Sunday, 1 December 2013

Two charged over Istana hacking

By Lim Yan Liang, The Straits Times, 30 Nov 2013

THE Istana website was attacked four times by hackers in a span of minutes on Nov 8, a district court heard for the first time yesterday.

The cyber intrusions were said to have been committed by two suspects, who used a string of computer code to illegally access the website and cause it to display illegitimate images and insulting phrases.

Businessman Delson Moo and student Melvin Teo were each charged yesterday with two counts of unauthorised modification of the server which hosted the Istana webpage.



This, just over two weeks after they were first questioned by police over the hacking of the site.

The court heard that Moo and Melvin each made two successful and almost simultaneous intrusions just after 12.30am through the website's search box.

At 12.33am, Melvin allegedly hacked into the site to display the phrase "Patrick Tan For The Win". It is not known who he was referring to exactly.

The 17-year-old then repeated the attack within the next few minutes and posted what appeared to be a caricature of himself and the phrase "Melvin Teo For The Win", over what the webpage would normally display.

Moo, who is 42, allegedly used a similar method to break into the the Istana site twice, starting at 12.34am that same morning.

On both occasions, he caused the webpage to display a picture of an old woman pointing her middle finger, along with a string of offensive words in Hokkien.

The charges against Moo and Melvin were not read together - both their charge sheets also did not bear each other's name, which means they would likely be dealt with separately.

The two are, respectively, the second and third suspects to be charged after the recent string of cyber attacks reported here. The first was James Raj Arokiasamy, the alleged hacker who used "The Messiah" pseudonym.

The 35-year-old, accused of hacking a town council website last month, has been remanded for further investigations. Police had said previously that Moo and Melvin are not linked to James Raj. The businessman and James Raj are both represented by lawyer M. Ravi.

Yesterday, Moo arrived at court accompanied by his wife and Mr Ravi, while Melvin was with his parents.

Melvin was released on $10,000 bail, but Moo's bail was doubled to $20,000 after he was granted permission to leave Singapore for a family holiday in Thailand next month. He will be required to report to the police within 24 hours of his return.

Both men declined to speak to reporters when approached.

The pre-trial conference for both their cases will be held on Jan 24.





* Istana site hacker gets 12 months' probation
By Elena Chong, The Straits  Times, 5 Aug 2014

THE student who hacked into the Istana website last year has been given a shot at rehabilitation by a district judge.

Judge Lim Keng Yeow also advised the 18-year-old to apply his IT know-how to his studies - not to doing wrong.

Those comments were made yesterday when Melvin Teo Boon Wei was sentenced to 12 months' probation after he was found guilty of computer hacking.

"Use them for the good of other people rather than for harm. Use them to promote the well-being of other people rather than to act in mischief," said Judge Lim.

The Institute of Technical Education student is the second person to be convicted of unauthorised use of a computer service by hacking into a government website.

Delson Moo Hiang Kng, 43, was fined $8,000 two months ago for a similar cross-site scripting (XSS) attack on the Istana website last year.

Teo, a first-year electronics student, had admitted to one of four charges with the rest taken into consideration.

An XSS attack, one of the most common types of cyber attacks, "injects" a script into the Web application by exploiting a security vulnerability.

In this case, the application involved the Google search page embedded in the Istana website.

The court heard that while Teo's act caused no damage to the contents of the Istana Web server, the website operator and potential users were inconvenienced.

Judge Lim said the courts took a very serious view of any form of cyber intrusion or attacks that threatened cyber security.

"Even acts of lesser proportions are deplorable and unacceptable. They rightly draw public disapproval and should be expected to result in substantial sentences in court," he said.

This case involved "an act of immaturity and an act of wanton mischief", the judge said, but he added that there were no other serious consequences except for the disabling of the website's search functions for a few days.

He also noted that Teo has a history of good conduct at school and has good family support.

Under the probation order, Teo has to perform 80 hours of community service and remain indoors from 10pm to 6am.

His parents are also bonded for $5,000 to ensure his good behaviour.





* Teen admits hacking Istana site for 'a joke'
By Elena Chong, The Straits Times, 5 Jul 2014

A STUDENT has admitted hacking into the Istana's website in what he claimed was a "harmless joke".

Melvin Teo Boon Wei yesterday became the second person to be convicted of unauthorised use of a computer service by hacking into a government website.

The Institute of Technical Education (ITE) College Central student carried out a cross site scripting (XSS) attack on the portal on Nov 8 last year after communicating with Delson Moo Hiang Kng, 43, who was fined $8,000 on June 5 for a similar cyber attack around the same time.

The 18-year-old first-year Nitec electronics student admitted to one of four charges of gaining unauthorised access to the server that hosted the Istana webpage at about 12.45am on Nov 8.

He hacked into the site to display the phrase "Melvin Teo For The Win!" with two caricatures of himself and some Chinese characters.

The court heard that XSS attacks are performed by "injecting" a script into the Web application by exploiting a security vulnerability - in this case the Google search page embedded in the Istana website.

Instead of entering pure text search terms, Teo entered hypertext markup language (HTML) code that he had crafted.

Deputy Public Prosecutor Kumaresan Gohulabalan said Teo learnt about the vulnerability on the Istana website from other users on Facebook.

At the time, XSS scripts that had been used to compromise the Google search page on the Prime Minister's Office (PMO) website were being disseminated on the Internet.

After the search function on the PMO website was disabled, Teo injected the modified script into the Istana website.

DPP Kumaresan said that although Teo's defacement did not cause any damage to the contents of the Istana server, it had inconvenienced the website operator as well as potential users.

"XSS attacks can be used for more pernicious purposes than just defacing Web applications," he said.

"Attackers can create pages that look identical to Web applications where victims enter confidential personal information and, subsequently, use XSS to steal this information - such acts would be a form of 'phishing'."

He argued it was in the public interest to ensure cyber security and public confidence.

Teo's lawyer V. Esvaran said his client did not realise the serious nature of the offence at the time. He was very contrite, remorseful, ashamed and regretted his folly.

"The accused's naivety and curiosity, coupled with the encouragement and influence of mature, older individuals and his belief that he was only causing a harmless joke, caused him to commit the offence," he said.

Community Court Judge Lim Keng Yeow called for a probation report on Aug 4.

The maximum penalty for the offence is a $10,000 fine and three years' jail.





* Istana website hacker fined $8,000
By Elena Chong, The Straits Times, 6 Jun 2014

A BUSINESSMAN who was fined $8,000 yesterday for hacking into the Istana website is the first to be convicted of carrying out a cyber attack on a government website here.

Delson Moo Hiang Kng, 43, who runs an IT consultancy firm, admitted to one of three charges of unauthorised access to the server that hosted the Istana webpage in November last year.

On three occasions, starting at 12.34am on Nov 8, he caused the webpage to display a picture of an old woman pointing her middle finger, along with a string of offensive words in Hokkien. The two other charges were considered during his sentencing.

Moo had hacked into the website using a technique called cross site scripting and exploited a vulnerability in the embedded Google search bar, which helps users to search for items within the site.

The aim of Moo's cyber attack was to deface the webpage, said Deputy Public Prosecutor (DPP) Suhas Malhotra yesterday.

Attacks using cross site scripting, he said, can also be part of a wider criminal activity - for example, where such an attack is used to ''phish'' for information about a victim, which is then used to perpetrate some other crime.

Instead of entering basic text in the Istana website's Google search engine, Moo entered hypertext markup language (HTML) code that he had crafted.

As a result, the server hosting the Istana website processed the injected script, and generated a webpage incorporating the offending text and images put in by Moo.

DPP Malhotra said Moo learnt about the vulnerability on the Istana website from other Facebook users.

His act, however, did not cause any damage to the contents of the Istana Web server.

The DPP said Moo's offences took place at a time when concerns about cyber security were particularly heightened.

On Oct 31 last year, a video had been released by a person calling himself ''The Messiah'', and who claimed to be associated with a global activist hacker group called Anonymous.

In the video, Anonymous declared ''war'' on the Singapore Government through ''aggressive cyber intrusion'', and called on Singaporeans to stage a protest on Nov 5.

The alleged hacker who used ''The Messiah'' pseudonym, James Raj Arokiasamy, 35, has been charged, and his case is pending.

Similar cases against the alleged hacker of the website of the Prime Minister's Office, Mohammad Azhar Tahir, 28, and Melvin Teo 17, who is also accused of hacking into the Istana website, are still at pre-trial stages.

Pleading for leniency, Moo's lawyer, Mr Anil Balchandani, said his client was remorseful for his actions, which were made not only in a moment of folly, but also in a ''sense of adventurism''.

He said the Istana website was not permanently altered, and Moo's changes or processing were seen by his browser in his computer.

There was no way anybody else could have replicated the defaced site without the code that Moo had used, he said.

Moo was also said to be surprised that the Istana website was not protected against his attack.

Agreeing with the prosecution that a jail term was not necessary, District Judge Liew Thiam Leng took into account that there was no alteration or disruption of the data in this case on the affected website, no ''phishing'', and no steps taken by Moo to disseminate the hyperlink containing the cross site scripting attack.

''However, there is considerable inconvenience caused in the present case, and as highlighted by the prosecution, the website was not available for a certain period in time, and the necessary steps have to be taken to rectify the website,'' said the district judge.

The maximum penalty for the offence is a $10,000 fine and three years in jail.





Museum website hacked; MOM finds duplicate site
Singapore Art Museum and ministry file police reports
By Melody Zaccheus, The Straits Times, 30 Nov 2013

THE Singapore Art Museum (SAM) found its website was hacked on Thursday, less than a month after information on 4,000 people on its online mailing list was compromised.

This came on the same day that the Ministry of Manpower (MOM) filed a police report after discovering a duplicate of its website, also on Thursday.

A SAM spokesman said it was alerted by the Infocomm Development Authority (IDA) on Thursday that SAM was among a list of 1,500 "vulnerable websites" that was published on the Internet.

Internal checks uncovered links that had been added to a page on the SAM site directing visitors to another website, but they were dead links.

The museum immediately removed the links and lodged a police report. No data was compromised, said the spokesman.

The SAM website was taken down briefly to retrieve the affected files and eventually restored by 9pm last night.

This latest cyber intrusion comes even as SAM beefs up security of its site, after data including names, e-mail addresses and phone numbers were taken from its online mailing list and illegally published on a New Zealand-based storage website for at least two hours on Nov 5.

"It is an ongoing process. It takes some time," the spokesman said about the security measures.

Meanwhile, the fake MOM site, www.momgov.sg, was still accessible at press time. It features the same design as the original and the TrustSG trust mark, although not all the links work.

In a post on Facebook yesterday, Acting Minister for Manpower Tan Chuan-Jin said the public should use only the official MOM website - www.mom.gov.sg.

He also advised them to pay attention to punctuation: "A full stop makes all the difference", he wrote.

"At the same time, we would also like to assure everyone that access to the official MOM website remains unaffected, and no data has been compromised," he added.

The official site links the public to MOM e-services, where they can apply for work permits online, view foreign worker levy bills and pay fines and bills.

The fake site directs users to what appears to be the real site and in some instances, dead links.

An MOM spokesman said "there are measures to protect the MOM website".

This incident follows a series of cyber attacks since mid-October that resulted in several school websites being defaced and intrusions into websites belonging to the Ang Mo Kio Town Council, Istana and the Prime Minister's Office.

Five people have been arrested and three have been charged over these incidents.





2 men arrested over Istana site hacking
S'porean businessman and ITE student expected to be charged in court today
By Lim Yan Liang, The Straits Times, 29 Nov 2013

BUSINESSMAN Delson Moo and student Melvin Teo were arrested yesterday - more than two weeks after they were first questioned by police over the recent hacking of an Istana webpage.

The two Singaporeans, aged 42 and 17 respectively, are expected to be charged in court today for the "unauthorised modification of computer material under the Computer Misuse and Cybersecurity Act", said a police spokesman.

The spokesman did not release the names of the suspects. But The Straits Times previously reported that Mr Moo and Melvin were hauled up for questioning over the cyber intrusion of the Istana website.

This was after the police revealed on Nov 14 that two suspects were involved in the Istana attack, while two others allegedly hacked into the Prime Minister's Office (PMO) website on the same day - Nov 8. The two pairs are not connected to each other and did not act in concert, but "exploited a vulnerability of those sites to display pages from other sources", the police said then.

The Straits Times later learnt that the pair allegedly behind the PMO incident were brothers Mohammad Asyiq Tahir, 21, and Mohammad Azhar Tahir, 27. Both were arrested, but have since been released on police bail.

Their mother, who declined to be named, said on Wednesday night that her sons had moved out of their Tampines flat, and she was unaware of the developments in the case against them.

Police said yesterday that "investigations are ongoing for the PMO case".

Unlike the brothers, Mr Moo and Melvin were arrested only yesterday. They are believed to have been released on police bail, and will have to appear in court on their own to face charges today.

None of these four men is linked to James Raj Arokiasamy, whom court documents earlier identified as the alleged hacker who used "The Messiah" pseudonym. The 35-year-old accused of hacking the Ang Mo Kio Town Council website has been remanded for further investigations.

Melvin is an Institute of Technical Education (ITE) student. Mr Moo runs an online store selling baby products and women's clothes, and two IT-related firms.

Both active social media users, they became friends through Facebook. Both men declined comment when contacted last night. But Mr Moo said previously that he committed the offence in a moment of folly. He also admitted that he intruded into the PMO website, and it is believed he faces another charge for the act.

"It was purely a stupid mistake," he told The Straits Times on Nov 14. "My hand was itchy and... I got myself into trouble."

If found guilty, Mr Moo and Melvin may be fined - not exceeding $10,000 - or jailed for a term not exceeding three years, or both, said a police spokesman.



No comments:

Post a Comment