myIdentity/JPN/LHDN – So what happened?

This news probably has died down, as it’s been some time now. I decided to take some time before doing a piece on this issue, to gather some information and perhaps provide some insights into the matter. This will be a developing article, hence I will from time-to-time update this to reflect what’s going on. As they say, it ain’t over till the fat lady sings…

The discovery of this issue is courtesy of Adnan Shukor (Hi xanda!), who discovered it in one of the underground forums. This was the posting that was discovered.

Some interesting points to note. The data spans 1979 to 1998, and contains not just the details on the NRIC but also additional data points (i.e. mobile number, email). The rest can be found on the MyKad itself (MyKad is the Malaysian NRIC smart card). The file offered is in the form of JSON/CSV (I’m not sure if they have all the data in 2 files, or some in JSON and some in CSV).

Secondly, the person claims that the data is obtained from LHDN (Malaysian Income Tax dept) through myIDENTITY API.

What’s myIDENTITY?

A good internet citizen like myself would visit the website to get more information. But the website was not available. Why? I did a little investigation.

It seems that the DNS entry was removed from the authoritative server to remove access to the website.

UPDATE: The site is back up now. DNS admins updated the DNS Server recently and the site is back up.

MyIdentity, according to the website, makes it easy for Malaysians to conduct business with government agencies by making it simpler for personal information to be accessed. Hence, the API allows any agency to query, say based on the NRIC number, and get a dataset of that NRIC from JPN.

Sounds good; in fact it should be seamless for data to be shared, and it eliminates duplication and redundancy since it’s only an API call away. But I also found something else on the website.

The last line of the website reads like this.

“Penafian: Kerajaan Malaysia tidak bertanggungjawab terhadap sebarang kehilangan atau kerugian yang mungkin dialami akibat penggunaan maklumat yang diberikan. Testing CRS….”

I’m going to attempt to translate based on my high school Malay knowledge. Please excuse any inaccuracies

“Denial: Malaysian government is not responsible towards any loss that might be experienced in using the information provided. Testing CRS….”

Now, why would an official government facility put such a statement? I have no idea.

Back to the show.

So we’ve ascertained that myIDENTITY does have an API. So how would this crime be committed? I looked back at the dataset generated: between 1979 and 1998. And the NRIC has the format YYMMDD-XX-YYYY, which is well documented. If I write a simple script in <insert your fav coding language> to run numbers using that format, I can generate the request parameters. All I need is to post that information to the API.

I did some mediocre Googling and I couldn’t find the API endpoints (I’m not as l33t as most of you, age is catching up…). So, I came to the conclusion that the API is most probably private (of course). Which leaves us with the next theory.

It can only be done by someone or some entity who has access to the API. Cue LHDN, to whom the leaker attributes the data. That makes sense. So: someone, using the myIDENTITY API via a script, through access (maybe) given to LHDN, pulled the data.

This leaves us with only 2 possible routes, assuming that LHDN was the source of the queries.

Possibility 1: Someone found a way to access the API through LHDN’s existing website. The website is the most likely user of the API, besides the internal systems. Maybe it’s the same system, at this point I have no clue of LHDN’s internal systems. Play along folks…

Possibility 2: A vendor who maintains the system within LHDN and understands how the API works decides to be curious and starts making API calls from one of LHDN’s systems (maybe the API needs a specific IP address to allow access). He/She/They may have left it over the weekend, leaving the script to query endlessly. Come Monday, the vendor staff goes back to terminate the script and, lo and behold, gigs of dataset. Bad year for the vendor (you know, pandemic and stuff), no bonus. Staff gets pissed and leaks data. (I’m just creating a story here, learning how to write stories so that my articles become more interesting).

So far, we’ve dissected the incident; there are nuggets of wisdom for the blue team as well as developers to take note of. Interestingly, I had such a discussion with @Chan Wei Min about securing APIs on twtr. We’ll get to that at the bottom of this article. Good stuff always comes last; otherwise how can I retain readership? (Be fair, don’t skip)

Let’s look at the news article.

LYN reports that a multi-agency investigation, spearheaded by PDRM, has begun. A demand of BTC 0.2, equivalent to RM35,495, has been sought as payment for the data. No news on whether someone has purchased the data or not. LYN also confirms that the police are not ruling out the possibility of an insider threat in this situation (Possibility 2).

LHDN refutes the claim that its website is the source of the leak. LHDN confirms that it is only a user of myIDENTITY and does not own the platform. LHDN reveals that its own internal investigation showed that there was no leakage of information at its end. LHDN insists that all the data and information under its custody is safe and protected by “recognized data security technology” (Sorry, my brain may not be working today, but I have no clue how to decipher the double-quote stuff; I’m thinking of ROT13, which is recognized in the industry). (Back to Possibility 1)

KDN, through its minister, was a little kinder with information. TRP reports that YB mentioned that there are over 100 users (the actual number of allowed users is 104) of myIDENTITY, and the leak could have originated from any one of those, not just LHDN. YB also did not deny the validity of the data sold. He confirms in an article with MalaysiaNow that JPN insists there is no data leakage.

Technically there is no leakage at JPN itself, which makes the statement somewhat of a stretch to be true. At this point, there are a few unanswered questions.

  1. Is the data authentic and true? If yes, proceed to the next point.
  2. Was myIDENTITY the source of the data? (Seems like it, no one seems to be denying about myIDENTITY)
  3. LHDN mentions that their website isn’t the source of the leak. But there is still internal systems that use the data. So could it be that?

From logical deduction, it seems scenario 2 is most plausible, supported by the police not ruling out an insider threat.

How to defend from these type of attacks

We notice that an API user is querying a vast amount of data, most likely done over a short period of time. Most of the time APIs are built for functionality, not for security or analytics.

One way is to have a Web Application Firewall as a proxy in front of your API. This mitigates the usual types of attacks and, depending on its capability, it may provide some insight. Some WAFs have the capability of throttling or rate limiting requests, which makes them ideal for reducing (ab)use of your API.

I still believe that while you can “outsource” some of these security functions to WAF, the best place to discover and mitigate is still at the API itself.

Basic analytics need to be available for you to know how your API is being used: what the usage trends are and when the API should be hit at all. Forget about public APIs, they’d be hit any time of the day. But an API such as myIDENTITY? Unless the govt agency runs batch jobs, a high number of queries exceeding a certain threshold, together with the time of the queries, would give you insight into an impending incident. Of course, most professionals would recommend pumping your web logs to a SIEM for all those fancy bells and whistles.

Remember, to establish analytics for your API, you use the same tools as for your web server. It’s the same logs, but you may have additional logs generated by the API itself.

Additional considerations for your API deployment

  • Can you have rate limiting functions ? Pick any permutation, IP, session, client id, etc
  • How do you establish usage of your API, can you set threshold of queries?
  • How do you detect excessive queries, are there alarms or workflows triggered? (Besides server CPU going 100% or the Apache thread hung)
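To make the three considerations above concrete, here is an added example (my own illustration, not code from myIDENTITY, LHDN or any WAF product) that runs the two detections the article asks for over a handful of constructed access-log lines, and adds a per-client token-bucket limiter of the kind a WAF or the API itself would enforce. The log format, the client ids (agency-a, agency-b, agency-c, batch-d), the thresholds and the business hours are all assumptions chosen for the demonstration.

```python
"""Spot (ab)use of an identity-lookup API from its own access logs.

Added example, not from the original article. Shows per-client query
thresholds, time-of-day analytics with an allow-list for known batch
clients, and a token-bucket rate limiter keyed on client id.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed log format: timestamp, client id, path, status. The subject
# identifier being looked up is deliberately NOT written to the log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) client=(?P<client>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "path": m["path"], "status": int(m["status"])}


def build_sample_log() -> list[str]:
    """Constructed sample: normal daytime traffic, one malformed line, a
    weekend-night burst from agency-c, and a whitelisted nightly batch job."""
    lines = [
        "2021-09-17T14:02:11 client=agency-a path=/v1/lookup status=200",
        "2021-09-17T14:02:15 client=agency-a path=/v1/lookup status=200",
        "2021-09-17T14:05:40 client=agency-b path=/v1/lookup status=200",
        "2021-09-17T14:06:02 client=agency-b path=/v1/lookup status=404",
        "malformed line that the parser must skip",
        "2021-09-18T01:00:00 client=batch-d path=/v1/lookup status=200",
    ]
    # One lookup per second for ten minutes from 02:00 on a Sunday
    # (2021-09-19): the "script left running over the weekend" pattern.
    start = datetime(2021, 9, 19, 2, 0, 0)
    for i in range(600):
        ts = (start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} client=agency-c path=/v1/lookup status=200")
    return lines


def per_minute_peaks(records) -> dict[str, int]:
    """Highest number of requests each client made within one clock minute."""
    buckets = defaultdict(int)
    for r in records:
        buckets[(r["client"], r["ts"].replace(second=0))] += 1
    peaks = defaultdict(int)
    for (client, _minute), n in buckets.items():
        peaks[client] = max(peaks[client], n)
    return dict(peaks)


def off_hours_counts(records, business_start=time(8, 0), business_end=time(18, 0),
                     batch_clients=frozenset()) -> dict[str, int]:
    """Requests on weekends or outside business hours, per client.
    Clients known to run scheduled batch jobs are skipped."""
    counts = defaultdict(int)
    for r in records:
        if r["client"] in batch_clients:
            continue
        outside_hours = not (business_start <= r["ts"].time() < business_end)
        if r["ts"].weekday() >= 5 or outside_hours:
            counts[r["client"]] += 1
    return dict(counts)


def find_alerts(lines, per_minute_threshold=30, off_hours_threshold=5,
                batch_clients=frozenset({"batch-d"})):
    """Return sorted (client, reason, value) tuples worth raising to the SOC."""
    records = [r for r in map(parse_line, lines) if r]
    alerts = []
    for client, peak in per_minute_peaks(records).items():
        if peak > per_minute_threshold:
            alerts.append((client, "rate", peak))
    for client, n in off_hours_counts(records, batch_clients=batch_clients).items():
        if n > off_hours_threshold:
            alerts.append((client, "off-hours", n))
    return sorted(alerts)


class TokenBucket:
    """Per-client token bucket: `capacity` burst, `refill_per_sec` sustained."""

    def __init__(self, capacity=100, refill_per_sec=1.0):
        self.capacity, self.refill = capacity, refill_per_sec
        self.state: dict[str, tuple[float, datetime]] = {}

    def allow(self, client: str, now: datetime) -> bool:
        tokens, last = self.state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last).total_seconds() * self.refill)
        allowed = tokens >= 1
        self.state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


def bucket_decisions(capacity=5, refill_per_sec=1.0) -> list[bool]:
    """Six requests at t0, then four more three seconds later."""
    bucket, t0 = TokenBucket(capacity, refill_per_sec), datetime(2021, 9, 19, 2, 0)
    first = [bucket.allow("agency-c", t0) for _ in range(6)]
    later = [bucket.allow("agency-c", t0 + timedelta(seconds=3)) for _ in range(4)]
    return first + later


if __name__ == "__main__":
    for client, reason, value in find_alerts(build_sample_log()):
        print(f"ALERT {client}: {reason} ({value})")
    print("bucket decisions:", bucket_decisions())
```

Run as-is and it flags agency-c twice (60 lookups in a single minute, and 600 lookups on a Sunday night) while leaving the daytime agencies and the whitelisted batch client alone; the bucket allows the first five requests, refuses the sixth, and lets three more through after three seconds of refill. The same per-client counts are what you would chart as your baseline, so the thresholds stop being guesses.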

This matter was discovered post-incident, which indicates that most likely such capabilities either (1) did not exist, or (2) the SOC folks fell asleep during their shift (poor overworked, underpaid SOC staff), or (3) the SIEM was under maintenance when the issue happened, so there was no visibility (maybe I should write about over-reliance on technology in mitigating security issues).

Conclusion

I can’t conclude just yet, I’m sure there are more information waiting to be uncovered or released. I just wish (wish only) that the incident be documented and released publicly just like how the IHS breach in Singapore. But knowing Malaysia…

References

  1. [29 September 2021] MalaysiaNow – JPN confirms no data leakage (from KDN) – https://www.malaysianow.com/news/2021/09/29/home-ministry-confirms-no-leak-of-jpn-data/
  2. [28 September 2021] PDRM to investigate the JPN/LHDN data leakage – https://www.lowyat.net/2021/254222/pdrm-investigate-jpn-lhdn-db-leak/
  3. [29 September 2021] TheRakyatPost – No data leaks from JPN – https://www.therakyatpost.com/news/2021/09/29/no-data-leaks-in-jpn-dont-speculate-on-the-issue-claims-home-minister/

Cyber Vigilantism

Data Secrecy, PDPA and Cyber Vigilantism

“Those who create information (in any form) is doomed to safeguard it, until it has been completely destroyed” – Suresh Ramasamy (2005)

There was a buzz on social media about how women in Singapore had compiled a list of persons who are not suitable for dating for various reasons. This went viral and spilled over into Malaysia, where someone started a similar list. Within hours, it was reported that over 200 entries had been made into that similar list. In normal days, I would observe the trend to see where it went. I have no clue what data is captured there, so instead of making assumptions I decided to draw a parallel to the situation. A good friend had posted a message, saying men should do better, and that he wanted to have a daughter but was now thinking twice about it due to the current situation. I didn’t realize how impactful that message was, to the point my overthinking brain started writing this article mentally without me even pondering.

This article is written from an objective lens, analyzing the whole situation from a data, privacy, and activism context. It isn’t about what’s right and what’s not, but to give a perspective into the issue and understand further by making parallels into how data affects our daily lives, even without us knowing about it.

To help me describe this, I have created a fictitious story (no resemblance to the living unless if your name is 2 characters and 3 numbers) from a simple country called Kandaqstan (Hi Jahabar! As you can see, I am missing Penang food!).

This story revolves around the car dealership and its buyers. These are the characters in the story. Look out, loads of pun ahead!

CD007 – Well meaning car dealer

SA001 – Sales Agent

CB004 – Clueless car buyer

CB008 – Car buyer, brother to the owner of CD003

CD005 – A car dealer

CD003 – Another car dealer

CD007 has been an established car dealer. Sales had been brisk, but due to the pandemic (haha, I had to throw this in) sales dropped. CD007 noticed that while traffic into the centers has reduced, there are people still coming in to test drive the cars. However, CD007 began to notice that there are people who repeatedly test drive, but do not buy the car. This frustrates CD007 and they decide to do something.

CD007 came up with an idea. Why not compile a list of customers who do repeated test drives without buying or even making a booking? This list is shared amongst the car dealers. In a way, this helps the car dealers to identify if the customer who came in has a “track record” of not buying the car. So, CD007 started this list and it became a hit as other car dealers began to use it and contribute. Soon, this list grew and had a lot of comments and even customer ratings (you have some irate customers, some that ask a lot, etc etc).

CB004 is a new car buyer. Poor sod, can’t differentiate between a nut and a wheel. He’s worked his way through the corporate ladder and had saved up a lot of money to eventually treat himself to a nice car.  Naturally, being careful about every single penny he earned, he wanted to get the best deal at the same time use the opportunity to learn. His colleagues told him that the best way to know a car is to test drive it.

CD007 was very close to his house and was somewhat his preferred car brand. So CB004 would visit the showroom and ask questions. CB004 would also request a test drive. Every time a new model or facelift came up, CB004 would line up patiently and get his turn. CD007 observed this and decided to put CB004 on the list.

Soon after, CB004 realized the cold treatment he’s receiving from CD007. He wasn’t sure what he did wrong, he thought that’s what everyone did. So CB004 went to another car dealer, CD005. To his surprise, no one entertained him after getting his details. Puzzled, CB004 decided to take a break and thought maybe he was going through a rough spell. But the urgency of getting the car was increasing and he was close to deciding.

A similar situation happened to CB008. Having a family member in the dealership business, CB008 was much more pedantic compared to CB004. He could smell bullshit miles away, and unfortunately Sales Agents are prone to that syndrome. CD005 decided that they would have none of it and put CB008 on the list.

CB008, receiving the same lackluster treatment, decided to check with CD003. CD003 discovered that his brother CB008 had been put onto the list and decided to protest. CD007 was in a predicament: do you remove the entry or do you leave it? CB008 had no avenue to argue his case as the list is limited to car dealers only. This went on for a while.

Not happy with the situation, CB008 decided to start his own list. This list would have ratings on how car dealers behave and treat their customers. This news reached our friend CB004, who started subscribing to the list and actively contributing entries. Eventually customers started using the list and boycotted dealers the same way dealers were boycotting customers. The industry became a hostile ground; some dealers decided to stay out of the fight and gave each customer equal access. Those earned better sales, and CB004 & CB008 eventually bought their cars.

Intermission 

So let’s analyse the situation.

Once this data is created (referring to the list), we now have a list custodian (aka the owner). We have contributors (who may or may not be attributed for the entry) and consumers who use this data. Note that there will be personal information in the list, so as to correctly identify which person a name refers to. Names may not be unique (mine is too common), so other identifiers will be included to ensure that the person is identified correctly.

Let’s look at data quality. It is a collaborative list, which means all contributors can add entries to the list. There may be some set parameters or a selection of reasons why a person is added to the list; where the real reason isn’t available, a contributor may just pick another of the existing options to get the person or dealer onto the list. Who ensures that the data is accurate? How do you prevent mistaken identity (we have seen in the past loan sharks attacking innocent victims just because the previous tenant had owed money, and the property is now splashed with red paint)? How do you prevent a personal vendetta from getting in the way of (ab)using the list?

Data management – how long does a person/dealer stay on that list? Is there an expiry term like a statute of limitations? Or is it a permanent list? How do you resolve conflict? Who decides (or becomes God of the list) who stays and who leaves the list? Since the list is relied on by many, getting on and off the list has consequences for both the individual and the dealer. In the case of CB004, he wanted to get a car, and had to go to a dealer who wasn’t using the list to complete the sale.

Now, the slightly bigger fish – Privacy.

This section is written based on Malaysia’s implementation of PDPA, citing its principles to explain the context.

If an organization retains personal information, the organization is now duty bound to inform the data subject how that data is used. In this case, since the list was kept secret within the industry, no one informed anyone about their personal details being stored in this list. This is a violation of the General Principle of PDPA.

Is this necessary for the car dealership? No. Dealers can still do business even without access to the list. Hence it is neither mandatory nor exempted under PDPA. Is it necessary to protect the vital interests of the data subject? Obviously not; it is counterproductive to the customers and the dealers alike.

Did the customer or the dealer receive a notice about the list? No. Notice and Choice Principle failed. Does the data subject have the right to review and correct the information? Obviously no. Is the list disclosed to anyone else, e.g. other industries? Maybe. No one knows for sure, as a sales agent who has access may leave the industry but still have access to the list and use it for his/her/their new job. Is it obligatory or voluntary for the data subject to provide the data? Neither, because the data was entered without the data subject’s knowledge. Was the data provided by the data subject used for other than the intended purpose? In this case, a customer provides information for test drive purposes, but it is now used for the list. It’s a no as well.

No data shall be disclosed without the consent of the data subject. In this case, data is actively being disclosed to consumers of the list without the knowledge of the data subject.

What are the security measures taken to safeguard the list? Well its just a list in Google determined by CD007 on who has access. CD007 gets a call from a fellow distributor and adds the email address into the access list. Is it sufficient? Maybe. Is there rigor in access management, I doubt that.

Earlier question – how long is the data retained? Perpetually, since the list was started. Does not meet the Retention Principle.

Does CD007 take every step to ensure that the data entered is accurate? No, CD007 relies on those keying into the database to ensure that the data is accurate.

Is the data subject given access to the data and allow the data to be corrected? No. It’s a private list. Fails Access Principle.

Suresh, all this is fine and well, but this situation, which involves dealers and buyers, is a commercial transaction. The original topic talks about personal use, which is not covered by PDPA.

You are absolutely right. PDPA does not cover data used for personal use. However, remember I didn’t end the story, but said intermission? Let me continue the story.

Chapter Deux

CB004, thinking about his financial commitments, worries that his current job may not be sufficient for him to take up this new car, even though he can cover his monthly bill. CB004 decides to apply for a job at a local motoring news outlet as IT Supervisor, hoping to get a bump in his salary. The HR staff member, SA001, who is an ex-Sales Agent, does his due diligence on all new staff. Since he was formerly a Sales Agent, he still has access to this private list. Looking at the entry for CB004, he decided to put a footnote to the hiring manager saying that this person’s attitude is not welcome. CB004 was unsuccessful in his job application and, knowing the Malaysian HR process, was simply ghosted without any further details.

I’m going to stop the story here.

While the list is private, its use can never be limited. Anyone having access could use the list for any reason, beyond what it was intended for. Hence, what set out to be a simple, well-meaning effort may grow into a bigger beast.

The actual whale – Defamation

A defamatory statement is a statement that:

  • Tends to lower a person in the estimation of right thinking members of society generally;
  • Causes a person to be shunned or avoided or to expose him to hatred, contempt or ridicule; or
  • Conveys an imputation on a person disparaging or injurious to his office, profession, calling, trade or business.

There are two methods of interpreting the words in an allegedly defamatory statement:

  • By their natural and ordinary meaning; or
  • By innuendo.

Based on this, it is sufficient to say that the list meets the test for being defamatory. This applies to both sides, the buyer and the dealer alike.

Final Words

Is there a solution to this? No. Cyber vigilantism may look all good and well, but there are real-world issues, starting with the matter of data, then privacy, and then the legal side. Does it solve a problem or exacerbate it? You be the judge.

To my friend, fret not. Have your daughter, raise her in every right way as the responsible father that you are. We are always thrown challenges in life; we usually swim through them even though we think that we’re drowning. Every generation has its own unique challenges and gives you different battle scars, but it is a journey, not a destination. Hope this gives you comfort.

[CISO Series] What do CISO’s fear more?

For a start, it’s my favourite time of the year. Halloween. I still remember going trick-or-treating while in the US, and when I was back, my ex-boss used to throw an awesome neighbourhood party over at his place, complete with a haunted house setup. I think he spent a lot accumulating props and stuff. It’s one of those memories that brings your inner child out (playing dress-up, and just looking more horrible than your usual $dayattire), which gives me great joy (and fright!)

So in line with the theme, let’s talk about fear. Specifically for the CISOs – who do they fear more? To put a more detailed context to the question, I’ll be asking – who do you fear more? Nation state actors or auditors?

Most of you know that I came from a long history in the telecommunications industry, and then transitioned into a senior leadership role at a financial group. These experiences gave me an interesting perspective into how businesses operate, both in the regulated and the unregulated space.

The fear for auditors

When I was in the regulated space, I was frightened to death of auditors. Fear-mongering on audits and their results was just over the roof. We were constantly reminded that our career hinges on making sure there are no audit findings. Be it an internal auditor or an external auditor (what’s worse, if it’s a regulator who’s auditing you). So a lot of time and effort is put in on making sure that you follow the policy to the dot. But then the operating environment is so big that it is similar to the ant analogy against a house.

An ant only needs a tiny space to wiggle through and get into the house, while the house owner has to look at every nook and cranny to ensure there are no opportunities for the ants to come in.

What’s worse, the findings are just “face-palming”. “Oh, that system doesn’t have password expiry and your policy says you need to have it”. Or “you forgot to remove the user for the system which needs internal-only access without VPN or any other profile, but since your policy says you are supposed to remove the user within X days, you didn’t meet policy requirements”. These findings go up to the board and the CISO hangs his head in shame. Funnily enough, at a large conglomerate, a board member even told the CISO to use Excel to keep track of account management for a 10k-strong staff with hundreds of individual systems instead of considering Identity Governance and Administration systems.

Policy – bane of existence

The tight grip on policy in some organizations is beyond belief. Often, a policy change in an organization implies that you are already compliant and should be ready for the next audit. But all organizations will fail, because most will take some time, like getting a new system or instituting a process around what the policy requires. Yet auditors tend to be sticklers to policy and want it to start working from the day it’s approved (and most policies are pushed by the auditors for implementation, even though they do no real benefit for the organization, but look good on paper for governance). We’ll go into more detail about policy and implementation, and how organizations can avoid such pitfalls, in another article.

For some businesses, compliance is business. If you look at an e-commerce site that relies on credit card transactions, then PCI-DSS is a must. In Asia we say “die-die” must do. Such businesses cannot survive if they are unable to make transactions, which makes it business risk #1, and CISOs tend to gravitate towards ensuring that their career stays safe by meeting PCI-DSS requirements (remember, a 7-character password is sufficient for PCI-DSS). Rationality goes out of the window and security becomes theatrics. Security becomes a tool to meet compliance rather than actually securing the business.

A CEO once asked – how many compliance people do you need if you have zero business?

From here, you can see that the CISO’s primary focus will be meeting compliance and governance requirements. Anything can be turned into a checklist, and you make sure you tick all the boxes. Whether it makes sense doesn’t matter, but the boxes must be ticked. A template approach is most feasible and gives the stakeholder a false sense of comfort. But is the organization truly secure against actual threats? I wonder how the conversation will go if the organization does get breached –

“But I ticked all the boxes?”

Nation State Actors – The threat


If by chance the CISO does get to focus on what really matters, you will see the gaze of the CISO towards improving security while bringing value to the organization. This is the Type 3 CISO that I discussed in my earlier series article, the link is at the bottom if you want to have a read.

The CISO’s focus would be to constantly review the threat posture of the organization, apply lessons learnt, look at avenues to increase visibility, strengthen controls and bring the organization forward every step of the way. As such, you see improvements, both tangible and intangible, have the pulse on the ground close to your heart and are able to advise if something has drastically changed which warrants the CISO to escalate and take immediate action. TTPs become the focus, and having operational cyber threat intelligence, coupled with a blue team for defense and a red team for offense, helps to improve the security posture. The CISO can also put more emphasis on building the team’s capabilities to further strengthen the organization.

What’s the reality?

In reality, you find CISOs fear auditors more than nation state actors or threat actors in general. The common thinking is that “If my organization gets hit by ransomware, sure, my systems will be down, but we will be able to rebuild in time. But if I get a black mark at the board meeting, I might as well find a new job!”

There is no shared responsibility and accountability for security, as the CISO becomes the convenient scapegoat for blame, and swift action is taken by removing the person to show that the organization is doing “something” to address the issue. (Still thinking of being a CISO?)

So, how can you change it?

The general consensus is to remove the portfolio of governance and compliance and have a separate team (usually under Compliance) handle such functions. This frees the CISO to focus on the role of securing the organization. Remember that the CISO alone cannot secure the organization; it’s a role that’s dependent on all other stakeholders. For example, you won’t be able to mount the firewall in the rack if the DC guys don’t give you physical access. If you want the CISO to be effective in his/her/their role, then you as an organization have to give them that focus to be able to make that difference for that portfolio. Bundling the 2 functions will only lead to disaster, as one will demand more time and focus than the other.

All organizations wanting to hire a CISO should ask themselves this key question – what is the main reason for wanting a CISO? Is it to meet a compliance/governance requirement of having one (which means the job scope is skewed towards governance and compliance and not security per se), or because the CEO can’t sleep at night, afraid his/her/their organization might be breached? This question will determine the focus and the “real” expectation of what the CISO should be doing, instead of what the CISO is expected to be doing. Remember, what you expect may not be what you get, because of where the focus is being put.

Secondly, compliance and governance need to be business-sensitive and not be the “head-master” of the policy document. Using a risk-based approach, have a balance between the document and the ground. There will be disparities. There will be deviances, but do they warrant the serious tone of a finding? Over-zealous auditors create more operational overhead on small teams that are struggling to meet basic operations, leading to a collapse of governance. Almost akin to a self-fulfilling prophecy, so that there will be more audit findings. If the objective of an audit is to ensure 100% policy compliance, then your audit has failed to address the plurality of operations and business. Most often, business demands are retrofitted with security requirements, not vice versa. Purchase decisions are made primarily on price points and not on how well the product meets technical requirements. Hence, how can you expect 100% compliance when, from genesis, the system was never meant to meet policy requirements? The CISO then becomes the architect to retrofit and ensure there are security wrappers around the system to meet security objectives. Sure, we can write and sign off waivers on an annual basis, but that will eventually become a finding. (By the way, this is one of the primary roles of the team, where you are required to support business decisions, even though they may sound utterly ridiculous). Remember, security is a business function, not vice versa.

[CISO Series] What kind of CISO are you?

This question isn’t new. In fact, in almost all of the interviews I have attended, this question always pops up somehow (besides how much less can you earn while doing a lot more!).

Everyone’s going to hate my answer, but here it is.

Yes, yes it does. Sad but true. But lets look further to understand why.

There are a few factors that determine where the CISO will focus his/her attention. Firstly, the expectations of senior management and the Board, and secondly, the maturity of the organisation.

Scenario 1

An organization just hired a CISO. They had a small security team (essentially IT staff told to take up the responsibility of security). The team was an organised mess; processes had been established but focused on operational matters rather than security (i.e. managing the firewall ruleset for projects and deployment). The team’s security competence is medium, as they understood IT operations but not the nuances of cyber security. The CEO finds the team ineffective and has low confidence, hence onboarded a CISO to relook at the team and “make it better”. The team had a lot of questions and needed answers even to fundamental issues such as understanding how NAT works. There are a lot of gaps in what the team is doing, and there was no afterthought, as the team was built out of urgency and not proper planning.

In this instance, it is important for the CISO to be technically inclined. The focus of the CISO will be towards gearing the team up. The CISO will be looked at as the “subject matter expert” and be a reference point for the team to move forward. You’re a technical CISO more than anything else.

Scenario 2

An organization has a fully functional cyber security team. The team has sufficient (not the best) competence, understands the nuances of cyber security and knows what needs to be done. Their attention is divided between operational work and compliance/governance. The team reports to the Operations head.

You are hired to report to the Chief Risk Officer, acting as the head of Technology & Cyber Risk. You’re given the title of CISO, being accountable for ensuring the organization stays cyber secure. Your focus is on managing risks more than dipping your toes into technical matters (though you are required to bring things to the Board’s attention and explain the technical details). Your role acts as the second line of defense, keeping tabs on the security team and making sure they stay on top of their game. What’s interesting is that, while you are CISO, the budget for security operations is separate and you don’t get to dictate how they spend it or where they put priority.

Interesting question – Can CISO be effective being a completely separate/independent second line of defense? (We answer this question on an upcoming CISO series article)

In this case, as CISO, your focus is more risk oriented. You need to translate cyber happenings into business speak and show it in dollars and sense (intentional). Your participation in management forums and board committees becomes a focus. You act as force and counter-force to the existing security operations.

Scenario 3

You enter a fully mature organisation. Security operations and risk are well managed and have metrics for constant improvement. On a maturity model, your teams sit at level 4 for most of the processes. Your teams are well equipped and have respective subject matter experts guiding them.

As a CISO, you turn your focus to the business. The question on your wall: “How does cyber security add value to the business? How can cyber security be the differentiating factor that affects revenue positively?” You look at making cyber security a business positive, building security and trustworthiness into a differentiator that wins more customers and revenue.

What organizations want

Most organizations, if asked, would go straight for Scenario 3, while in reality many remain in Scenario 1. The details may change, but the situation remains similar.

Are the 3 scenarios mutually exclusive? Of course not. The scenarios highlight the dominant role of the CISO (in other words, where the CISO will spend most of his time). As time goes by, the gaps in the organization will force the CISO to take up that responsibility. A mismatch of expectations sets the CISO up to fail. Senior management expects value while there’s a fire burning in operations. The CISO is left with the task of being the bearer of bad news and, in any instance, is ultimately responsible for ensuring that senior management is up to speed with what is happening on the ground.

For example, in Scenario 1, there are barely enough staff to handle all of the operational roles. But being in a highly regulated industry, the expectation is for compliance/governance/audit to be tip top. The CEO was visibly upset with the CISO over constant audit issues, and it’s up to the CISO to communicate that the team is simply not sized for compliance/audit activities. The CISO’s focus will be putting out immediate fires at the operational level.

This brings us to another interesting question – who does the CISO fear more? Auditor or Threat actor? (We cover this on the next CISO Series article).

Fellow CISOs – is there any particular topics you want to see discussed? Bring it on!

Week 25 in Technology

It was an interesting week, to say the least. While the news was filled with a lot of interesting bits and bobs, I found one company dominating international headlines.

Good ol’ Microsoft.

Let’s start with a high. Microsoft recently introduced Windows 11 (surprise, surprise). It is a surprise because Microsoft had earlier taken the stance that Windows 10 would be the last version (refer to the Forbes article in the References section). That aside, the new Windows also comes with a few caveats.

Firstly, it will only be supported on newer Intel platforms (I was sore because I have an ASUS NUC which works really well on Win10 but cannot update due to an “outdated” CPU). The list of supported processors is linked in the References section. This seems to be a direction of tying hardware compatibility to a platform, which is a bad idea, especially as Apple recently announced iOS support for their older phones as well. Windows 11 can technically run on older platforms, but that choice and direction is made by Microsoft, if you want to continue on their platform. (My 7-year-old MacBook Pro runs the latest OS X with no noticeable performance sacrifice in comparison.)

TPM (Trusted Platform Module), a discrete or firmware module that has been shipping in PCs since the mid-2000s, adds cryptographic functions including key generation and sealed key storage. It is a convenient way of locking licences and everything else down to a piece of hardware, and it can underpin rights-management schemes. Security researchers were quick to point out that the TPM can be turned against its owner: malware running with administrative rights can take ownership of (or clear) the TPM, enable full-disk encryption with a key only the attacker holds, and let it run in the background. With the key material generated and handled on the motherboard rather than sitting in a file, there is nothing for the victim to recover. A forest fire in the making (courtesy @GossiTheDog).

Support for Secure Boot is now mandatory. Most newer systems (I’d say 5 years and younger) have UEFI firmware support for Secure Boot. I still remember the last time I turned it on: it was hell trying to even get Windows installed. Obviously, some kinks need to be sorted out, but it offers boot-level protection, ensuring that the boot loader and early boot components are signed and have not been tampered with. Consider it a chain of trust that starts in the firmware, below anything the OS itself runs.

Microsoft, in its defense, was quoted saying that these measures are necessary to improve the security for consumers and businesses.

In summary, Microsoft has started enforcing forced obsolescence (so much so that even some of their own older Surface models will not support Win11). If I were a Surface customer (thankfully I am on a different platform), I’d be fuming as well. I remember going through a very painful process of justifying why an asset class at my previous employer needed to upgrade from Win7 to Win10 (which included both hardware and software upgrades). Windows 11 has just made the lives of CIOs/CTOs one notch harder and made Microsoft even more hated. It’s a serious financial pain to remain on the Windows platform now, and with alternatives such as Chromebooks, *NIX and OS X, consumers and businesses may re-evaluate their choice of platform.

And now for not so savoury stuff.

Microsoft published a blog post on their tracking of Nobelium activity. For the uninitiated, Nobelium is Microsoft’s name for the group behind the SolarWinds compromise. Something stuck out in the blog, which I will put here for everyone to review.

“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust “least privileged access” approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”

Notice anything funny in that statement? Let’s break it down.

A customer support agent of Microsoft had malware installed on their machine. The threat actor used the information it gathered to launch other attacks.

That’s the preface. Let’s dive in one more level.

Support agents are configured with minimal set of permissions as part of Zero Trust “least privilege access”.

This raises a lot of questions.

  1. How did the malware install itself on the support agent’s machine if the support agent had least privilege?
  2. Are you saying that, despite having Zero Trust, it failed? You mean Zero Trust failed?

When asking these questions, remember that you are posing them to Microsoft, the very people who build the OS, sell the tools, and provide the complete set of security capabilities that you trust to secure your environment.

It seems to me that not all details are being released. I mean, you’re talking about Microsoft, who (by rights) should have everything (I mean all security features) turned on, tuned and working tip top. Including things like no local admins, no remote access... the works! (You get what I mean.) Not just another enterprise that breaks controls for reasons only justifiable to itself.

Not too long ago I posted this on my Linkedin.

On one hand, I feel sorry for Microsoft. They’ve put so much effort into improving the security of their tools and platform. On the other, these marketing bits get them into a whole load of trouble.

Reference:

  1. https://blogs.windows.com/windowsexperience/2021/06/24/introducing-windows-11/ – Introducing Windows 11
  2. https://www.forbes.com/sites/gordonkelly/2015/05/08/microsoft-windows-10-last-windows/ – Forbes on why Windows 10 will be the last
  3. https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors – Windows 11 processor support list
  4. https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ – MSRC on new Nobelium activity

SUCI Catcher – a 5G security issue

Introduction

5G has introduced vast improvements over its predecessors, 2G, 3G and 4G. The issue of IMSI catchers has plagued users and threatened the security and sanctity of mobile networks globally. I briefly discussed Stingray/IMSI catchers in my previous article, a look into 5G. However, recent research has revealed a new attack vector, discovered by researchers from Ruhr University Bochum, Germany, together with NYU Abu Dhabi.

What are IMSI catchers?

In a nutshell, IMSI catchers are fake base stations. They act as a silent relay between the UE (the mobile phone) and the real base station. While masquerading as the network, the fake base station requests the user’s permanent identity. This affects all users within range of the fake base station: the attack catches everyone in its vicinity, and the attacker then narrows down to his chosen target within that list.

IMSI catchers typically work by forcing communications down to 2G, since 2G protocols have several security weaknesses (kept alive by backward-compatibility support). Once the target is connected to the IMSI catcher, the catcher performs a MITM (man-in-the-middle) attack, putting itself directly between the target UE and the cellular network.

In a 2G environment, the IMSI catcher uses the IMSI obtained from the UE to answer the identity request from the cellular network, and then uses the target device to complete the challenge that requires the SIM card’s secret key.

IMSI catchers are primarily used for the following reasons.

  • Spyware delivery: Some high-end IMSI catchers can deliver spyware to the target device. The spyware provides RAT (remote access trojan) capabilities such as reporting the target’s location on demand and exfiltrating audio/text/images through the device.
  • Data extraction: Capture metadata such as calls made (A party, B party), call duration, date/time of call, the contents of unencrypted calls/texts, and even data usage (sites visited).
  • Data interception: Some IMSI catchers advertise the ability to divert calls and text messages, edit messages and spoof the user’s identity in calls and text messages.
  • Location tracking: IMSI catchers can force a target UE to report a precise location using GPS, or use the signal strength of nearby towers for triangulation to accurately pinpoint the user’s location.

What about SUCI?

In 5G networks, the UE stores the permanent identifier and the long-term key in the USIM (Universal Subscriber Identity Module). These are the credentials used by the UE to establish mutual authentication with the 5G network. Three identifiers matter in this process: the permanent identifier SUPI (the 4G equivalent is the IMSI), the concealed identifier SUCI, and the temporary identifier 5G-GUTI.

The diagram (above in the original post) shows the basic message exchange for user registration and authentication. The initial registration carries the SUCI; on later registrations the UE presents its temporary 5G-GUTI, and only if the network cannot resolve it does it ask for the identity again (answered with a fresh SUCI, never the bare SUPI). It is somewhat like websites using cookies to keep you logged in instead of asking you to authenticate every time. Authentication happens both ways: the user authenticates the network and the network authenticates the user. Note that the AKA messages themselves are UNPROTECTED; encryption starts only AFTER the session keys are agreed upon.

SUCI vs SUPI

In 5G networks the permanent identifier is not sent in the clear. The SUPI is encrypted with the operator’s public key, which is stored in the USIM, and the result is the SUCI. Only the operator holds the matching private key, so only the operator can decrypt the SUCI and reveal the subscriber’s identity. A fresh SUCI is generated before every use (the ECIES scheme draws a new ephemeral key pair each time), so two SUCIs cannot be linked: an observer cannot tell whether they belong to the same subscriber, even if the user connects multiple times.

Since the SUCI varies, it looks as though different users are connecting to the network. Note that SUPI concealment is an OPTIONAL feature (the “null scheme”, which sends the SUPI unconcealed, is still permitted), which needs to be configured by the operator.

SUCI Catcher attack

Discovery Phase

Using AKA linkability, the attack gets the UE to give up its own identity. For this to work, the attacker must first learn any SUCI previously used by the target UE. This is done by (1) sniffing the traffic for SUCI messages, knowing where the target UE is, or (2) computing a SUCI from the target’s SUPI/IMSI, since the SUCI is just an ECIES encryption (Curve25519 in Profile A, secp256r1 in Profile B) under the operator’s public key, which is public by design. The IMSI itself can be obtained through a downgrade, SS7 or mobile-app-based attack.

Attack Phase

Completing the discovery phase, the attacker now holds a SUCI of the target UE. When an unknown UE connects to the catcher, the attacker tries to find out whether this unknown UE is the searched-for subscriber.

Using the obtained SUCI, the catcher sends a Registration Request to the real network (the request needs no authentication to execute). The network answers with an Authentication Request (RAND, AUTN) computed from the target’s key, which the catcher forwards to the unknown UE.

There are two possible outcomes. First, if the unknown UE really is the searched-for UE, its USIM verifies the MAC in AUTN successfully and replies with an Authentication Response, or with an Authentication Failure whose cause is Sync Failure (the sequence number SQN is out of range and needs resynchronisation). Second, if it isn’t, the MAC check fails and the UE sends an Authentication Failure with cause MAC Failure to the SUCI catcher. To avoid the Sync Failure ambiguity, the attack prepends a reset stage: a genuine, successful AKA between the UE and the network BEFORE the actual probe, which resynchronises the sequence numbers.

While the method is described for one UE, it scales: the catcher can test many captured SUCIs against each UE that connects.

SUCI Catcher Countermeasures

Several mechanisms have to line up for the attack to succeed, and each is a point where a countermeasure can bite.

The SUCI catcher exploits pre-authentication traffic between the UE and the network. 3GPP TR 33.809 studies ways to protect broadcast and pre-authentication messages; if that traffic were protected, SUCI catchers would stop working. This has yet to be standardised by 3GPP, so at the moment the current 5G standard has no mitigation.

Linkability is the other factor enabling this attack. Mitigating the linkability of authentication responses is optional. The 3GPP study TR 33.846 proposes hiding the failure reason in the authentication reject. This is not a critical dependency: the failure cause only helps the attacker, it does not make the attack. Observing whether the UE and the network go on to establish a connection still confirms a match.

A network-based detection and prevention (NDP) capability would be a supplementary control. The attack uses the network as an oracle to generate fresh authentication vectors, so the network can throttle the attack’s scalability effectively and with little adoption effort. Operators can keep track of already-used SUCIs and use this to detect large-scale SUCI catchers. This detection will not work if the attacker generated the SUCI from a known IMSI. A custom SUCI scheme can be deployed to detect attacker-originated requests by guaranteeing freshness and the SUCI’s authenticity (i.e. using a counter and a UE public/private key pair).

Some controls can be implemented at the UE level. The UE can detect a SUCI catcher by spotting anomalous protocol behaviour; for example, repeated authentication requests in quick succession are a dead giveaway. The UE or the USIM can limit or delay its responses, which degrades the attack’s scalability: if the number of responses is capped at a small number, the attacker gets only a few attempts to test candidate SUCIs per connection. Apps such as SnoopSnitch that have access to the baseband could be integrated with such functionality.
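The concealment step, the discovery and attack phases, and the UE-side rate limit described above can be watched in one place with a toy model. The following is an added example written for this article, not code from the Ruhr-Bochum/NYU Abu Dhabi paper or from 3GPP, and it runs offline with the standard library only. Labelled simplifications: HMAC-SHA256 stands in for the MILENAGE f1..f5 functions; a symmetric key shared between USIM and home network stands in for the operator’s ECIES key pair (so, unlike real 5G, whoever holds it could also deconceal; nothing in the attack depends on that); the message layouts, the SQN window and the UE’s challenge budget are invented. It shows that two SUCIs for the same SUPI differ on the wire yet deconceal to the same subscriber, that a Registration Request carrying a captured SUCI yields a challenge only the target’s USIM accepts (RES or Sync Failure) while every other UE answers MAC Failure, and that capping answered challenges per registration leaves the catcher a single probe per attach.

```python
"""Toy 5G-AKA model: SUCI freshness, the linkability oracle a SUCI catcher
exploits, and a UE-side rate limit.  Added example, not code from the paper.
Assumptions: HMAC-SHA256 stands in for MILENAGE f1..f5; a symmetric key shared
by USIM and home network stands in for the operator's ECIES key pair; message
layouts, SQN window and the UE challenge budget are invented."""
import hashlib
import hmac
import secrets

SQN_WINDOW = 32         # forward jumps larger than this make the USIM report a sync failure
UE_MAX_CHALLENGES = 2   # countermeasure: challenges a UE answers per registration it started


def prf(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


class HomeNetwork:
    def __init__(self):
        self.conceal_key = secrets.token_bytes(32)   # assumption: stands in for the operator key pair
        self.subs = {}                               # SUPI -> {"k": K, "sqn": int}

    def provision(self, supi, k=None):
        k = k or secrets.token_bytes(16)
        self.subs[supi] = {"k": k, "sqn": 0}
        return UE(supi, k, self.conceal_key)

    def deconceal(self, suci):
        nonce, ct, tag = suci[:16], suci[16:-8], suci[-8:]
        if not hmac.compare_digest(tag, prf(self.conceal_key, b"tag", nonce, ct)[:8]):
            raise ValueError("invalid SUCI")
        return xor(ct, prf(self.conceal_key, b"ks", nonce)).decode()

    def auth_request(self, suci):
        """Registration Request -> fresh authentication vector (RAND, AUTN, XRES).
        Nothing authenticates the requester, which is exactly what the catcher abuses."""
        sub = self.subs[self.deconceal(suci)]
        sub["sqn"] += 1
        k, sqn = sub["k"], sub["sqn"].to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = prf(k, b"f1", rand, sqn)[:8]
        ak = prf(k, b"f5", rand)[:6]
        return rand, xor(sqn, ak) + mac, prf(k, b"f2", rand)[:8]   # AUTN = (SQN xor AK) || MAC

    def resync(self, suci, auts):
        """Re-base the network counter on the SQN the USIM reported in AUTS."""
        self.subs[self.deconceal(suci)]["sqn"] = int.from_bytes(auts, "big")


class UE:
    def __init__(self, supi, k, conceal_key):
        self.supi, self.k, self.conceal_key = supi, k, conceal_key
        self.sqn, self.challenges = 0, 0

    def make_suci(self):
        nonce = secrets.token_bytes(16)   # fresh randomness -> a different SUCI for the same SUPI every time
        ct = xor(self.supi.encode(), prf(self.conceal_key, b"ks", nonce))
        return nonce + ct + prf(self.conceal_key, b"tag", nonce, ct)[:8]

    def start_registration(self):
        self.challenges = 0               # a registration the UE itself started resets the budget
        return self.make_suci()

    def auth_response(self, rand, autn):
        self.challenges += 1
        if self.challenges > UE_MAX_CHALLENGES:
            return "THROTTLED", None      # UE-side countermeasure: stop feeding the oracle
        ak = prf(self.k, b"f5", rand)[:6]
        sqn = xor(autn[:6], ak)
        if not hmac.compare_digest(autn[6:], prf(self.k, b"f1", rand, sqn)[:8]):
            return "MAC_FAILURE", None    # challenge was built for some other subscriber's key
        n = int.from_bytes(sqn, "big")
        if not self.sqn < n <= self.sqn + SQN_WINDOW:
            return "SYNC_FAILURE", self.sqn.to_bytes(6, "big")   # right key, stale counter: AUTS
        self.sqn = n
        return "RES", prf(self.k, b"f2", rand)[:8]


class SuciCatcher:
    """Fake gNB holding one previously captured SUCI of the target."""
    def __init__(self, network, captured_suci):
        self.net, self.target_suci = network, captured_suci

    def is_target(self, unknown_ue):
        # Reset stage: relay a genuine AKA so the UE's SQN is in step with the network.
        rand, autn, _ = self.net.auth_request(unknown_ue.start_registration())
        unknown_ue.auth_response(rand, autn)
        # Probe: ask the network for a vector for the *captured* SUCI and replay it to the unknown UE.
        rand, autn, _ = self.net.auth_request(self.target_suci)
        status, _ = unknown_ue.auth_response(rand, autn)
        return status in ("RES", "SYNC_FAILURE")   # either way, this USIM holds the target's key
```

The budget of two is deliberately tight so the effect is visible: the reset stage spends one challenge and the probe the other, and a third request (a second candidate SUCI tested against the same UE) is refused. A real USIM would rate-limit per time window rather than per registration, but the scaling argument is the same.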

Conclusion

5G aims to eliminate the errors of past generations of networks. New functionality brings new attack vectors, and this is surely the beginning of more and newer attacks. With researchers scrutinising these new stacks, standards need to catch up faster so that issues can be mitigated as soon as possible.

Reference

  1. 5G SUCI Catchers: Still catching them all? https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2021/06/02/5G-SUCI-Catcher-WiSec21.pdf

Malaysia’s International Trade and Industries CIMS 3.0 – Case study

Background

We have been in this pandemic for over a year. The Malaysian government recently issued a decree for a “total lockdown”, which requires everyone to work from home. Only selected sectors that have been predefined, or that have approval from the ministry, are allowed to operate.

MITI’s role

In order to obtain the approval, one has to fill in the details and make the submission to MITI through its CIMS portal. The portal was developed by MARII, an agency under MITI. In this case study, we look at the portal’s operational effectiveness and get a view into governmental online services and the digitalisation process.

The lockdown was announced to be effective from 1 June 2021 till 14 June 2021 (ignoring the fact that the Health Director General mentioned it would take 3-4 months for the lockdown to bear fruit). From the outset, doubts shrouded the application process, with multiple ministries involved in the approval. After much ado, it was decided that MITI’s CIMS 3.0 would be the single point of application.

CIMS in production

The system was used in the previous lockdown, but not much documentation about its effectiveness was made available. Hence, during this “supposedly final” lockdown as the vaccination drive intensifies, I felt it was imperative to document the effectiveness of this system.

The system appears to be tiered along current practices. The front end is apparently a Varnish Cache server, used to speed up page delivery to clients. This was evident from the Varnish error pages that appeared constantly throughout use of the system.

The backend seems to be an nginx web server, which would act as a proxy to the actual web application or web services. This was also evident from the error pages displayed.

One interesting thing to note: while nginx sat in the backend, its error pages displayed the version number 1.16.1. That branch had already reached end of life; by mid-2021 the stable branch was 1.20 and the mainline 1.21. nginx 1.16.1 is within the range affected by CVE-2021-23017, a one-byte memory overwrite in the resolver that can crash a worker process and has been reported as potentially exploitable for RCE (remote code execution); the fix shipped in 1.20.1 and 1.21.0. Two caveats a practitioner would want: the bug is only reachable when the resolver directive is configured (and the attacker can forge DNS responses to nginx), and a CVE number carries the year in which it was reserved, not a disclosure date; the nginx advisory went out on 25 May 2021.

MITI does seem to have its ears to the ground. Based on the feedback provided, MITI quickly set up specific error pages to mask the underlying daemon messages. A good first move, but the damage was done and the information is now out there.
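As an added example (not MITI’s configuration, which is not public, and not code from this page), these are the nginx settings that address the two visible problems, version disclosure and daemon-generated error pages, together with the one fact that matters for CVE-2021-23017. The hostname, upstream addresses, certificate paths and error-page path are placeholders.

```nginx
# Fragment of the http {} context.  Placeholders: cims.example, 10.0.1.x, /etc/nginx/tls, /var/www/errors.

# 1. Stop advertising the version: removes "nginx/1.16.1" from the Server header
#    and from nginx's own built-in error pages.
server_tokens off;

upstream app_pool {
    # Members are added or removed by provisioning tooling (e.g. an Ansible playbook).
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:8080 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name cims.example;
    ssl_certificate     /etc/nginx/tls/cims.crt;
    ssl_certificate_key /etc/nginx/tls/cims.key;

    # 2. Serve a static, application-branded page instead of the daemon's default
    #    "502 Bad Gateway" page, so an outage does not reveal the stack.
    error_page 500 502 503 504 /maintenance.html;
    location = /maintenance.html {
        root /var/www/errors;
        internal;          # never reachable by direct request
    }

    location / {
        proxy_pass http://app_pool;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
        # Try another pool member on connection errors before giving up with a 502.
        proxy_next_upstream error timeout http_502 http_503;
        proxy_next_upstream_tries 2;
    }
}

# 3. CVE-2021-23017 lives in the resolver.  It is only reachable when a `resolver`
#    directive is configured; with static upstream addresses as above there is none
#    to configure.  Upgrading to 1.20.1 / 1.21.0 or later removes the bug regardless.
```

Note that server_tokens off only hides the version string; it does not change what the daemon is, and a fingerprinting scanner can still identify nginx from header ordering and default behaviour. The upgrade is the control; the masking is hygiene.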

Looking within the layers

While only the system owners know how the application is tiered, it fairly obviously follows the standard 3-tier architecture, with Varnish at the front (caching and, presumably, load balancing) and nginx in the backend. The architecture may be sound (based on assumptions), but where the system fails is capacity management. This isn’t unique to MITI; other government agencies have had the same problem (another example would be the JKJAV/CITF web failure during vaccine registration, and the occasional MySejahtera errors).

Reviewing the errors that were constantly displayed, it can be concluded that CIMS ran out of capacity under the sudden workload demanded of it. No actual numbers were published on the amount of traffic or the number of requests received, but the errors indicate that the backend infrastructure was unreachable. At times even the login page was unreachable, indicating that Varnish itself had run out of steam.

Strategy for service

We’ve seen what happened to the service; now let’s explore what can be done to improve it.

Request tiering

The key issue is that everyone is using the service at the same time: all states, all industries, all at once. One way to prevent overload is to tier requests based on a set parameter, for example state. States A, B and C apply on certain days, followed by D, E and F. Or divide by industry. This allows effective use of the resources without scaling up too much. However, it requires adequate lead time before the lockdown comes into effect; unfortunately, given the circumstances in play, this could not be done.

Elastic resources

Government ICT in Malaysia is coordinated centrally by MAMPU. Creating a central compute pool (aka a private cloud) would allow services to be deployed on that cloud. A government cloud would allow any ministry to tap into a larger pool of resources when a service is expected to grow beyond its average use. This cloud can be on-prem or hosted with an existing cloud provider.

Service architecture

It is important that any government digital service is built with scalability at heart. Making an app work is primary, but making it scale is paramount. Service metrics should be introduced to identify performance levels, and scaling capabilities (e.g. triggering an Ansible playbook to provision a new web server and add it to the default pool) should be built in as primary functionality alongside the user-facing functionality, covering both scale-up and scale-down. One resource worth tapping is the free book Google published with O’Reilly Media, “Building Secure & Reliable Systems: Best Practices for Designing, Implementing and Maintaining Systems”.

Conclusion

This issue isn’t new, and isn’t going to go away. As a nation that is focusing on digitalisation, service reliability will be critical to the success of the implementation. Proper service architecture, engineering, implementation and operations management are critical in ensuring an “always-available” service for its customers.

Reference

  1. https://www.thestar.com.my/news/nation/2021/05/30/covid-19-curve-can-be-flattened-in-three-to-four-months-if-all-follow-sop-says-health-dg
  2. https://www.cybersecurity-help.cz/vdb/SB2021052543
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017

5G Security Primer

The whole is greater than the sum of its parts.

This is the mantra when it comes to mobile security. Without losing sight of the forest for the trees, the network is only as strong as its parts, secured individually and collectively. In building the security standards, global organisations such as 3GPP, ETSI, IETF and ISO have joined hands to get the security standards done the right way.

This brief article investigates the key security enhancements in 5G.

In any system, the most important component is authentication. The authentication framework in 5G is flexible and robust, allowing different sets of credentials besides SIM cards, and it enhances subscriber privacy by mitigating the IMSI catcher issue that has long plagued mobile networks. Additional security at higher protocol layers is implemented on the new service-based interfaces, and integrity protection of user data over the air interface is added alongside confidentiality.

Inheritance from the former standards

While the earlier standards were never so focused on security, there were incremental improvements to the network requirements starting from 3G. These were brought forward, in tandem with new features specific to 5G. Hence you will find features carried over from earlier generations implemented as part of 5G.

Sets of mechanism

The first set contains the network access security mechanisms: security features that give users secure access to services through the User Equipment (UE, the phone) and protect against threats on the air interface between the UE and the radio node (known as eNodeB in LTE and gNB in 5G).

The second set contains the network domain security mechanisms: features that enable nodes to securely exchange signalling data and user data between network elements (i.e. radio nodes and core network nodes).

A simplified version of the security architecture of LTE and 5G (figure in the original post), showing the grouping of network components/entities that need to be secured in the Home/Local and Visited/Foreign Network and all the links that must be secured.

New Authentication Framework

Across 3GPP network generations, access authentication is the central security procedure. In the 5G security standards it is known as primary authentication. This procedure is typically performed during initial registration (known as initial attach in previous generations), which happens when a UE/device is turned on.

Once successfully authenticated, session keys are established and used to protect communications between the UE and the network. The authentication procedure has been designed to support EAP, a protocol standardised by the IETF. EAP is used extensively, even in implementations of IEEE 802.11 (aka Wi-Fi).

The benefit of using this protocol is that it allows the use of different credentials and supplicants, extending beyond the traditional SIM approach. This includes digital certificates (X.509), pre-shared keys, and even a username/password pair. One caveat: for public networks 3GPP still mandates 5G-AKA or EAP-AKA’; other EAP methods such as EAP-TLS are allowed for private (non-public) networks. That is where the flexibility pays off, in use cases beyond the typical mobile-based approach, across industries and into IoT networking.

EAP also allows secondary authentication, which is performed for authorisation during the set-up of user-plane connections (PDU sessions) against an external data network. Use cases include establishing phone calls, surfing the web, and even delegating to third-party authorisation for OTT services such as streaming or social media. Extending authentication beyond the network provider allows a seamless user experience as well as secure credentials for supporting services.

Enhanced privacy

The previous generations of networks had many issues surrounding subscriber privacy, including attacks originating from fake base stations, popularly known as IMSI catchers or Stingray devices.

File picture of Stingray device

The new measures make it impractical for fake base stations to identify and trace subscribers using conventional methods such as passive eavesdropping or active probing for permanent and temporary identifiers (SUPI and 5G-GUTI in 5G).

Together with these improvements, 5G makes it much harder for attackers to correlate protocol messages and single out a subscriber, because only a limited set of information is sent in cleartext even in the initial registration messages; the rest is concealed. Another improvement is a general framework for detecting fake base stations, based on the radio measurement reports the UE sends, which makes it difficult for fake base stations to remain undetected.

Interconnect and Service based architecture security

5G has brought a paradigm shift to mobile networks, moving from the classical model of point-to-point interfaces between network functions to a Service-Based Architecture (SBA) with Service-Based Interfaces (SBI). In an SBA, the different functionalities of a network entity are refactored into services exposed and offered on demand to other network entities.

SBA has also pushed for greater protection at higher protocol layers (transport and application), in addition to the protection of communications between core network elements at the IP layer (usually done through IPsec). Hence 5G core network functions support current security protocols such as TLS 1.2 and TLS 1.3 to protect communications at the transport layer, and the OAuth 2.0 framework at the application layer to ensure that only authorised network functions are granted access to a service offered by another function. This is a move away from traditional mobile-only protocols towards a more standardised, universal approach to security.

3GPP SA3

3GPP SA3 (the security working group) delivered many improvements to interconnect security (i.e. security between different operator networks), consisting of 3 building blocks:

  1. A new network function called the Security Edge Protection Proxy (SEPP) was introduced in the 5G architecture. All signalling traffic between operator networks is expected to transit through these proxies.
  2. Authentication between SEPPs is required. This enables effective filtering of traffic coming from the interconnect.
  3. A new application-layer security solution on the N32 interface between SEPPs was designed to protect sensitive data attributes while still allowing mediation services (e.g. IPX providers) through the interconnect.

The main components of SBA security are authentication and transport protection between network functions using TLS, an authorisation framework using OAuth 2.0, and the improved interconnect security designed by 3GPP.
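To make the OAuth 2.0 part of SBA security concrete, here is an added example (my own illustration, not code from 3GPP or any core-network vendor) of the check a producer NF runs on the access token a consumer NF presents. Assumptions: the NRF, which acts as the OAuth 2.0 authorisation server in SBA, signs tokens as HS256 JWS with a key it shares with the producer (TS 33.501 also permits asymmetric signatures); the claim names iss, sub, aud, scope and exp follow TS 29.510 as I recall them; the NF names, the NRF FQDN and the keys are invented. The producer refuses the request unless the signature verifies, the issuer is its NRF, the token is unexpired, it is addressed to this NF type and its scope covers the service being invoked. The JWT handling uses only the standard library so the example runs offline.

```python
"""Producer-NF side authorization of an NRF-issued OAuth 2.0 access token on a
5G service-based interface.  Added example, not code from 3GPP or a vendor.
Assumptions: HS256 JWS with a key shared by NRF and producer NF; claim names
iss/sub/aud/scope/exp as in TS 29.510 (from memory); NF names and keys invented."""
import base64
import hashlib
import hmac
import json
import time

NRF_ID = "nrf.5gc.mnc012.mcc502.3gppnetwork.org"   # invented NRF FQDN


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(key, consumer_nf, producer_nf_type, scope, ttl=300, now=None):
    """What the NRF (the OAuth 2.0 authorization server in SBA) returns to a consumer NF
    after a successful access-token request: a JWT scoped to one producer NF type."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": NRF_ID, "sub": consumer_nf, "aud": producer_nf_type,
              "scope": scope, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def producer_authorize(token, key, my_nf_type, requested_service, now=None):
    """Producer NF decision for one incoming SBI request.  Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm; never let the token header pick it (alg=none / key-confusion attacks).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(b64url_decode(c))    # only trusted once the signature is verified
    if claims.get("iss") != NRF_ID:
        return False, "not issued by our NRF"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    aud = claims.get("aud")
    if my_nf_type not in (aud if isinstance(aud, list) else [aud]):
        return False, "token addressed to another NF"
    if requested_service not in str(claims.get("scope", "")).split():
        return False, f"scope does not cover {requested_service}"
    return True, f"{claims['sub']} may invoke {requested_service}"


if __name__ == "__main__":
    shared = b"constructed-nrf-udm-key"      # invented; would be provisioned out of band
    tok = nrf_issue_token(shared, "amf-01", "UDM", "nudm-sdm nudm-uecm")
    print(producer_authorize(tok, shared, "UDM", "nudm-sdm"))    # allowed
    print(producer_authorize(tok, shared, "UDM", "nudm-ueau"))   # refused: scope
    print(producer_authorize(tok, shared, "AUSF", "nudm-sdm"))   # refused: audience
```

The order of the checks is the point: signature and algorithm first, so nothing inside the token is believed before it is proven to come from the NRF; audience before scope, so a token minted for one NF type cannot be replayed against another even when the service names overlap. On a real SBI the same token would arrive in the HTTP/2 Authorization header over TLS; the TLS layer authenticates the peer NF, the token authorises the call.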

5G roaming scenario using the service-based architecture (simplified; figure in the original post)

User plane integrity protection

Integrity protection of the user plane (UP) between the UE and the gNB was introduced as a new feature. Support for integrity protection, like the encryption feature, is mandatory on both devices and gNBs, while its use is optional and under the control of the operator.

It is well understood that integrity protection is resource-demanding and that not all devices will support it at full data rate. Therefore the 5G network allows negotiation of the rate at which the feature applies. For example, if the device indicates 64 kbps as its maximum data rate for integrity-protected traffic, the network only turns on integrity protection for UP connections whose data rates are not expected to exceed 64 kbps.

Summary

5G has been a huge step up, with 3GPP and all other bodies working hand in hand to improve the security posture of this new generation network. Adoption of existing security protocols across standards bodies shows that the networks have been built with security considerations in mind, a good and right step forward.

Make or Break – Paradox of Choice

I decided to take a break from writing my usual tech/cyber related stuff and focus on other topics of interest. For the longest time, I have always been fascinated by the faculty of the mind, understanding mental patterns and how to “optimise” thinking. This article stemmed from my conversations over the weekends, as well as deciphering the recent turn of events which, perhaps, may serve as a guide to others. This article is more towards decision-making, behavioural analysis and how human-social interaction makes a difference in day-to-day situations.

When it comes to a point where one has to decide, the choice to make is almost binary 90% of the time. The choice to be made is always around either make, or break. Some might argue that it’s non-linear or non-binary, as not making a decision is a decision itself. In a macro-context, non-decision can still be clubbed into either make or break, depending on the situation. If non-decision keeps the status quo, it is deemed as make. However, if non-decision leads to erosion and destruction, one becomes complicit and the choice is obviously break. Hence, for the simplicity of this article, the choices are focused around make or break.

Make, in simple terms, is making a decision that supports the notion. For example, when a person is arguing with his friend over which food to buy and share, going with the choice of make means that the person “gives in” or “gives way” to the other. Make promotes keeping the relationship alive, putting the interest of others above self, and is often seen as being submissive in the interest of others. Simply put, to keep the relationship alive and healthy, one does anything necessary to support that relationship.

Break, on the other hand, is simply the direct opposite of make. If make is selfless, then break becomes self-oriented. While make is giving in, break means putting self above others, making sure one’s own needs and choices are met and honoured. Break promotes “my way or the highway”, putting self-preference above others, making it known to everyone, and will not hesitate to walk away when the situation is unfavourable.

Is the choice of make or break seamless? It primarily depends on a few factors. Firstly, the default predisposition of the person. If the person is naturally accommodating and group-oriented, then make will be the obvious choice. If the person is deemed to be hard-headed, the natural choice is break. Secondly, the equation of power. A person of higher authority tends to break more than make, whereas those in the lower ranks tend to make for the sake of self-preservation. This can be further differentiated by the traits of a manager versus a leader. Thirdly, the level of patience tends to influence the choice of either make or break.

Each choice has its own pros and cons. Let’s dive into it.

Make promotes growth. Make keeps the relationship alive and creates situations for longevity. In the general view, make seems more positive. Make is the choice of most people, to agree and go with the flow. Make moves forward, keeps it alive. But make can have a devastating effect. In Stockholm syndrome, the choice of make by the victim is caused by the sense of belonging and attachment to the abuser, creating a net negative relationship. Hence, abusive relationships continue due to the mental attachment towards a sense of belonging and the fear of being alone. The Stanford Prison experiment showed the relationship between the prisoners and withstanding the abuse of the wardens, despite the prisoners actually being free people who willingly participated in the experiment. The choice of make is often seen by many as a non-alternative or submissive, but in actual fact may be the effort of the individual doing his/her best to keep the relationship alive.

Break seems like a cut-and-dried approach. “My way or the highway”. I want my choice or it’s no go. Break seems authoritarian, and at times the ultimate decision. Break creates a constant state of watchfulness, being aware of what the person wants. A person with a predominantly break mindset will be deemed as selfish, or self-centered, looking at his/her own preference. If make is the submissive partner, then break is the dominant partner. The choice of break seems harsh and at times rude, but break is the choice for those who have had enough of practicing make and decide that, for once, one’s own needs are necessary.

Make and break work in pairs. Someone who wants to break will need someone who wants to make. Otherwise, those who make have a better social outreach compared to those who primarily break. In a master/slave relationship, the balance of power actually resides with the slave. Without a slave, the master does not have anyone to dominate.

In a work environment, the make choice is usually made by lower-ranking personnel, whereas break is practiced by management. When a lower-ranking staff member is unhappy or decides to do something about their career, the break opportunity happens when he/she tenders a resignation, or puts in a transfer request out of the section.

Guiding decision-making using these choices depends on the factors influencing the decision and its outcome. In essence, the choice is really between make or break, in any situation. Life, in its own journey, is a culmination of makes and breaks. The paradox of choice here is more than just 2 options, dependent on the intended or perceived outcome of those choices. In our limited wisdom, we tend to see it from our own views, and not from a bird’s-eye view of choice and outcome.

“If you ask me to jump, I’ll see you down there!”

Yet another Facebook leak… 533M records!

Almost everyone on this planet, including their dog, cat, pet parrot and every other being, is listed on Facebook (this also applies to other social media, though not at the scale of how penetrative Facebook is).

Started off as a college fling tracking site, Facebook quickly outgrew its pubescent phase and matured into a global social media giant. This, with a willing John Q. Public happily providing their personal data (scary at times). Facebook quickly became an advertising darling and a platform for marketing, social outreach and, often, information warfare battlegrounds (as seen recently during the last US presidential election campaigns).

In 2019, there were 2 breaches that affected Facebook: one in March/April and the other in September. The most recent one, affecting 533M records (supposedly), was slated to be due to the September incident. However, a more detailed view reveals that the vulnerability may have been lingering since 2012!

The March/April breach (which Facebook claimed to have addressed) seems to have been due to abuse of its own API. The Graph/Marketing API was seen being abused, and was also attributed to the Cambridge Analytica debacle. Facebook stepped in to disable its “supposedly” harmful API to prevent further abuse, but not without receiving backlash, given the extent of the damage Cambridge Analytica had caused.

Lucian Constantin, a senior writer for IDG News Service, wrote on ComputerWorld (8 October 2012) that an independent researcher, Suriya Prakash, found a vulnerability via Facebook’s mobile site. Facebook allows users to associate their contact list with existing Facebook user accounts. Facebook had earlier requested users to submit their mobile number in order to enable SMS-based 2FA to protect their accounts. Now that Facebook had contact information, it also provided users an option to search for other users by specifying their number. To make it easier, a setting was introduced. In Facebook, a user can head on to “Privacy Setting” > “How You Connect” > “Who can look you up using email address or phone number you provided”, with the default setting of “Everyone” (!)

This means that even if you set your phone number visibility to “Me only” on your profile page, anyone who knows your number will be able to look you up unless that setting was changed accordingly. Most people, unaware of this, would leave the setting at its default, falling prey to this type of attack.

Suriya Prakash claimed that he shared the information with the Facebook Security team in August and, after an initial response on 31 August, his emails seemed to have ended up in /dev/null. A Facebook representative responded, saying that the rate at which users can be looked up is restricted.

This became the actual issue which caused the most recent data breach for Facebook. Facebook, however, claimed that there was no hacking, and that this was just another scraping method. Scraping is a means of obtaining information by crawling through the site. However, from my assessment, I find it closer to an IDOR (Insecure Direct Object Reference).

In a typical IDOR attack, the attacker simply enumerates the object by incrementing the ID number, e.g. http://website/id=1

The ID value is incremented, revealing all other objects until the enumeration is complete. In this case, the ID happens to be the mobile number. The attacker created a phone book with ALL possible phone numbers, uploaded it to Facebook and referenced it against Facebook’s own database. Based on the numbers enumerated, one of the victims of this attack is Mark Zuckerberg himself, later identified as having the Signal app running on his phone (surprise, surprise!).
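From the defending side, the tell-tale sign of this kind of enumeration is the shape of the uploaded "phone book": huge and made of consecutive numbers, unlike a real address book. Below is an added example (my own code, not from the article or anything Facebook runs) that scores contact-import batches for that pattern over constructed sample log lines; the log format, field names and thresholds are assumptions.

```python
# Added example (not from the article or Facebook): flag accounts whose
# contact-import uploads look like an ID-style enumeration of phone numbers.
# Log format, account names, numbers and thresholds are all constructed.
import re
from collections import defaultdict

# constructed sample lines: timestamp, account, numbers submitted in one batch
SAMPLE_LOG = """\
2021-04-01T10:00:01Z account=u1001 numbers=60123456789,60198765432,60177712345
2021-04-01T10:00:02Z account=u2002 numbers=60120000001,60120000002,60120000003,60120000004,60120000005,60120000006
2021-04-01T10:00:03Z account=u2002 numbers=60120000007,60120000008,60120000009,60120000010,60120000011
2021-04-01T10:00:05Z account=u1001 numbers=60111223344
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<acct>\S+) numbers=(?P<nums>[\d,]+)$")

def sequential_ratio(numbers):
    """Fraction of adjacent pairs (after sorting) that differ by exactly 1.
    A genuine address book scores near 0; a swept number range scores near 1."""
    nums = sorted(set(numbers))
    if len(nums) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1)

def flag_enumeration(log_text, min_numbers=8, min_seq_ratio=0.8):
    """Aggregate uploads per account across batches and return
    {account: (numbers_uploaded, seq_ratio)} for accounts that look like enumerators."""
    per_account = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these
        per_account[m["acct"]].extend(int(n) for n in m["nums"].split(","))
    flagged = {}
    for acct, nums in per_account.items():
        ratio = sequential_ratio(nums)
        # both conditions: volume alone catches bulk importers, ratio alone catches
        # small test sweeps; together they single out range enumeration
        if len(nums) >= min_numbers and ratio >= min_seq_ratio:
            flagged[acct] = (len(nums), round(ratio, 2))
    return flagged
```

Splitting a sweep across many small batches or accounts defeats the per-account count, so in practice the same ratio is also worth computing per source IP or device and over a longer window.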