DNS hijack that affected websites in Malaysia underscores need for greater responsibility and accountability
Agencies, as well as media reporting on such issues, should be held to the highest professional standards
It was a week that was all about security, trust and standards in the online sphere – and quite a bit about the lack of all these, when it comes to Malaysia. And not just in the online space, but also the media.
If that sounds harsh, just consider this: On Monday July 1, the domain registrar MYNIC Bhd had its servers compromised, leading to what is known as DNS (Domain Name System) hijacking or poisoning. Queries for certain websites ending in the ‘.com.my’ domain were directed to temporary sites set up to give everyone the impression that these sites had been hacked.
So no wonder the first reports by non-tech online news outlets were that the Malaysian websites of multinationals like Dell, Google and Microsoft had been hacked. It’s too bad they weren’t keeping an eye on Digital News Asia (DNA) or Lowyat.NET founder Vijandren Ramadass’ blog, which had both reported that day itself that the websites had NOT been hacked.
The general news outlets would not let such a fact get in the way of a good story, apparently, because for the next couple of days, there were still reports coming out about the websites being hacked and how MYNIC and industry regulator the Malaysian Communications and Multimedia Commission (MCMC) were investigating the matter.
One even had a follow-up piece about how the websites concerned had been ‘fixed’ and were back to normal operations after having been hacked, and another ran a story on how the MCMC and police were investigating the hacking of the websites – with a delicious little sentence about how Google was denying its website was hacked, placed in such a way as to imply the search giant was just in denial mode.
As an aside on the ‘never let the facts get in the way of a good story,’ there was also the Bernama report on Kinabatangan Member of Parliament Bung Mokhtar Radin, who essentially misled Parliament into believing that Britain and Singapore had social media licensing regulations.
As for general news outlets going with the ‘websites hacked’ story, you can’t really blame them in some ways, thanks to the MCMC’s statement on the issue which did not correct that misconception and in fact, reinforced that view – unless you perused it properly and noticed the nitty-gritty.
It made me recall that incident in 2011 when Certification Authority (CA) DigiCert Sdn Bhd had its trust revoked by Entrust, the US-based CA whose imprimatur authorised it. “The omissions of DigiCert Malaysia appear to be a serious violation of CA security standards,” The Register reported on the issue. This led to Google, Microsoft and Mozilla removing DigiCert authentication from their browsers.
MYNIC is an agency under the Ministry of Science, Technology and Innovation (MOSTI) and is regulated by the MCMC, also under the same ministry. DigiCert is licensed by the Government to provide trust solutions for e-businesses in Malaysia.
The Government needs to stop its right hand looking after its left. The Kinabatangan MP was right in one respect when he described the MCMC as a “toothless tiger,” though he had all the wrong reasons for doing so.
It is perhaps time to make the industry regulator an independent body answerable only to Parliament, so that it can do more than slap the wrists of its fellow government agencies when they are derelict in their duties and responsibilities.
All this in a week which saw CyberSecurity Malaysia (CSM) – another MOSTI agency – launching its Malaysia Trustmark for Private Sector programme, again to promote trust and consumer confidence in e-business. Truth to tell, and it’s heartening in a way, CSM was the only MOSTI agency that seemed to know what was going on over the DNS hijack.
In their research paper on Cybercrime-as-a-Service, McAfee’s Raj Samani and François Paget have exposed the scary and very professional underbelly of the cybercrime world. Earlier this year, in the wake of a ‘cyber-war’ between Filipino and Malaysian hackers during the Lahad Datu incursion, I wrote that our government agencies needed to step up. In the wake of the DNS hijack, security experts and professionals are asking governments to step in.
I paraphrase what I wrote in March: It’s time we got really serious about this issue. We need to harden our cyber-defences for our national security; we need people we can trust to look into this; and we should hold them to the highest standards of professionalism.