3/22/2019

Govt log in data on sale

Front page news of thenewpaper read like this: ‘Govt log-in data on sale on dark web – Email addresses and passwords were ‘not leaked from government systems but from officers who used them for personal purposes’. Ok, the data were not leaked, but using the accounts for private purposes would only reveal the email addresses; how did the passwords get ‘leaked’ or stolen? Passwords are not things that are left lying in the open to be picked up.

The article said that among the agencies named by a Russian cyber security company, IB, ‘were the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force’. MOH has been in the news for losing 1.5 million SingHealth patients’ personal data, including Hsien Loong’s, as well as other breaches including illegal access to 72 HealthHub accounts and the infamous ‘leak of information of 14,200 patients from the HIV Registry and improper handling of data belonging to more than 800,000 blood donors by a vendor last week’.

First question: were these leaked or stolen data the result of hacking by external sources? Or were they leaked by internal sources, or through mishandling or mismanagement? The way the data were leaked or stolen has different implications. If external sources hacked into the system, that is a protection problem: poor firewalls or anti-hacking systems. If internal sources, then who were the parties involved: Singaporeans, locals or foreigners hired to maintain the IT systems? And if it was mishandling or mismanagement, like the HIV case, the culprits and problems are different again and need to be dealt with differently.

The most frightening and dangerous link in the chain of IT protection is internal sources. As they say, it is very difficult to prevent theft from within, when the thieves live inside the premises.

So what is it? Were the problems highlighted, with so many ministries involved, a matter of officers using their govt emails freely and indiscriminately, showing off their passwords to everyone, or was this a more serious problem that cannot be brushed away so simply and innocently? Cannot tell, don’t want to tell, or telling it as something innocuous?

Smart city with smart people or dumb city with dumb people?

22 comments:

Anonymous said...

Hi Uncle Redbean, you worry too much. The PAP newspaper has already told us that it is not serious. Please trust the PAP government to handle this. They will protect Singaporeans and the country will be safe. So, do not worry, go and enjoy your Swiss standard of life.

Anonymous said...

My guess of most likely cause of data leak in this case is "foreigners hired to maintain the IT systems" . . .

Anonymous said...

Hi

You don't know meh?

Sg is like that liao!

Here leaked there leaked everywhere leaked!

But not to worry. Just get use to it. It is ok!

This is the new normal!

Hahaha.........

Virgo49 said...

SMARTY nation indeed!!!

No one in all but Master of None.

Wah PMLee tell Singaporeans to take care of each other as fellow citizens.

True or not?

Even Sinkie employers shunned Singaporean applicants.

Cheaper to employ foreigners.

But think Sinkies also deserved to be sidelined.

Many still said Opposition got no capable candidates.

Only PAP parrots best.

Real dafty smarty nation.

jjgg said...

Citizens secrets not important so leak oso nvr mind..state secrets like ho chings pay n Lee's wealth never leaked.. it's all probably handwritten in leather bound ledgers .. carried around by gurkkhas in red leather bags....)))

Anonymous said...

What's wrong with collecting more monies for sale? ...indeed 69.9% dafts r oked with it? ..so wat next?...stupidity has no cure eh.

Anonymous said...


Hi everyone......

Don't play play!

Our SGH is one of the top top top hospitals in the world!

You all should be very very very proud of this achievement!

Correct?

Yam Seng!

Anonymous said...

9.27am anon, u not tire meh Everyday posting the same stuff. Like some anons said before, u need to be sodomize lar to break your chain of thought that go round in circle. I must say not that I don't support your view but it boring after a while😀

Anonymous said...

9.27am anon, u not tire meh Everyday posting the same stuff. Like some anons said before, u need to be sodomized lar to break your chain of thought that go round in circle. I must say not that I don't support your view but it boring after a while😀

Anonymous said...

V922am

Don't be angry. Bad for health.

Sg is like that liao.

You can't change the thinking of the 70%.

Is like that.

Die die will vote for pap.

They are best in KPKBsssss and TCSSsssss!

So no use getting angry.

Anyway....be happy and worry less!

Enjoy while you can!

Cheers.........

Ⓜatilah $ingapura⚠️ said...

@ RB

It is evidently clear that it was a massively successful and neatly executed hack.

Passwords are stored as (cryptographic) hashes. However most people are crazy and lazy and have weak passwords which are easy to remember. They are mostly made up of literal words and numbers in predictable sequences. This is the weakness most exploited by hackers.

Kali Linux, Black Arch et al...are all flavours of Linux specifically designed for penetration/security testing and thus a favourite for hackers. You can even install Kali on your smartphone so you can hack people’s wifi, bluetooth, their cars...anything with connectivity….from a device you carry in your pocket. So you can imagine what a Pen Testing suite on a powerful computer is capable of.

Non-unique, low-entropy (low randomness = easily predicted) passwords are common. Using a suite like Kali, it only takes a FEW SECONDS to decipher the hashed password. So yeah, it is easy to see why these accounts were so easily compromised.

EG: Lo entropy password: fuckyoulah
Higher entropy: Fu¢1<¥0U£@h

Note: you increase the entropy (randomness) by adding from a choice of more characters --- upper case, numbers and special characters.

You should increase the entropy further by using more characters. These days 8 characters is unacceptable. My passwords are 30-99 characters long. Of course it is impossible to remember them, so use a PASSWORD MANAGER like LastPass or KeePass. Added security would be TFA and a hardware key like UbiKey. Govt officials should use hardware TFA. No excuse lah, cheebai.

The hack exposes the “tidak apa” attitude amongst people in-charge and trusted to LOOK AFTER OUR INTERESTS in HEALTH -- i.e. the difference between living and dying.

There are not enough words to condemn the govt for this unforgivable lack of care. No excuses lah. I don’t blame the hackers. Hacking is lucrative, and can be done offshore, and can make the hacker lots of money which he can hide in Bitcoin. Of course lah...many smart young ones will seek out opportunities in this area, especially if their governments and cyber crime operations are head hunting them. Hacking goes on all the time, even right now. It’s a multi billion dollar business --- bigger than drugs and illegal arms dealing.

Fuck the government lah. Get angry. Get very angry.
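
A worked illustration of the two points made in the comment above, namely that entropy grows with both the size of the character pool and the length of the password, and that a stored hash only protects a leaked credential in proportion to the guessing work it forces. This is an added example, not code from the original post or any commenter. The sample passwords, the 10^10 guesses-per-second rate for a fast unsalted hash, the 100-character pool assumed for non-ASCII characters such as ¢ ¥ £, and the PBKDF2 iteration count are all constructed or assumed values.

```python
"""Password entropy estimate and salted slow-hash storage (added example)."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Pool size contributed by each character class that appears in the password.
CLASS_POOLS = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
)
OTHER_POOL = 100  # assumed pool for anything outside those classes (e.g. ¢, ¥, £)
PBKDF2_ITERATIONS = 600_000  # chosen iteration count; the point is that it is large
FAST_HASH_RATE = 1e10  # assumed guesses/second against a fast unsalted hash


def charset_size(password: str) -> int:
    """Sum the pool sizes of the character classes actually used."""
    size = 0
    for chars, pool in CLASS_POOLS:
        if any(c in chars for c in password):
            size += pool
    known = set().union(*(chars for chars, _ in CLASS_POOLS))
    if any(c not in known for c in password):
        size += OTHER_POOL
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: assumes every character is drawn uniformly from the pool.

    Real words and predictable sequences are far weaker than this number suggests,
    which is exactly the weakness the comment describes.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def strength_report(password: str, fast_rate: float = FAST_HASH_RATE,
                    kdf_iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Compare one guess budget against a fast hash and against a slow KDF.

    Each PBKDF2 guess costs roughly kdf_iterations hash evaluations, so the
    effective guess rate drops by that factor.
    """
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "pool": charset_size(password),
        "bits": round(bits, 1),
        "fast_hash_days": expected_crack_seconds(bits, fast_rate) / 86400,
        "kdf_days": expected_crack_seconds(bits, fast_rate / kdf_iterations) / 86400,
    }


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, iteration count and per-user salt beside the derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample passwords, from a lowercase word through to a long passphrase.
    for pw in ("passwordlah", "Pa$$w0rdL@h!", "correct-horse-battery-staple-2019"):
        r = strength_report(pw)
        print(f"{pw!r:38} pool={r['pool']:>3} bits={r['bits']:>6} "
              f"fast={r['fast_hash_days']:.3g} days  kdf={r['kdf_days']:.3g} days")
    stored = hash_password("Pa$$w0rdL@h!")
    print("stored:", stored[:48] + "...")
    print("verify correct:", verify_password("Pa$$w0rdL@h!", stored))
    print("verify wrong:  ", verify_password("passwordlah", stored))
```

The entropy figure is deliberately an upper bound: a ten-letter dictionary word scores about 47 bits here but sits in a wordlist of a few hundred thousand entries, which is why length and a password manager matter more than clever substitutions. The storage half shows what a defender controls even after a database is copied: a random per-user salt defeats precomputed tables, and the iteration count turns each guess into hundreds of thousands of hash evaluations.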

Ⓜatilah $ingapura⚠️ said...

PS. Kepala butoh lah. The password hashes were most probably stolen from GOVERNMENT SYSTEMS, and cracked off site. As I mentioned, all the pen testing suites come with password crackers (brute force).

Yes, they could have been stolen from the officers' machines. Quite possible, and probably some personal machines were compromised by "social engineering" --- phishing, for e.g.

Ⓜatilah $ingapura⚠️ said...

@ The hard cruel facts of life:

“Intelligent” people are some of the easiest to socially engineer. Why?

Because smart people tend to fancy themselves as “smarter than everyone else”, and thus think that they can “spot any con”.

Back in the 1980s James “The Amazing” Randi conducted an “experiment” (Project Alpha) where he managed to con a whole bunch of working PhD scientists. He was out to highlight that no one is immune to being fooled, especially the smartest cohort of a given population.

In 1996, physicist Alan Sokal perpetrated a hoax known as The Sokal Hoax/ Affair again with top PhDs, and in 2017 skeptic Peter Boghossian and James Lindsay did another academia con job in the Grievance Studies affair.

In all 3 examples, the successfully fooled people were in the highest IQ cohort --- tenured professors, doctorate holders.

No one is immune to being conned. The smarter you are, the harder you will fall. 😂🤣

Virgo49 said...

Ya Matilah, this Yahoo kena hacked and they insisted passwords be one numeric alphabets and what's nonsense underscores to make it harder to be revealed.

Fed up tried so many combinations still rejected.

The end keyed fuckfuck××××#6969.

KNN they accepted.

So pai seh if want to ask someone to key passwords to share some paid subscriptions under email account.

Especially to ladies.

Cheers

Anonymous said...

As usual, there's no accountability.

Anonymous said...

It is not so many ministries' confidential data leaked only. I believe every mini$try also got hacked, breached (external culprits), licked (internal IT staff) and leaked (internal staff).

Also all the banks have been hacked into. They just keep quiet. Never want to reveal.

As IT Professional since 1980s, I can tell you that the Internet is NEVER SAFE.

Ⓜatilah $ingapura⚠️ said...

@ 208

>> Also all the banks have been hacked into. They just keep quiet. Nevee want to reveal. <<

Not only banks. Corporations too. If the damage is not great, and they can hush it up and repair the breach without revealing to their customers or the public...they will. Anything to protect their "brand"

Anonymous said...

"Singapore’s Ministry of Foreign Affairs (MFA) has countered Sri Lanka President Maithripala Sirisena’s recent accusation that Singapore is sheltering the nation’s ex-central bank chief who is wanted in connection with a US$74 million trading scam case.

In a statement on Monday (18 Mar), Sirisena publicly accused Singapore of sheltering the suspect Arjuna Mahendran who is now a Singapore citizen. Revealing that he appealed to Singapore Prime Minister Lee Hsien Loong for assistance in the case in Jan 2019, Sirisena lamented that PM Lee had promised that he would take action but so far, nothing had been done.

Adding that Singapore isn’t returning his calls either, Sirisena said: “He assured me that whether the person is a Singapore citizen or not, they will take action. Sadly, up to now, Singapore has not responded to my call.”"


What's MFA's reply? Oh, you never send us supporting documents, mah... We asked you for supporting documents leh....

No supporting documents, so CPIB, CID, CAD, the Police all these agencies of Singapore cannot make use of the lead and be tasked to investigate further and deeper? Cannot call up the rich man and interrogate him? Why?

Singapore suddenly from smart city become stupid city? Or pretending?

All because of money, isn't it? Just find out from him his bank accounts and check how much money he has parked in Singapore or Off-shore banks. Then tally with his annual salary and bonuses and ask him how he managed to get so much money? Make him prove his sources of income.

Alternatively, return him to Sri Lanka for trial.

Why make a simple straight forward case complicated? Going round the bush?

Anonymous said...

That guy is a wanted man on Sri Lanka's list of "Wanted Persons - Dead or Alive". Yet Singapore approved his application for Citizenship. No background checks? On what basis did he get his Singapore Citizenship? Just because he was Chief of Sri Lanka's Central Bank before? Just because he is a multi-millionaire? Criminal or not, never mind?

White cat, black cat or diseased cat, its okay; as long as it is a fat cat?

Anonymous said...

At Least 20,000 Of Facebook's Employees Know Your passwords!


The passwords of millions of Facebook users were accessible by at least 20,000 employees of the Facebook social network. This has been reported by a security researcher by the name of Brian Krebs.

Facebook's data protection failures, revealed again and again, are making users lose good faith and trust in the Management of Facebook, especially its CEO and co-owner.

The passwords that were exposed date back to 2012.

In a statement, Facebook said it had now resolved a "glitch" that had stored the passwords on its internal network.

In a detailed expose, Mr Krebs said a Facebook source had told him that "security failures had let developers create applications that logged and stored the passwords without encrypting them."

Commenting on Mr Krebs's story Facebook engineer, Scott Renfro said an internal investigation started after Facebook had uncovered the logs had not revealed any "signs of misuse".

In public comments, Facebook said it had discovered the issue in January as part of a routine security review.

And its investigation showed that most of the people affected were users of Facebook Lite, which tends to be used in nations where net connections are sparse and slow.

"We estimate that we will notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users," the company told Reuters.

But it added it would enforce a password re-set only if its taskforce looking into the issue uncovered abuse of the login credentials.

The news caps a long period of trouble for Facebook over the way it handles and protects user data.

In September last year, it said information on 50 million users had been exposed by a security flaw.

In early 2018, it was revealed that data on 800 million users had been harvested by the Data Science Company called Cambridge Analytica.

Facebook has now become a suspected company that spies on its users for many reasons.

Anonymous said...

@ 2:33 pm:

"Not only banks. Corporations too. If the damage is not great, and they can hush it up and repair the breach without revealing to their customers or the public...they will. Anything to protect their "brand""


You are absolutely correct. Many MNCs, and even lucrative mid-range holding companies, have been hacked, breached, licked and leaked. They just keep silent in order not to arouse their customers' suspicion and thereby lose confidence, faith and trust, resulting in loss of business and maybe downfall.

Anonymous said...

ROME, 22 March 2019

Chinese President Xi Jinping and the Italian President Sergio Mattarella held talks in Rome on Friday (22-03-2019), and agreed to jointly push for greater development of the China-Italy Comprehensive Strategic Partnership (CICSP) in the New Era.

The two Heads of State agreed to guide the direction of bilateral ties from a strategic height and long-term perspective.