Can we please start taking cyber-security seriously? (Updated)
By Gabey Goh January 3, 2014
- Over 60 websites and two government portals were defaced on New Year's Day
- Incident raises questions about the general state of IT security in the country
[Updated with additional comments]
THE start of the new year was marked by the defacement of several Malaysian websites, including those belonging to government agencies.
Digital News Asia (DNA) was originally tipped off via a tweet by reader @Syawal at 1am on Jan 1, pointing to the defacement of the Ministry of Education (MOE) website.
The MOE homepage was replaced with a new landing page wishing visitors a Happy New Year, with credit for the attack being claimed by Llurker from the EvilShadow Team.
In 2012, a group believed to be from China calling itself EvilShadow Team was allegedly behind the defacing of software giant Microsoft India's retail website. However, it could not be determined if the same group was responsible for these latest attacks.
Further research found that more than one Malaysian website had been defaced. A post by blogger Tetikus listed 30 websites that had been defaced, with the homepages of these sites replaced by a new image purportedly in protest of the price hikes that Malaysia expects to see this year. A post by blogger Mazudi listed another 36 affected websites.
Visitors to another government portal, belonging to the Malaysia My Second Home programme, were greeted by a pop-up which said “Greetz Marhaen.” The site also featured posters linked to the 'Turun' (Lower) street protest about rising prices and the cost of living, which took place in Dataran Merdeka (Independence Square) in Kuala Lumpur on Dec 31.
Responding to queries from Astro Awani, industry regulator the Malaysian Communications and Multimedia Commission (MCMC) confirmed that it was already investigating the attacks.
MCMC chairman Mohamed Sharil Mohamed Tarmizi said that the administrators of the websites were handling their respective sites, but added that the MCMC was also providing support and assistance upon request.
“At this moment, we will be investigating the incident. Some of the hacking attacks appear to be defacement-type hackings. We are verifying whether something more serious has happened,” said Sharil.
He said that the MCMC was trying to establish if there are any offences, "whether it is improper use of network or facilities or something that falls under the Computer Crimes Act (1997)."
"We have to assess the damage and all that, if at all, then decide -- please don’t jump the gun and assume things."
The MOE site was taken down on Jan 1 and at time of writing, the site and the others affected have been restored.
Making a point
Members of the hacker community that DNA spoke to about the spate of website defacements noted that such attacks were usually conducted purely to make a point.
Defacing a website requires less lead time and no deep access to a company’s network, and it usually does not involve stealing sensitive information or data, which is typically done stealthily to avoid detection.
According to checks done by hacker and security expert @sniiffit, most of the defaced websites resolve to the same IP (Internet Protocol) address, which is allocated to Piradius. This means that these websites are hosted by the same hosting company.
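The check described above, grouping a list of hostnames by the address they resolve to, is the same one a defender can run against their own domains to see how much of their web presence sits on a single shared host, and therefore how many sites go down together if that host is compromised. The following is an added example, not code from the DNA article or from @sniiffit; the hostnames and addresses are constructed placeholders (reserved documentation ranges), and the resolver is injectable so the grouping logic runs offline without touching real DNS.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample data: hostnames and the addresses they "resolve" to.
# These are placeholder names and RFC 5737 documentation addresses, not the
# real sites mentioned in the article. None marks an unresolvable name.
SAMPLE_RESOLUTIONS = {
    "site-a.example": "198.51.100.10",
    "site-b.example": "198.51.100.10",
    "site-c.example": "198.51.100.10",
    "site-d.example": "198.51.100.77",
    "site-e.example": "203.0.113.5",
    "site-f.example": None,
}


def sample_resolver(host):
    """Offline stand-in for DNS: look the name up in the constructed table."""
    ip = SAMPLE_RESOLUTIONS.get(host)
    if ip is None:
        # Mirror what a live lookup raises for a name that does not exist.
        raise socket.gaierror(-2, "Name or service not known")
    return ip


def live_resolver(host):
    """Real lookup via the system resolver (needs network access)."""
    return socket.gethostbyname(host)


def group_by_address(hosts, resolver=live_resolver):
    """Map each resolved address to the hostnames that point at it."""
    groups = defaultdict(list)
    unresolved = []
    for host in hosts:
        try:
            ip = resolver(host)
        except (socket.gaierror, OSError):
            unresolved.append(host)
            continue
        groups[ip].append(host)
    return dict(groups), unresolved


def group_by_network(groups, v4_prefix=24, v6_prefix=64):
    """Aggregate address groups into netblocks, since one hoster usually
    owns a whole range rather than a single address."""
    nets = defaultdict(list)
    for ip, hosts in groups.items():
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].extend(hosts)
    return dict(nets)


def concentration_report(hosts, resolver=live_resolver):
    """Summarise how concentrated a set of sites is on shared infrastructure."""
    groups, unresolved = group_by_address(hosts, resolver)
    resolved = sum(len(v) for v in groups.values())
    if groups:
        largest_ip, largest_hosts = max(groups.items(), key=lambda kv: len(kv[1]))
    else:
        largest_ip, largest_hosts = None, []
    return {
        "resolved": resolved,
        "unresolved": unresolved,
        "distinct_addresses": len(groups),
        "largest_address": largest_ip,
        # Fraction of resolved sites sharing the single most common address.
        "largest_share": (len(largest_hosts) / resolved) if resolved else 0.0,
        "networks": group_by_network(groups),
    }


if __name__ == "__main__":
    report = concentration_report(list(SAMPLE_RESOLUTIONS), resolver=sample_resolver)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against your own domain inventory with the default `live_resolver` gives the same picture @sniiffit built for the defaced sites: a `largest_share` near 1.0 means one hosting account or server is a single point of failure for most of your web presence, which is worth knowing before, not after, that provider is compromised.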
When asked for his take, Suresh Ramasamy, a security expert with Hack In The Box (HITB), said the hosting provider was probably running a vulnerable version of its software. He added that this is the risk of using a hosting provider, as the customer is subject to how secure the hosting provider is.
Suresh argued that companies on the Internet have yet to fully understand the magnitude of security, while some hosting providers take a lackadaisical approach to managing their servers and systems.
“[The] organisations affected will surely be on their toes as this incident has damaged their reputations,” he said.
According to Suresh, having good operational practices is key, and ensuring patch management is "religiously" followed goes a long way in preventing such incidents.
“Having the right processes, for example using the ISO 27001 [security standard], provides a foundation for security best practices that reduces such incidents, if followed effectively,” he added.
While many will be relieved that no sensitive data was stolen and may dismiss the incident as a case of cyber-vandalism or hacktivism, the recent spate of website defacements only serves as a reminder of on-going questions about the general state of network security in the country.
If over 60 websites can be easily defaced, how prepared are our businesses and government agencies for attacks of a more insidious or monetary nature?
In 2013, there were two high-profile cases of DNS hijacking: in the first, national domain registrar MYNIC Bhd was breached, and the second involved one of its resellers, which had fallen victim to the same crime.
In another case, Malay-language technology blog Amanz.my reported that telecoms giant Celcom’s systems had been breached by a hacker group calling itself GaySec, which then posted details – parts of names, phone numbers and MyKad (the national identity card) numbers – of some 3,000 customers from the company’s 2012 database.
“All I can say is this, to companies which want to do IT yet want it for cheap: you pay peanuts, you get monkeys.
“There are plenty of good, honest, real IT professionals with backgrounds in security and network infrastructure out there who would fix these holes for the right price,” said one hacker who declined to be named.
One IT veteran DNA spoke to noted that he had first pointed out the holes and vulnerabilities that enabled website defacements back in 1998, and in the 15 years since, not much has changed.
The question I’d like to ask is this: Why?
Must it really happen the way more than one security researcher or expert has cynically noted to me – that a serious, catastrophic event must first occur before real commitment to robust security protocols will be made?
Must we first have an incident like US retail giant Target, which was a victim of a hack resulting in the theft of encrypted debit card PIN (personal identification number) data affecting over 40 million customers?
Or will it be a case like Snapchat, where despite efforts by the security research community to inform the mobile app maker of serious security vulnerabilities, it was the target of a hack that resulted in the publication of the usernames and phone numbers of more than 4.6 million users?
The individual or team claiming responsibility for the hack responded to The Verge's requests for comment, stating that they were motivated to release the information in order "to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed."
"Security matters as much as user experience does," those responsible said.
Indeed it does, and companies must be mindful of the responsibilities they bear to their stakeholders and customers in ensuring that they do everything possible to protect and secure their digital assets -- especially as we move towards a more mature and digitally savvy society, for there is certain to be less tolerance for any commercial entity that does not actively demonstrate this.
My colleague A. Asohan has written much about the need for the Government and its plethora of agencies to get serious about national cyber-security, so I won’t touch on that. You can read his thoughts here and here.
Instead, I have only this final thought to share, and one directed squarely at the small and medium enterprises out there that power so much of our economy but don’t do as much as they should when it comes to security.
The big multinationals will always have better security measures, a critical investment for the continued growth of their business, mandated by global protocols and by the acute awareness that they are big and attractive targets for attacks.
But hackers are not targeting them these days. They’re targeting you, the small fry with fewer security walls to break. And once they’re in, you’ll be lucky if stealing your company’s data is the only thing they do. May the market have mercy should they use your network to gain access to your larger, more valuable business partners – and everyone finds out, because they will.
Of course, I can't deny that I and other journalists who track the IT security space would appreciate the traffic boost we'd get from covering any serious or massive hack of your company. But in the bigger scheme of things, I secretly hope I won't have to write too many of them, because such stories, despite being juicy click bait, are frankly depressing and a little embarrassing.
If you have in-house IT personnel, empower and enable them to secure and protect. If you outsource your IT, demand service level agreements for stringent and regularly updated security measures from your vendors and providers.
Don’t let defacement become the prelude to a more sinister incident that will leave you red-faced. Or worse, bankrupt.