Thursday, June 5, 2014

A Breach Should Be Called A Breach

Enough to make you see red
You know respect for the prime minister has hit an all-time low when, despite his blustering and making ugly faces in parliament to insist that a spade should be called a spade, the Infocomm Development Authority of Singapore (IDA) is ignoring him and refusing to own up to a breach in security.

Faces at Crimson Logic turned red when they first discovered that SingPass account holders were finding password reset notification letters in the mail even though they had made no such requests. These were account holders whose personal data, such as contact information, employer details and remuneration records, was in the custody of Crimson Logic, the appointed operator of the SingPass single-factor authentication system for all government e-services in Singapore.

IDA investigated, and discovered that 1,560 user profiles were illegally accessed. At least 419 fell for the ruse, and their passwords were reset. Affected SingPass users had their account profiles modified and linked to a small pool of Singapore-registered mobile numbers; IDA refused to say how many. The mobile number can be used in a two-factor authentication procedure: when the victim changes his or her password, this number serves to "verify" the request. This is obviously too technical for IDA: "We continue to explore the use of two-factor authentication for e-government transactions, particularly those involving sensitive data..." Nothing much has changed at IDA ever since the very first chief executive famously said that although she knows zilch about technology, she can always hire someone who does.
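The abuse pattern described above (many profiles re-linked to a small pool of mobile numbers, then password resets "verified" through those numbers) is exactly the kind of thing an operator's audit log should flag. The following is an added example, not code from IDA or Crimson Logic: it runs two simple checks over a constructed audit log with placeholder account IDs and mobile numbers, assuming a log format of (timestamp, account, event, detail).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real SingPass data). Account IDs and
# mobile numbers are placeholders; the event names are assumed.
SAMPLE_LOG = [
    ("2014-06-01T10:00:00", "ACC-001", "mobile_changed", "+65-PLACEHOLDER-1"),
    ("2014-06-01T10:02:00", "ACC-001", "password_reset", "sms_otp"),
    ("2014-06-01T10:05:00", "ACC-002", "mobile_changed", "+65-PLACEHOLDER-1"),
    ("2014-06-01T10:06:00", "ACC-002", "password_reset", "sms_otp"),
    ("2014-06-01T10:09:00", "ACC-003", "mobile_changed", "+65-PLACEHOLDER-1"),
    ("2014-06-02T09:00:00", "ACC-004", "mobile_changed", "+65-PLACEHOLDER-2"),
    ("2014-06-03T09:00:00", "ACC-004", "password_reset", "sms_otp"),  # a day later: normal
]


def parse(ts):
    return datetime.fromisoformat(ts)


def shared_mobile_numbers(log, min_accounts=3):
    """Return mobile numbers that have been linked to at least `min_accounts`
    distinct accounts. One number verifying many accounts is the red flag."""
    owners = defaultdict(set)
    for _, acct, event, detail in log:
        if event == "mobile_changed":
            owners[detail].add(acct)
    return {num: sorted(accts) for num, accts in owners.items()
            if len(accts) >= min_accounts}


def reset_soon_after_mobile_change(log, window=timedelta(minutes=30)):
    """Return accounts whose password was reset within `window` of a change to
    the mobile number used to verify the reset. A legitimate user rarely does
    both within minutes; an attacker who re-linked the profile always does."""
    last_change = {}
    flagged = []
    for ts, acct, event, _ in sorted(log, key=lambda e: parse(e[0])):
        t = parse(ts)
        if event == "mobile_changed":
            last_change[acct] = t
        elif (event == "password_reset" and acct in last_change
              and t - last_change[acct] <= window):
            flagged.append(acct)
    return flagged


if __name__ == "__main__":
    print(shared_mobile_numbers(SAMPLE_LOG))
    print(reset_soon_after_mobile_change(SAMPLE_LOG))
```

In a real deployment the thresholds would be tuned against the operator's baseline, and either hit should block the reset pending out-of-band confirmation rather than merely log it.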

The Managing Director of IDA, Ms Jacqueline Poh, is treating the incident as "a shot across the bow" and has advised all individuals to "examine themselves" and take personal responsibility for their own cyber security, to borrow the phraseology used by one Arthur Fong about foreign intrusion. IDA has filed a police report, and since they are insisting that the SingPass system has not been compromised or breached, IDA must be saying the stolen addresses and IDs were looted from virtual personal premises. And not filched from the highly secured and firewalled database of the Crimson Logic operator. Go figure.

23 comments:

  1. The first question that comes to mind is "Is it a S$2 company like AIM? Is it too cheapskate to install the proper firewalls? How much is the company paid for providing such substandard services until hackers can also hack into the accounts?"

    Again so many questions, few or no answers? Are we not getting an incompetent dose of government?

  2. Does not matter which company, systems or what not.

    But it is certainly the fault of you... the citizen, you are the one:

    Who chose opposition - it's your fault
    Who did not save for retirement - it's your fault
    Who cannot board the train - it's your fault
    Who cannot find a job - it's your fault
    Who read the 'wrong' news - it's your fault
    Who did not upgrade skills - it's your fault
    Who cannot afford medical care - it's your fault

    Time I took responsibility for all my faults and corrected them...

  3. And as one nicole said:

    When you succeed, it's the system that helped you, it's meritocracy.
    When you fail, it's all your fault.

  4. The SingPass breach does not amount to anything up to now, because it seems like no one is being defrauded; this suggests that the government is wasting taxpayers' money to connect everyone.

  5. They never make mistakes. Only the citizens do. Not even an apology. The arrogance and sneering at the hapless must be stopped once and for all.

  6. Actually there is no breach, it is just a poorly set up password reset system. Any company that takes a photocopy of your IC front and back just needs to enter the data to reset your password. But the mailer would still go to the user's address, unless someone is able to intercept the mail sent by Crimson Logic.

    If I were to implement such a system, I would include CAPTCHA to slow down the attacker. I guess those at Crimson Logic are mainly cheap Ah Neh programmers from India. Pay peanuts, get monkeys.

    Replies
    1. I take back what I wrote above. It appears that an online brute-force attack triggered the password reset on those 419 accounts with strong passwords. Another 1,560 accounts were successfully hacked. A proper intrusion detection system would have minimised the damage. But users who use weak passwords are not faultless either.

  7. ever since the very first chief executive famously said that although she knows zilch about technology, she can always hire someone who does.//

    Didn't SMRT's Ms Saw say something along the same line too?

    Replies
    1. Come to think of it, will we hear PM Lee proclaim the same thing, that all along he had no clue how to run the country but his father assured him it would never be a problem because they can hire 77 stooges who do?
      Do you think this could be the main reason why the country is in such a mess?

    2. Or the former CEO of Singtel who boasted in his first press interview that he does not even have a television set at home and his children had to go to the grandparents' home to view TV shows.

    3. The old man did once say, even if you put a dummy as the conductor of a great orchestra, you can still hear beautiful music.

    4. Each of the 77 stooges also thinks that he/she can hire other lesser mortals to do their jobs and so on. The whole country is now practically run by FTs who will soon outsource their job to their compatriots too.

      No wonder everything is falling apart - MRT, storm drainage,...

  8. I think the PAP is using too many bananas to pay for their monkeys... and when the monkeys litter the banana peels after leaving the building... PAPies slip on those... and as usual blame others except the monkeys they originally "hired"....

    haizzzz

  9. Who said we were hacked? It was you the sheeple who chose the unsafe reset option! You could have chosen the safe option and nothing would have happened. All your fault, you monkeys; even when we spoon-feed you rubbish, you still eat! Not your fault, whose fault? Certainly we the million-dollar civil masters are never at fault; even if we are, we insist it is you who are at fault. If not, we sue you until we get the correct answer: it's your fault! Now let's see who we should promote next to the next level of incompetence and award him/her a big GDP bonus.

  10. The way they reply is exactly like Teo Ho Pin. There is no breach, we use a strong padlock and maintain a proper key access system. LOL

  11. Wonder if this has anything to do with the Heartbleed bug.

  12. Without transparency there can be no accountability. Blaming the victim is an age-old ploy. Just look at the ultra-religious societies of the sub-continent where victims, especially women, are severely punished (read: stoning) for 'not toeing the line'.

  13. PAP Joke
    -----------
    Q: Why did the chicken cross the road?
    A: He had to reset his SingPass password.

  14. Come on Sinkies.
    Please do not expect anyone, even the best civil engineer, to be able to stop ponding when god makes it happen.
    Nor can a gangster chief remain one infinitely, for he will wither and die like any other mortal.
    Accidents, mishaps and mistakes are part and parcel of living.

  15. IDA's Managing Director, Jacqueline Poh Mae-Jean, is another elite with the right connections. Her husband is Andrew Tan, CEO of the Maritime & Port Authority of Singapore. Both are top civil servants.

    Andrew Tan used to be LKY's principal private secretary 10 years back.

    Replies
    1. Well, that's meritocracy for you! Here, it's properly defined as "affinity and strength of connection to The Minister and His Cronies, via any orifice"; in the real world, they've known it's a myth for years!

  16. This comment has been removed by the author.

  17. With 3.3 million registered users and an e-service platform linking practically all government departments and services, it is almost criminal not to have 2FA.

    And with the NRIC No. being used as the User ID, there is no need to guess the User ID. All the hacker needs to do is guess the passwords, or use brute force to find the passwords.
