Thursday 2 March 2017

Cyber attack on MINDEF: Hackers steal data of 850 NSmen and staff in February 2017

By Irene Tham, Tech Editor, The Straits Times, 1 Mar 2017

The personal details of 850 national servicemen and staff at the Ministry of Defence (MINDEF) were stolen last month in what the ministry described as a "targeted and carefully planned" cyber attack possibly aimed at accessing official secrets.

MINDEF has ruled out casual hackers, criminal gangs and an inside job, leading experts to believe that the attack, the first in which MINDEF lost data, could be the work of foreign governments.

Early last month, MINDEF discovered that a vulnerability in its I-net system had been exploited, resulting in the loss of NRIC numbers, telephone numbers and birth dates of 850 personnel.

The I-net system provides Internet access on thousands of dedicated terminals to national servicemen and other employees working in MINDEF's offices and Singapore Armed Forces premises, such as army camps and naval bases.

At a briefing yesterday, MINDEF's deputy secretary of technology David Koh apologised for the breach.

He said that after the attack was detected, the affected server was disconnected from I-net and the security vulnerability was fixed. No classified information was stolen.

MINDEF, which is still seeking the culprit, added: "The real purpose may have been to gain access to official secrets, but this was prevented by the physical separation of I-net from our internal systems."

The delinking of classified systems from Internet computers prevents sensitive information from being accessed through the Web.

Explaining the delay in revealing the attack, MINDEF said it needed to investigate the incident before informing the public.

It added that it will contact all affected personnel within the week.

They will be asked to change their passwords and report any unusual activity related to the use of their personal information.

No breaches in other government networks have been detected, said the Cyber Security Agency.

Security experts say the attack may have been state-sponsored.

Mr Aloysius Cheang, executive vice-president of global computing security association Cloud Security Alliance, said: "It is common for states to sponsor such attacks to access other countries' infrastructure, and build a portfolio of information that can be used to their advantage."

Take steps to secure online accounts, experts urge
They advise against using birth date, NRIC or phone numbers as password
By Irene Tham, Tech Editor, The Straits Times, 1 Mar 2017

If you are using your NRIC and telephone numbers or birth date as a password to secure online accounts, change it immediately.

This is the advice of the Ministry of Defence (MINDEF) and security experts following a cyber attack discovered early last month, which resulted in the loss of the personal details of 850 MINDEF employees and national servicemen.

"Personal information is highly valuable to hackers since this can be used in further attacks or sold for monetary value," said Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec.

For instance, the stolen data could be used to access e-government services such as Central Provident Fund account balances, as one's NRIC number is the user name in many cases.

Hackers may also disguise themselves as the local authorities in e-mails embedded with malicious links or documents to trick users into downloading malware or divulging sensitive data, Mr Savvides said.

"Users need to be wary of follow- on attacks that may be crafted using the information gathered," he added.

MINDEF revealed yesterday that the unknown hackers exploited a vulnerability in its I-net system, resulting in the loss of the NRIC numbers, telephone numbers and birth dates of the 850 personnel.

The I-net system provides Internet access on thousands of dedicated terminals to national servicemen and other employees working in MINDEF's offices and Singapore Armed Forces premises.

Mr Alex Lei, regional director for South-east Asia at security systems specialist FireEye, said that targeted attacks are the "new reality" for governments around the world.

"Targeted attacks often reflect geopolitical tensions, and South-east Asia is no stranger to these tensions," said Mr Lei.

Mr Sanjay Aurora, Asia-Pacific managing director of cyber security firm Darktrace, said the incident highlights the importance of using advanced systems.

"It is a cyber arms race, and artificial intelligence technology that automatically identifies and takes action against genuine threats will be instrumental in safeguarding critical information and infrastructure," he said.

Mr Dan Yock Hau, director of the Cyber Security Agency of Singapore's National Cyber Incident Response Centre, concurred.

"We have to take steps to build greater security into software design and strengthen our systems to ensure resilience to cyber attacks," he said.

He also noted that trained cyber security professionals will play an important role to keep Singapore systems safe.

Public relations consultant Khairul Sufiyan uses his NRIC number and birth date as a password for some online accounts. "I better change them quickly," said the 30-year-old, who was worried he could be one of the 850 affected.


September 2014

The personal data of 317,000 customers of karaoke bar chain K Box was exposed on the Internet owing to lax security measures. Access to K Box's computers was protected by weak passwords made up of only one letter of the alphabet. K Box was fined $50,000 by Singapore's privacy watchdog as a result of the breach, which exposed customers' names, addresses, and mobile phone and identity card numbers.

June 2014

The Government discovered that 1,560 SingPass accounts were stolen. Three tampered accounts were fraudulently used to make applications for work passes. The use of easy-to-crack passwords was believed to be the culprit. SingPass is an authentication system that secures Singapore residents' access to 340 e-government services, including those for filing income tax returns and checking Central Provident Fund account balances.

March 2015

The personal data of more than 1,900 pupils from Henry Park Primary School was leaked when an Excel spreadsheet containing the children's particulars was mistakenly sent out to about 1,200 parents as part of an update about a school event. The file contained the names and birth certificate numbers of all 1,900 pupils in the school, and the names, telephone numbers and e-mail addresses of their parents.

January 2017

The Personal Data Protection Commission fined PropNex Realty $10,000 after the latter inadvertently caused the personal data of 1,765 people to be leaked online. A system flaw caused a PDF document listing one item or all of the personal information - name, mobile number, residential address and e-mail address - of the 1,765 individuals to be freely available online for months.

* Parliament: MINDEF sets up new cyber command to beef up defence against cyber attacks

Singapore strengthens cyber defence with new organisation
It will also bolster round-the-clock protection of networks, build force of cyber defenders
By Adrian Lim, The Straits Times, 4 Mar 2017

Singapore is setting up a new Defence Cyber Organisation (DCO) to bolster its defences against the growing threat of online attacks, as it moves to boost the round- the-clock protection of its military networks.

It will also build a force of cyber defenders - tapping national servicemen, both full-time and operationally ready men - who will lead the charge in this new battlefront.

These moves are vital in the light of the Defence Ministry's (MINDEF) disclosure earlier this week that the personal details of 850 NSmen and staff were stolen, a theft uncovered last month.

"We can expect more of such cyber attacks in the future," Defence Minister Ng Eng Hen said yesterday when announcing the DCO in Parliament during the debate on MINDEF's budget.

Dealing with such security threats, including fake news, is increasingly important for the Singapore Armed Forces (SAF), which as a fighting force is relying more often on computer technology.

Cyber warfare is a growing phenomenon. Dr Ng cited Ukraine's power grid being hit by cyber attacks and, in the US presidential election, the computers of the Democratic National Committee were hacked by unknown sources to discredit its candidate Hillary Clinton.

Fake news inflamed ethnic and political tensions in Indonesia, prompting it to form an agency to counter cyber crime and fake news.

"Modern militaries can no longer choose to ignore these external threats through the digital front,'' said Dr Ng.

Explaining the make-up of the DCO, he said it is "at the highest level of our organisational hierarchy".

It will have four formations, each with different roles, including overseeing the cyber security of all defence agencies and building up cyber defence capabilities.

The DCO will be led by a deputy secretary and the formations by a colonel or a flag officer, who is either a general or an admiral.

It fortifies the military's past efforts at securing its cyber defence. These include the 2013 Cyber Defence Operations Hub, which gathers its cyber-security experts under one command.

The round-the-clock monitoring of the military networks will be carried out by two units of the Cyber Defence Group (CDG) formation.

They are the Security Monitoring Unit and Incident Response and Audit Unit, whose teams will identify and neutralise cyber threats.

Under the units' watch, the security of SAF's networks will also be audited for resilience.

The CDG also has the Cyber Defence Test and Evaluation Centre, which has been operational since 2015 but was unveiled yesterday.

The ministry plans to have about 2,600 cyber defenders in 10 years - a big jump from the current numbers that "reflects the importance of this new battlefront", said Dr Ng.

SAF will also partner Singapore Technologies Electronics (Info-Security) and Nanyang Polytechnic to provide, among others, industrial attachments and joint development of cyber defence curriculum.

Two new defence technology labs are to be set up, to develop robotics, and exploit artificial intelligence and data analytics.

In addition, a new $900 million training ground covering 88ha will be built to give SAF soldiers a realistic combat experience.

Dr Ng said: "Even as we set up a new cyber command and technology labs... we must never neglect to train the SAF as a conventional force against traditional threats... and terrorism."

* Photos and IC numbers of army recruits published online by mistake, BMTC apologises
SAF sorry for recruit data leak
IC numbers and photos of graduating batch published online by mistake; info removed
By Chong Zi Liang, The Straits Times, 17 Mar 2017

The identity card numbers and photos of a batch of Singapore Armed Forces (SAF) recruits were published online by mistake last Saturday before the authorities realised the error and removed the information the next day.

In a statement, Basic Military Training Centre (BMTC) commander Desmond Yeo apologised for the blunder, adding that no other personal data was released.

He did not specify how many recruits were affected, but there are typically about 3,000 enlistees in one cohort.

The training centre had uploaded pictures taken at the recruits' graduation ceremony to Facebook. But it also included a link that displayed the soldiers' identity card numbers together with their portraits.

Colonel Yeo said that BMTC "recognises that making available our recruits' portraits, labelled together with their NRIC numbers on a platform accessible to the general public, was an oversight".

He added: "We apologise for the mistake."

Col Yeo explained that portraits of recruits are usually uploaded online so that they can share them with their families and friends. A recruit's photo is usually manually labelled with his platoon, section, and bed number.

But for the latest graduating cohort, the labelling was automated by scanning the recruits' SAF identity cards so as to speed up the process. This process labelled the photos by the identity card numbers.

"BMTC immediately removed the link to the portraits by noon the following day, when the oversight was realised. We are reviewing our procedures to prevent a similar recurrence," Col Yeo said.

Last month, the Ministry of Defence disclosed that the personal details of 850 national servicemen and its staff had been stolen in what it described as a "targeted and carefully planned" cyber attack.

Identity card numbers are highly valuable to cyber criminals, said Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec.

This is because such personal details - known as "non-perishable information" - do not expire and cannot be changed, unlike other types of data such as credit card numbers.

That is why stolen credit card details can fetch between 10 US cents and US$20 (S$28) on the black market, while "non-perishable information" costs an average of US$50, Mr Savvides added.

"This stolen information is often used in further attacks... For example, hackers may use the identity card data to lure unsuspecting victims into personalised attack campaigns, obtaining more information like banking details, which can then be used in malicious ways," he said.

** Parliament: Hacking of MINDEF system a 'covert' attack: Ong Ye Kung
Probe shows perpetrator used means to mask actions and intent
By Adrian Lim, The Straits Times, 4 Apr 2017

The cyber breach on the Defence Ministry's I-Net system was "consistent with a covert attack, with means used to mask the perpetrator's actions and intent", Second Minister for Defence Ong Ye Kung said yesterday.

Investigations into the attack, which was discovered on Feb 1 and revealed on Feb 28, are ongoing, but "findings will be kept confidential for security reasons", he added.

Mr Ong was giving an update of the incident in Parliament, in response to questions from MPs Lim Wee Kiak and Vikram Nair, both from Sembawang GRC, and Non-Constituency MP Dennis Tan.

Asked by Mr Tan if the culprit had been identified, Mr Ong said that he was unable to comment because it concerned a "security issue".

But the minister said the information loss is basic and no passwords were lost. "I do not think that, with this information, they can conduct further hacking," he added.

The Ministry of Defence (MINDEF) said on Feb 28 that the hackers had stolen NRIC numbers, telephone numbers and birth dates of 854 personnel, through a breach of its I-Net system.

The system provides Internet access on thousands of dedicated terminals to national servicemen and other staff working in MINDEF's offices and Singapore Armed Forces (SAF) premises.

MINDEF also said it had ruled out casual hackers, criminal gangs and an inside job, leading experts to believe that foreign governments could be behind the attack.

The affected server was taken offline after the attack was discovered. Affected personnel were asked to change passwords and report any unusual activities relating to the use of their personal data.

Mr Ong said MINDEF's IT systems are "no different" from others and, like them, experience "hundreds of thousands" of cyber-intrusion attempts, ranging from simple probes to cyber-espionage efforts.

But he said the I-Net system contains no classified information, and that networks which contain sensitive military information are physically separated from the Internet and protected with encryption and access controls.

This separation is critical, said Mr Ong, adding that the perpetrators in this breach "went through the window but couldn't access the house because the house is separate".

He also revealed that the breach occurred "weeks before detection" as he cited how the time taken before a breach is detected in other IT systems tends to be longer.

Referring to industry reports, Mr Ong said it takes an average of about 150 days, or five months, before a breach is discovered.

He listed examples such as the attack on the e-mail servers of the US Democratic National Committee in mid-2015, which was detected in April 2016, by which time all e-mails and chats had been stolen.

Mr Ong said MINDEF and SAF will develop better assessment tools, data analytics and content scanning engines to fend off cyber attacks. "We will also review the storage of personal data on our Internet systems to minimise risks of cybertheft," he told the House.

Breach in MINDEF's I-net System -28 Feb 2017
No Internet for Singapore public servants from May 2017

No comments:

Post a Comment