cisco IP phone with authentication and encryption features that support WebEx.

Then hackers cannot wiretap or intercept via internet.


22/3/24, 12:37 pm - ☸️  Danny 心: 

And the hotel must use cisco IP PABX that support SIP with authentication and encryption features.


22/3/24, 12:50 pm - ☸️  Danny 心: 

1. Another aspect of IT services and infrastructure - is resiliency and high availability.

2. Notice that some big organisations also don't design IT infrastructure that are at least 99.99% to 99.999% - with full redundancy features.

3. Some are using Active-Backup design - that requires manual intervention to start up backup system - and this involves downtime to public users.

4. A good example is DBS system.

5. Minimally, all IT infrastructure and services must be designed with Active-Active IT infrastructure and services with 99.99% minimally.

6. With the advent of network virtualisation, server virtualisation and cloud computing - such demand is not over-reach - as resilient VM (Virtual Machine) - can be created with a click of the button.

7. Server load balancers and global load balancers - to support Active-Active systems are easily available.




22/3/24, 1:17 pm - ☸️  Danny 心: 

Eg. 

1. A private SOC (Security Operation Centre) with 24x375 SIEM can be engaged through a government tender call by CSA.

2. Minimally 2 SOC in 2 data centres - to ensure 99.999% availability.

3. SME and small businesses are encouraged or mandated to engage this SOC for cybersecurity assessment, updated to ensure minimal cybersecurity hygiene and then join for continuous assessment to prevent against active hacking, ransomware, DDoS attack, infiltration, cyber spoofing, port, TCP, UDP scanning, cyber surveillance etc.

4. Cybersecurity assessment ensure all business IT servers, devices, equipment etc are installed with the latest OS version, security patches, updates etc.

5. Minimal security protection are deployed such as firewalls, anti-virus software, IPS etc.

6. Agent and agentless are loaded into all servers, end devices for SIEM monitoring.

7. SME and small businesses pay a monthly small fees for such services.


This pooling of cybersecurity protection - through central monitoring will save manpower crunches, cybersecurity and IT talents, and centrally protected by the professionals - and hence can save money for business rather than they setup their own IT resources and may not get the best talents on their own.


22/3/24, 1:40 pm - +Kenneth Lee WM: Need to also remember social engineering. Eg modified email headers that seems to come from CFO, asking accountant to transfer money to scammer bank account.

Right now, report to police, police just ask victim-to-be to file a report. Nothing seems to be done except end of year make a report saying how many people made report. Police say crime hasn’t happened yet as money not transferred.

22/3/24, 1:42 pm - +Kenneth Lee WM: Don’t want to follow money trail starting with bank account


22/3/24, 1:43 pm - ☸️  Danny 心: 

1. Also this central SOC can engage AI talents to protect against APT (Advanced Persistent Threat) AI attacks - mainly pull by State Actors or organised skilful hackers.


22/3/24, 1:51 pm - ☸️  Danny 心: 

2. With quantum computing getting more and more mature, cybersecurity attacks from quantum computers can be more devastating - that can crack virtually all currently used authentication and encryption algorithms and standards.

3. Current IT use binary bits of 0 or 1 - that will be crack by qubits and superposition in no times.

4. Quantum computing used qubits 0 and 1 - superposition, quantum entanglement.

5. Even the strongest encryption with 2048 bits, 4096 bits can be cracked within hours or just days - instead of months or years.

6. All bank security, defense security, home security - will be broken - comes the maturity quantum computing.


Hence, we must be ready to meet this formidable challenges.

Understand that SingTel will be setting up quantum ready network at the Telco end.

Hope more information can come out from this initiative - and end users, banks, security organisation need to do anything or invest in quantum cybersecurity to protect against quantum threat?

If yes, what needs to be done?


22/3/24, 1:57 pm - ☸️  Danny 心: 

If no need for organisations to invest in quantum computing - does SingTel quantum network suffice to protect against quantum cyberattacks?


22/3/24, 2:00 pm - +REACH: *📢 Topic 📢*


22/3/24, 2:07 pm - ☸️  Danny 心: 

The scary part is, this State Hackers can even crack 4G network to do man-in-the-middle-attack.

To pull off this feat, other than a long range antenna, the State Hackers could also have smuggle in a 4G base station to intercept this General 4G radio signal and trick it to associate and authenticate with this rogue 4G base station.

Only a State Actors can pull off such feat.

4G network are considered secure by standard - because it requires authentication and encryption.

Yet this State Actors can pull off the 4G attack.


22/3/24, 2:08 pm - +Rama: 😳😔🤦‍♂️


22/3/24, 2:10 pm - ☸️  Danny 心: Because a person cannot smuggle in a 4G base station under the baggage x-ray scanners in Changi airport.


It will be easily detected - because it is so bulky.


Unless through diplomat channel?

22/3/24, 2:12 pm - ☸️  Danny 心: Also how to power up a 4G base station in a car outside a hotel without getting detected?


If not 007, who else can do it?

22/3/24, 2:18 pm - +Rama: We have a current case before the court of a senior civil servant from MFA.

22/3/24, 2:18 pm - ☸️  Danny 心: That one not cyberattack.

22/3/24, 2:18 pm - +Rama: I know

22/3/24, 2:19 pm - +SL: Mitm is not limited to state actor, mots is common in the cyberworld, less complicated as compared to mitm

22/3/24, 2:20 pm - ☸️  Danny 心: Unless the hacker know how to crack SingTel 4G authentication and encryption.

22/3/24, 2:20 pm - ☸️  Danny 心: 4G base station mitm don't need to crack authentication and encryption.

22/3/24, 2:32 pm - +SL: Not referencing any network provider, in the cyberworld, unauthorized threat actors have tools that allow them to via the radio network, signaling connectivity, sim etc. On top of deterrence, early incident detection, identification and early treatment, police report is one of the best ways to reduce such incidents.

22/3/24, 2:36 pm - ☸️  Danny 心: Yes.


These are known techniques to do MITM.


But looking at the news article, it doesn't look like a targeted attack but a random scan.


To do a random scan, deploying a rogue 4G base station with a long range antenna - is the best method - because it will attract all the hotel radio signals into this rogue 4G base station.


The hackers can easily record all signals passing through and associating with this rogue 4G base station.

22/3/24, 3:05 pm - +SL: “The German statement said either it was caused by a cellular phone using the insecure hotel wifi, or it was caused by a cell phone internet connection on a cellular network.” sounds like this conversation using an application; if the device is secured and the communication application is encrypted end to end, is the breach via wiretapping and not due to internal hotel network? 



If the issue is the device was connected to the fake 4G base station (eNodeB), usually this CSS eNodeB has unique characters that can be identified and managed with tools. In general the default pre-authentication vulnerability of 4G remains since 4G was introduced, and not sure whether the industry has a good solution in fixing it.

22/3/24, 3:10 pm - ☸️  Danny 心: Yes.


We are not sure how the State Hackers hack the signals - there are various channels.


But wireless means are the most likely avenue.


Hence, vigilance to ensure that all wireless comms must be secure or disabled if not used.


The best is via a wired secure channel that can't be wirelessly spoofed or tapped.


Evidently, cyber hygiene was breached - when top secret stuff is discussed over an insecure channel.

22/3/24, 3:15 pm - +SL: I agree that cyber hygiene is important in all aspects of life.


Like what you said, people working in sensitive industries are required to follow proper approved communication protocols.

22/3/24, 3:21 pm - +SL: Sorry, missed out on this point: article mentioned an application was used for communication. The product got end to end zero-trusted identity management and AES256 encryption.

22/3/24, 3:24 pm - ☸️  Danny 心: The application used is WebEx - a Cisco video conferencing and teleconferencing platform.


It had an end to end encryption.


But if he uses mobile apps, the end to end encryption is broken.


Hence mitm is possible as no encryption.

22/3/24, 3:24 pm - ☸️  Danny 心: AES 256 encryption broken.

22/3/24, 3:27 pm - ☸️  Danny 心: Only Cisco IP phone can do authentication and AES encryption - that connects with Cisco IP PABX.


Not sure whether Cisco got mobile apps that do the AES encryption. It is very resource intensive.

22/3/24, 3:28 pm - ☸️  Danny 心: Because it also need to access the directory services - the phone list - equivalent to LDAP directory services. <This message was edited>

22/3/24, 3:34 pm - +SL: Articles mentioned that are participants in the call. Did the breach happen in any of the devices? The application itself also has recording by default to facilitate playback. There are too many possibilities.


Adopting zero trust access management and defense-in-depth architecture for cybersecurity is good to consider by any organisation.

22/3/24, 3:36 pm - ☸️  Danny 心: Possible. Could be other participants as well.


Also WebEx can be recorded and played back - because it is IP based.


Basically WebEx is not classified as a real secured comms platform for defense security.

22/3/24, 3:38 pm - +Smiley face: This message was deleted

22/3/24, 3:40 pm - +Smiley face: Hi SL....

22/3/24, 3:42 pm - +SL: It is a commercial application…

22/3/24, 3:43 pm - +Smiley face: CDMA, the legacy of 2G/3G wireless comm formerly used by the Japanese....

22/3/24, 4:01 pm - +REACH: *📢 Topic 📢*

22/3/24, 4:18 pm - +Smiley face: 22 March, 2024

"Digital: Transactions, Transcriptions and Threats"

Digitisation and AI are highly complicated data & hardware engineering processes and it inherits many complex mathematical problem solvings to add on to the threats of cyber loopholes up for hacking in real time operations, 365 days of these sleepless data.


The key is gateway and gatekeep as the entering point and checking point of all Cyber transactions and threats. The gateway starts from a simple digital device to a big digital system running in multiple millions ways, in and out. That's just a tip of the iceberg!


22/3/24, 4:44 pm - ☸️  Danny 心: 

Another thing about public WiFi:-

1. Try not to turn on our smartphone WiFi to access public WiFi - because it is a lot easier to do a man-in-the-middle attack compared to a rogue 4G base station.

2. Because WiFi access point is smaller and more compact - can easily stuff into a bag.

3. By using a strong antenna, a rogue WiFi access point can easily attract victims to associate with the rogue AP and record all the WiFi Radio signals.

4. All the strong security such as IEEE 802.11i, EAP (extensible authentication protocol) such as PEAP, TLS etc, AES, 3DES encryption with strong keys are rendered useless - as the rogue AP intercepts the association and connection.

5. People doing security stuff, financial, business, banking or privacy should try to avoid accessing public WiFi AP.

6. Those who have no choice, but to use public WiFi - better setup VPN connection to do so using strong encryption algorithms such as AES or 3DES with strong encryption key.


22/3/24, 4:47 pm - ☸️  Danny 心: 

7. But people in defence or home team security - should abstain from using public WiFi.


22/3/24, 4:58 pm - +Frankie Wee: Hacker can speed technology spyware.

1 mins database stole

1 mins report alarm system 

1 mins back up blocked

1 mins definitely 

1 mins report break news 

Total 5 mins even can break fast with Ai capacity high crime.


22/3/24, 4:59 pm - ☸️  Danny 心: <Media omitted>


22/3/24, 4:59 pm - +Frankie Wee: Strong cyber security more room improved next stage will safeguard and not eventually happened lose.


22/3/24, 5:01 pm - ☸️  Danny 心: 

See the moment I turn on WiFi, I got connected to a rogue WiFi.

No chance even to set up a VPN.

Hence very dangerous.

If I am not IT literate and stay alert, I could be accessing internet via this rogue WiFi - and then my network traffic kenna stolen. <This message was edited>


22/3/24, 5:06 pm - +Frankie Wee: https://www.straitstimes.com/tech/tech-news/cybersecurity-workforce-to-be-beefed-up-amid-ai-threats

22/3/24, 5:10 pm - +Frankie Wee: Someone whom trying to sent Ai virus its turn threat the system. Ensure human will have safeguards against the Ai failure system.

ECO system building may affected. 

We must defence stand against turn back Ai system back up.

Example military Ai solider will turn terror threat. <This message was edited>

22/3/24, 5:11 pm - +Frankie Wee: https://cloud.google.com/blog/products/ai-machine-learning/building-an-open-generative-ai-partner-ecosystem


22/3/24, 5:24 pm - ☸️  Danny 心: 

US legal woes will not affect Eat Just’s cultivated meat plans in Singapore: CEO.

https://www.straitstimes.com/singapore/us-lawsuits-will-not-affect-eat-just-s-cultivated-meat-plans-in-singapore-ceo


22/3/24, 5:27 pm - ☸️  Danny 心: 

Even setup VPN no used - because the rogue WiFi AP could have recorded my passwords when setting up the VPN - WiFi is layer 2 whilst VPN is layer 3.

Rogue WiFi AP still can crack my VPN setup and steal my WiFi traffic.

Hence public WiFi not safe. <This message was edited>


22/3/24, 5:31 pm - +Smiley face: "A serious cyber attack can turn into a cyber crisis at national level to an international threat whereby trust within and outside of the digital ecosystem is compromised severely to the extent of stoppages and the resilience of digital ecosystems will be under tremendous stress and tested to its limit. It's therefore wiser to start examining all points of attack within a system and the interconnected infrastructure of a digital ecosystem."

-- anonymity

22/3/24, 5:37 pm - +SL: The most valuable item in a digital world is data. With the appropriate approach to safeguard the data, a workable and sustainable infrastructure architecture can be established by the organization, and that scope can also address the gap in the entry point of attack.

22/3/24, 5:37 pm - +Smiley face: Yes, absolutely bingo !

22/3/24, 5:38 pm - +Smiley face: The next-generation interconnectivity is closing the gap between the digital and physical worlds, and exposing some of our most essential threats to our digital ecosystems in the making. Our strategic assets from banking & financial manufacturing, power grids, water treatment facilities, transportations of air hub, land hub, sea hub, civil defence to self defence are among the critical infrastructures from semi-digital control systems into full automation. With the next-gen advanced wireless technologies via the outer-space capabilities such as GPS for both civilian and military uses will enable all weather surveillance across any part of the world and most importantly, the global daily needs for digital feeds. All of these advancements in the next gen technologies will accelerate performance into massive increases in  productivity of nations who adopted all of it. Thus it becomes clear targets for malicious* cyber attacks to happen and impact a nation's down to its inability to react on time and on-line! Thats it, that's the real threat, a systemic crash of digital ! Let's prepare for this D-day!


*(espionage, intellectual property theft, damaging attacks against critical infrastructure, ransomware attacks and influence campaigns designed to prior to election period. Foreign spyware, are now widely available and these spywares enable a growing threat from organized criminal syndicates and anonymous hackers working for foreign entities)

22/3/24, 5:42 pm - +Smiley face: This message was deleted

22/3/24, 5:42 pm - +Smiley face: This message was deleted

22/3/24, 5:43 pm - +SL: From the perspective of helping SMEs, service providers should encourage subscribers to upgrade their current routers to the latest wifi 6e or wifi 7 version which these products come with inherent banking-grade application firewall. With a proper setting in the firewall by the service provider technician, the number of type of cybersecurity incidents can be managed and reduced.

22/3/24, 5:46 pm - +Smiley face: This message was deleted

22/3/24, 5:46 pm - +Smiley face: This message was deleted

22/3/24, 5:47 pm - +Smiley face: This message was deleted

22/3/24, 5:48 pm - +Smiley face: This message was deleted

22/3/24, 5:51 pm - +SL: Similar to households their routers should be correctly set up on the application firewall and or data loss prevention application. The application firewall will help in blocking well-known malicious websites. Hence protecting the computer and handphone accessing websites while at home. If the workplace, home, and agency premises are secure, only the public space with AP needs to be managed.

22/3/24, 5:52 pm - +SL: Or when the device left Singapore.

22/3/24, 5:56 pm - +Smiley face: This message was deleted

22/3/24, 6:00 pm - +SL: @ 😁Sorry the last one?

22/3/24, 6:00 pm - +REACH: *📢 Topic 📢*

22/3/24, 6:02 pm - +Smiley face: This message was deleted

22/3/24, 6:07 pm - +SL: The most effective way I think of resolving some types of ransomware cases is not paying the ransom (restoring from backup), plugging the entry point of attack of the malware, and improving the detection of malware in the network.

22/3/24, 6:19 pm - +Jimmy Chew: Good idea but they may have penetrated the system one or two years ago. And just ready to attack after understanding your vulnerabilities <This message was edited>

22/3/24, 6:22 pm - +Smiley face: "Cyber Command and Control system? (CCC)

In the defence of any cyber attack, deterrence is one early measure but on a longer strategic point of view, to deter is just not good enough! In all warfare, you defend and you attack and counter attack if you are strategically competitive even more so if you are superior in doing so. Therefore, in all war, there is action and reaction and thereafter persistence actions till your enemy surrenders their bad intentions on you! Isn't all of these worth extra thinking?"

-- anonymity

22/3/24, 6:26 pm - +SL: Hypothetically speaking, they will not lock the system with ransomware as they remotely view all live data anytime without discovery until they decide to leave with locking the system.


22/3/24, 6:28 pm - ☸️  Danny 心: 

Such anomalous behaviour is known as APT (Advanced Persistent Threat).

If the whole system and infrastructure is monitored by an SOC (Security Operation Centre) using SIEM (security incident and event management) - such anomalous behaviour will be detected and picked up.

Remedy actions can be done to remove such APT threat.


22/3/24, 6:35 pm - +Smiley face: In the context of the public, there is a big lack in knowledge of Cyber threats and the know-how of securing and eliminating such constant invincible threats within and outside of our parameters of operating the digital devices from personal mobile phones to an integrated digital system in an organisation. The fact is the complacent and ignorant layperson will never fully understand how cyber security will prevent all infiltration into any digital devices from a simple execution of a click and thereon spread like viruses onto the next device and the systemic effects of hacking occurred within minutes and the system will have to be shut down to search for these embedded threats and more oftentimes unique codes of disruption that displaced productivity to zero for as long as the system is downed.


22/3/24, 6:36 pm - ☸️  Danny 心: 

Also APT security measures include detection of anomaly, and ransomware will be immediately thrown into a sandbox, detonated, isolated and contained within the sandbox.

Forensics can be conducted on the malware contained in the sandbox, to be quarantined or removed. <This message was edited>


22/3/24, 6:41 pm - +SL: In general, the investment an organization is willing to spend on data protection (affordable cost and on a regular basis) determines how secure the data would be.

22/3/24, 6:43 pm - +Smiley face: Let's begin and explore our discussion with Open AI, Microsoft at a high level collaboration, aka international partnership agreement.

22/3/24, 6:45 pm - +REACH: *Dear Contributors,*

⏰ We will be closing the chat in *15 minutes* ⏰

Thank you very much for being part of our WhatsApp chat and participating actively.

Goodnight!

Megan 😊

22/3/24, 6:45 pm - +SL: If I am willing to spend $2000, to protect my data, the solution is offline data storage, storing the hard disk in a safe with a key. 

If I am willing to spend millions, a cloud platform with various security can be installed and 24/7 monitoring the remote access, DLP, APT monitoring, data in blockchain, biometric multifactor authentication access etc


22/3/24, 6:47 pm - ☸️  Danny 心: 

I don't think Microsoft or Open API are security organisations.


Trend Micro, Symantec and other security organisations such as Palo Alto, etc may be more suitable.

22/3/24, 6:48 pm - ☸️  Danny 心: DLP, APT, multiple factor authentication come from IT security organisations.

22/3/24, 6:49 pm - +SL: Office 365 has features on DLP and MFA…. 🙏

22/3/24, 6:50 pm - ☸️  Danny 心: Oh I see..

22/3/24, 6:51 pm - +SL: As you said, more advanced DLP and MFA may need to come from the security product company..

22/3/24, 6:54 pm - ☸️  Danny 心: Microsoft security - average.


IT security products more solid.


E.g. our laptop may have Windows Defender and antivirus features.


But we also need to install Trend Micro, Symantec etc security products.

22/3/24, 6:55 pm - +Rama: Microsoft!?

22/3/24, 6:55 pm - +Smiley face: When you pay big bucks....you will get big stuffs!

22/3/24, 6:55 pm - ☸️  Danny 心: Can use but not guaranteed

22/3/24, 6:56 pm - +Smiley face: Investments in Next Generation technologies, is the way out of all the hassle!

22/3/24, 6:56 pm - ☸️  Danny 心: Some malware still can slip through. <This message was edited>

22/3/24, 6:56 pm - +Rama: Utterly disappointed!

22/3/24, 6:56 pm - +SL: Big stuff is not fully automated and it will need to be supported by a big team (human resources)

22/3/24, 6:56 pm - +Smiley face: Mistral AI.... worth looking into.....side bets!

22/3/24, 6:57 pm - +Smiley face: MS will craft it for you....pay !

22/3/24, 6:57 pm - +SL: Annual….

22/3/24, 6:58 pm - +Smiley face: Special deals under FTA !

22/3/24, 6:59 pm - +SL: the agreement it cover? 🤔

22/3/24, 6:59 pm - +Smiley face: International collaboration and partnership agreement

22/3/24, 7:00 pm - +Smiley face: <Media omitted>

22/3/24, 7:00 pm - +REACH: *Dear Contributors,*

We will be closing the chat for today.

Thank you very much for being part of our WhatsApp chat and participating actively.

Goodnight!

Megan 😊

22/3/24, 7:00 pm - ~ REACH Singapore changed this group's settings to allow only admins to send messages to this group

