Cyber Vigilantism

Data Secrecy, PDPA and Cyber Vigilantism

“Those who create information (in any form) are doomed to safeguard it, until it has been completely destroyed” – Suresh Ramasamy (2005)

There was a buzz on social media about how women in Singapore had compiled a list of persons who are not suitable for dating, for various reasons. This went viral and spilled over into Malaysia, where someone started a similar list. Within hours, it was reported that over 200 entries had been made in that list. On normal days, I would observe the trend to see where it went. I have no clue what data is captured there, so instead of making assumptions I decided to draw a parallel to the situation. A good friend had posted a message saying men should do better, and that he wanted to have a daughter but was now thinking twice about it due to the current situation. I didn’t realize how impactful that message was, to the point that my overthinking brain started writing this article mentally without me even pondering it.

This article is written from an objective lens, analyzing the whole situation from a data, privacy and activism context. It isn’t about what’s right and what’s not, but about giving a perspective on the issue and understanding it further by drawing parallels to how data affects our daily lives, even without us knowing it.

To help me describe this, I have created a fictitious story (no resemblance to the living unless your name is 2 characters and 3 numbers) set in a simple country called Kandaqstan (Hi Jahabar! As you can see, I am missing Penang food!).

This story revolves around car dealerships and their buyers. These are the characters in the story. Look out, loads of puns ahead!

CD007 – Well meaning car dealer

SA001 – Sales Agent

CB004 – Clueless car buyer

CB008 – Car buyer, brother to the owner of CD003

CD005 – A car dealer

CD003 – Another car dealer

CD007 has been an established car dealer. Sales had been brisk, but due to the pandemic (haha, I had to throw this in) sales have dropped. CD007 noticed that while traffic into the centers has reduced, there are still people coming in to test drive the cars. However, CD007 began to notice that there are people who repeatedly test drive but do not buy the car. This frustrates CD007, and they decide to do something about it.

CD007 came up with an idea. Why not compile a list of customers who do repeated test drives without buying or even making a booking? This list is shared amongst the car dealers. In a way, this helps the car dealers identify whether the customer who came in has a “track record” of not buying. So CD007 started this list and it became a hit, as other car dealers began to use it and contribute to it. Soon the list grew and had a lot of comments and even customer ratings (you have some irate customers, some that ask a lot, etc.).

CB004 is a new car buyer. Poor sod, can’t differentiate between a nut and a wheel. He’s worked his way up the corporate ladder and has saved up a lot of money to eventually treat himself to a nice car. Naturally, being careful about every single penny he earned, he wanted to get the best deal and at the same time use the opportunity to learn. His colleagues told him that the best way to know a car is to test drive it.

CD007 was very close to his house and sold what was more or less his preferred car brand. So CB004 would visit the showroom and ask questions. CB004 would also request test drives. Every time a new model or facelift came out, CB004 would line up patiently and wait his turn. CD007 observed this and decided to put CB004 on the list.

Soon after, CB004 noticed the cold treatment he was receiving from CD007. He wasn’t sure what he had done wrong; he thought that’s what everyone did. So CB004 went to another car dealer, CD005. To his surprise, no one entertained him after taking his details. Puzzled, CB004 decided to take a break and thought maybe he was going through a rough spell. But the urgency of getting the car was increasing and he was close to deciding.

A similar situation happened to CB008. Having a family member in the dealership business, CB008 was much more pedantic compared to CB004. He could smell bullshit from miles away, and unfortunately Sales Agents are prone to that syndrome. CD005 decided that they would have none of it and put CB008 on the list.

CB008, receiving the same lackluster treatment, decided to check with CD003. CD003 discovered that his brother CB008 had been put on the list and decided to protest. CD007 was in a predicament: do you remove the entry or do you leave it? CB008 had no avenue to argue his case, as the list is limited to car dealers only. This went on for a while.

Not happy with the situation, CB008 decided to start his own list. This list would carry ratings on how car dealers behave and treat their customers. The news reached our friend CB004, who started subscribing to the list and actively contributing entries. Eventually customers started using the list and boycotted dealers the same way dealers were boycotting customers. The industry became a hostile ground; some dealers decided to stay out of the fight and give each customer equal access. Those earned better sales, and CB004 and CB008 eventually bought their cars.

Intermission 

So let’s analyse the situation.

Once this data is created (referring to the list), we now have a list custodian (aka the owner). We have contributors (who may or may not be attributed for an entry) and consumers who use this data. Note that there will be personal information in the list, so that the person named can be correctly identified. A name alone may be ambiguous (mine is too common), so other identifiers will be included to ensure that the person is identified correctly.

Let’s look at data quality. It is a collaborative list, which means all contributors can add entries to it. There may be a set of parameters or a pick-list of reasons for adding a person; where the real reason isn’t among them, a contributor may simply pick one of the existing options just to get the person or dealer onto the list. Who ensures that the data is accurate? How do you prevent mistaken identity? (We have seen in the past loan sharks attacking innocent victims, the property splashed with red paint, just because the previous tenant had owed money.) How do you prevent a personal vendetta from getting in the way of (ab)using the list?

Data management – how long does a person/dealer stay on that list? Is there an expiry term, like a statute of limitations? Or is it a permanent list? How do you resolve conflicts? Who decides (or becomes God of the list) who stays and who leaves the list? Since the list is relied upon by many, getting on and off the list has consequences for both individuals and dealers. In the case of CB004, he wanted to get a car and had to go to a dealer who wasn’t using the list to complete the sale.

Now, the slightly bigger fish – Privacy.

This section is written based on Malaysia’s implementation of PDPA, citing its principles to explain the context.

If an organization retains personal information, the organization is duty bound to inform the data subject how that data is used. In this case, since the list was kept secret within the industry, no one informed anyone that their personal details were being stored in this list. This is a violation of the General Principle of PDPA.

Is this necessary for the car dealership? No. Dealers can still do business even without access to the list. Hence it is neither mandatory nor exempted under PDPA. Is it necessary to protect the vital interests of the data subject? Obviously not; it is counterproductive for both the customers and the dealers.

Did the customer or the dealer receive a notice about the list? No. The Notice and Choice Principle fails. Does the data subject have the right to review and correct the information? Obviously not. Is the list disclosed to anyone else, e.g. other industries? Maybe. No one knows for sure, as a sales agent who has access may leave the industry but still have access to the list and use it in his/her/their new job. Is it obligatory or voluntary for the data subject to provide the data? Neither, because the data was entered without the data subject’s knowledge. Was the data provided by the data subject used for other than its intended purpose? In this case, a customer provides information for test drive purposes, but it is now used for the list. This is a No as well.

No data shall be disclosed without the consent of the data subject. In this case, data is actively being disclosed to consumers of the list without the knowledge of the data subject.

What security measures are taken to safeguard the list? Well, it’s just a list in Google, with CD007 deciding who has access. CD007 gets a call from a fellow distributor and adds the email address to the access list. Is it sufficient? Maybe. Is there rigor in access management? I doubt it.

Earlier question – how long is the data retained? Perpetually, since the list was started. This does not meet the Retention Principle.

Does CD007 take every step to ensure that the data entered is accurate? No, CD007 relies on those keying into the database to ensure that the data is accurate.

Is the data subject given access to the data and allowed to correct it? No. It’s a private list. This fails the Access Principle.

Suresh, all this is fine and well for this situation, which involves dealers and buyers in a commercial transaction. But the original topic talks about personal use, which is not covered by PDPA.

You are absolutely right. PDPA does not cover data used for personal purposes. However, remember I didn’t end the story, but called it an intermission? Let me continue the story.

Chapter Deux

CB004, thinking about his financial commitments, worries that his current job may not be sufficient for him to take on this new car, even though he can cover the monthly bill. CB004 decides to apply for a job at a local motoring news outlet as IT Supervisor, hoping to get a bump in his salary. The HR staff member, SA001, an ex Sales Agent, does his due diligence on all candidates. Since he was formerly a Sales Agent, he still has access to this private list. Looking at the entry for CB004, he decided to add a footnote for the hiring manager saying that this person’s attitude is not welcome. CB004 was unsuccessful in his job application and, knowing the Malaysian HR process, was simply ghosted without any further details.

I’m going to stop the story here.

While the list is private, its use can never be limited. Anyone having access could use the list for any reason, beyond what it was intended for. Hence, what set out to be a simple, well-meaning effort may grow into a bigger beast.

The actual whale – Defamation

A defamatory statement is a statement that:

  • Tends to lower a person in the estimation of right thinking members of society generally;
  • Causes a person to be shunned or avoided or to expose him to hatred, contempt or ridicule; or
  • Conveys an imputation on a person disparaging or injurious to his office, profession, calling, trade or business.

There are two methods of interpreting the words in an allegedly defamatory statement:

  • By their natural and ordinary meaning; or
  • By innuendo.

Based on this, it is sufficient to say that the list meets the test for being defamatory. This applies to both sides, the buyer and the dealer.

Final Words

Is there a solution to this? No. Cyber vigilantism may look all good and well, but there are real-world issues, from the matter of data and privacy to the legal questions discussed here. Does it solve a problem or exacerbate it? You be the judge.

To my friend, fret not. Have your daughter, raise her in every right way as the responsible father that you are. We are always thrown challenges in life; we usually swim through them even though we think that we’re drowning. Every generation has its own unique challenges and gives you different battle scars, but it is a journey, not a destination. Hope this gives you comfort.

[CISO Series] What do CISOs fear more?

For a start, it’s my favourite time of the year. Halloween. I still remember going trick or treating while in the US, and when I was back, my ex-boss used to throw an awesome neighbourhood party over at his place, complete with a haunted house setup. I think he spent a lot accumulating props and stuff. It’s one of those memories that brings your inner child out (playing dress up, and just looking more horrible than your usual $dayattire), which gives me great joy (and fright!)

So, in line with the theme, let’s talk about fear. Specifically for CISOs – whom do they fear more? To put more detailed context to the question, I’ll be asking: whom do you fear more? Nation state actors or auditors?

Most of you know that I come from a long history in the telecommunications industry, and then transitioned into a senior leadership role at a financial group. These experiences gave me an interesting perspective on how businesses operate, in both the regulated and unregulated space.

The fear for auditors

When I was in the regulated space, I was frightened to death of auditors. Fear-mongering about audits and their results was just over the roof. We were constantly reminded that our career hinged on making sure there were no audit findings. Be it an internal auditor or an external auditor (what’s worse is if it’s a regulator who’s auditing you). So a lot of time and effort is put in on making sure that you follow the policy to the dot. But then the operating environment is so big that it is similar to the ant analogy against a house.

An ant only needs a tiny space to wiggle through and get into the house, while the house owner has to look at every nook and cranny to ensure there are no opportunities for the ants to come in.

What’s worse, the findings are just “face-palming”. “Oh, that system doesn’t have password expiry and your policy says you need to have it.” Or “you forgot to remove the user for the system which needs internal-only access without VPN or any other profile, but since your policy says you are supposed to remove the user within X days, you didn’t meet policy requirements.” These findings go up to the board and the CISO hangs his head in shame. Funnily, at a large conglomerate, a board member even told the CISO to use Excel to keep track of account management for 10k staff with hundreds of individual systems instead of considering an Identity Governance and Administration system.

Policy – bane of existence

The rigid grip of policy in some organizations is beyond belief. Often, a policy change in an organization implies that you are already compliant and should be ready for the next audit. But all organizations will fail on that, because most will take some time, whether getting a new system or instituting a process around what the policy requires. But auditors tend to be sticklers for policy and want it to be working from the day it’s approved (and most policies are pushed by the auditors for implementation, even though they bring no real benefit to the organization but look good on paper for governance). We’ll go into more detail about policy and implementation, and how organizations can avoid such pitfalls, in another article.

For some businesses, compliance is business. If you look at an e-commerce site that relies on credit card transactions, then PCI-DSS is a must. In Asia we say “die-die” must do. Such a business cannot survive if it is unable to make transactions, which makes it business risk #1, and CISOs tend to gravitate towards keeping their career safe by meeting PCI-DSS requirements (remember, a 7-character password is sufficient for PCI-DSS). Rationality goes out of the window and security becomes theatrics. Security becomes a tool to meet compliance rather than actually securing the business.

A CEO once asked – how many compliance people do you need if you have zero business?

From here, you can see that the CISO’s primary focus will be meeting compliance and governance requirements. Anything can be turned into a checklist, and you make sure you tick all the boxes. Whether it makes sense doesn’t matter, but the boxes must be ticked. A template approach is most feasible and gives the stakeholder a false sense of comfort. But is the organization truly secure against actual threats? I wonder how the conversation will go if the organization does get breached –

“But I ticked all the boxes?”

Nation State Actors – The threat

 

If, by chance, the CISO does get to focus on what really matters, you will see the CISO’s gaze turn towards improving security while bringing value to the organization. This is the Type 3 CISO that I discussed in my earlier series article; the link is at the bottom if you want to have a read.

The CISO’s focus would be to constantly review the threat posture of the organization, applying lessons learnt, looking at avenues to increase visibility, strengthening controls and bringing the organization forward every step of the way. As such, you see improvements, both tangible and intangible, keeping the pulse on the ground close to your heart and being able to advise if something has drastically changed that warrants the CISO escalating and taking immediate action. TTPs become the focus, and having operational cyber threat intelligence, coupled with a blue team for defense and a red team for offense, helps improve the security posture. The CISO can also put more emphasis on building team capabilities to further strengthen the organization.

What’s the reality?

In reality, you find CISOs fear auditors more than nation state actors, or threat actors in general. The common thinking is: “If my organization gets hit by ransomware, sure, my systems will be down, but we will be able to rebuild in time. But if I get a black mark at the board meeting, I might as well find a new job!”

There is no shared responsibility and accountability for security, as the CISO becomes the convenient scapegoat for blame, and swift action is taken by removing the person to show that the organization is doing “something” to address the issue. (Still thinking of being a CISO?)

So, how can you change it?

The general consensus is to remove the portfolio of governance and compliance from the CISO and have a separate team (usually under Compliance) handle such functions. This frees the CISO to focus on the role of securing the organization. Remember that the CISO alone cannot secure the organization; it’s a role that depends on all the other stakeholders. For example, you won’t be able to mount the firewall in the rack if the DC guys don’t give you physical access. If you want the CISO to be effective in his/her/their role, then you as an organization have to give them that focus to be able to make a difference for that portfolio. Bundling the two functions will only lead to disaster, as one will demand more time and focus than the other.

All organizations wanting to hire a CISO should ask themselves this key question – what is the main reason for wanting a CISO? Is it to meet a compliance/governance requirement of having one (which means the job scope is skewed towards governance and compliance and not security per se), or because the CEO can’t sleep at night, afraid his/her/their organization might be breached? This question will determine the focus and the “real” expectation of what the CISO should be doing, instead of what the CISO is expected to be doing. Remember, what you expect may not be what you get, because of where the focus is being put.

Secondly, compliance and governance need to be business sensitive and not be the “head-master” of the policy document. Using a risk-based approach, strike a balance between the document and the ground. There will be disparities. There will be deviances, but do they warrant the serious tone of a finding? Over-zealous auditors create more operational overhead for small teams that are struggling to meet basic operations, leading to a collapse of governance. It is almost a self-fulfilling prophecy, so that there will be more audit findings. If the objective of an audit is to ensure 100% policy compliance, then your audit has failed to address the plurality of operations and business. Most often, business demands are retrofitted with security requirements, not vice versa. Purchase decisions are made primarily on price points and not on how well the product meets technical requirements. Hence, how can you expect 100% compliance when, from genesis, the system was never meant to meet policy requirements? The CISO then becomes the architect who retrofits and ensures there is a security wrapper around the system to meet security objectives. Sure, we can write and sign off waivers on an annual basis, but that will eventually become a finding. (By the way, this is one of the primary roles of the team, where you are required to support business decisions, even though they may sound utterly ridiculous.) Remember, security is a business function, not vice versa.

[CISO Series] What kind of CISO are you?

This question isn’t new. In fact, in almost all of the interviews I have attended, this question always pops up somehow (besides how much less you can earn while doing a lot more!).

Everyone’s going to hate my answer, but here it is.

Yes, yes it does. Sad but true. But let’s look further to understand why.

There are a few factors that determine where the CISO will focus his/her attention. Firstly, the expectations of senior management and the Board, and secondly the maturity of the organisation.

Scenario 1

An organization just hired a CISO. They had a small security team (essentially IT staff told to take up the responsibility of security). The team was an organised mess; processes had been established but focused on operational matters rather than security (i.e. managing firewall rulesets for projects and deployments). The team’s security competence is medium, as they understood IT operations but not the nuances of cyber security. The CEO finds the team ineffective and has low confidence in it, hence onboarded a CISO to relook at the team and “make it better”. The team had a lot of questions and needed answers even to fundamental issues such as understanding how NAT works. There are a lot of gaps in what the team is doing and there was no forethought, as the team was built out of urgency and not proper planning.

In this instance, it is important for the CISO to be technically inclined. The focus of the CISO will be on gearing the team up. The CISO will be looked upon as the “subject matter expert” and be a reference point for the team to move forward. You’re a technical CISO more than anything else.

Scenario 2

An organization has a fully functional cyber security team. The team has sufficient (not the best) competence, understands the nuances of cyber security and knows what needs to be done. Their attention is divided between operational work and compliance/governance. The team reports to the Operations head.

You are hired under the Chief Risk Officer, acting as the head of Technology & Cyber Risk. You’re given the title of CISO, being accountable for ensuring the organization stays cyber secure. Your focus is on managing risks more than dipping your feet into technical matters (though you are required to bring them to the Board’s attention and explain the technical details). Your role acts as the second line of defense, keeping tabs on the security team and making sure they stay on top of their game. What’s interesting is that, while you are CISO, the budget for security operations is separate and you don’t get to dictate how they spend it or where they put their priorities.

Interesting question – can a CISO be effective as a completely separate/independent second line of defense? (We answer this question in an upcoming CISO series article.)

In this case, as CISO, your focus is more risk oriented. You need to translate cyber happenings into business speak and show them in dollars and sense (intentional). Your participation in management forums and board committees becomes a focus. You act as force and counter-force to the existing security operations.

Scenario 3

You enter a fully mature organisation. Security operations and risk are well managed and have metrics for constant improvement. On a maturity model, your teams often sit at level 4 for most of the processes. Your teams are well equipped and have their respective subject matter experts guiding them.

As a CISO, you turn your focus to the business. The question on your wall: “How does cyber security add value to the business? How can cyber security be the differentiating factor that affects your revenue positively?” You look at making cyber security a business-positive aspect, building security and trustworthiness as a differentiating factor that gains more customers and revenue.

What organizations want

Most organizations, if asked, would go straight for Scenario 3, while in reality many remain in Scenario 1. The details may change, but the situation remains similar.

Are the three scenarios mutually exclusive? Of course not. The scenarios highlight the dominant role of the CISO (in other words, where the CISO will spend most of his time). Eventually, as time goes by, the gap in the organization will force the CISO to take up that responsibility. A mismatch of expectations will set the CISO up to fail. Senior management expects value, while there’s fire burning in operations. The CISO is left with the task of being the bearer of bad news and, in any instance, is ultimately responsible for ensuring that senior management is up to speed with the happenings on the ground.

For example, in Scenario 1, there are barely enough staff to handle all of the operational roles. But being in a highly regulated industry, the expectation is for compliance/governance/audit to be tip top. The CEO was visibly upset with the CISO when there were constant audit issues, and it’s up to the CISO to communicate that the team is simply not sized for compliance/audit activities. The CISO’s focus will be putting out immediate fires at the operational level.

This brings us to another interesting question – whom does the CISO fear more? The auditor or the threat actor? (We cover this in the next CISO Series article.)

Fellow CISOs – are there any particular topics you want to see discussed? Bring it on!

Week 25 in Technology

It was an interesting week, to say the least. While the news was filled with a lot of interesting bits and bobs, I found one company dominating international headlines.

Good ol’ Microsoft.

Let’s start with a high. Microsoft recently introduced Windows 11 (surprise, surprise). It is a surprise because Microsoft had earlier taken the stance of not introducing any more versions (refer to the Forbes article in the Reference section). Well, that aside, the new Windows also comes with a few caveats.

Firstly, it will only be supported on the newer Intel platforms (I was sore because I have an ASUS NUC and it works really well on Win10 but cannot update due to an “outdated” CPU). The list of supported processors is linked in the Reference section. This seems to be a direction of tying hardware compatibility to a platform, which is a bad idea, as Apple recently announced iOS support for their older phones as well. Windows 11 can technically run on older platforms, but that choice and direction is made by Microsoft (if you want to continue on their platforms). (My 7-year-old MacBook Pro runs the latest OSX with no performance sacrifice in comparison.)

TPM (Trusted Platform Module), introduced in 2006, was an add-on/auxiliary module to add cryptography and its supporting functions, including key generation and storage. A convenient way of locking licenses and everything down to the hardware. It also supports IRM (Rights Management). Security experts were quick to identify the TPM chip as a potential source of problems as well. A ransomware app can reinitialise the TPM chip, generate the public key for encryption and encrypt the hard drive in the background. With the key being generated and manipulated within the motherboard, this will surely be a forest fire in the making (courtesy @GossiTheDog).

Support for Secure Boot is now mandatory. Most new systems (which I count as 5 years and younger) will have BIOS-level support for Secure Boot. I still remember the last time I turned it on; it was hell trying to even get Windows installed. Obviously some kinks need to be sorted out, but it offers boot-level protection to ensure that your boot records aren’t tampered with. Consider it a Ring -1 to Ring 1 security support structure.

Microsoft, in its defense, was quoted as saying that these measures are necessary to improve security for consumers and businesses.

In summary, Microsoft has started enforcing forced obsolescence (so much so that even their own product, Surface, will not support Win11). If I were a Surface customer (thankfully I am on a different platform), I’d be fuming as well. I remember going through a very painful process of justifying why an asset class at my previous employer needed to upgrade from Win7 to Win10 (which included both hardware and software upgrades). Windows 11 has just made the lives of CIOs/CTOs one notch harder and Microsoft even more hated. It’s a serious financial pain now to remain on the Windows platform, and with alternatives such as Chromebook, *NIX and OSX, consumers and businesses may re-evaluate their choice of platform.

And now for the not so savoury stuff.

Microsoft made a blog post on their tracking of Nobelium activities and the hack. For the uninitiated, Nobelium is Microsoft’s name for the SolarWinds attackers. There’s something that stuck out in the blog post, which I will put out here for everyone to review.

“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust “least privileged access” approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”

Notice anything funny in that statement? Let’s break it down.

A customer support agent of Microsoft had malware installed on their machine. The threat actor used that information to launch other attacks.

That’s the preface. Let’s dive in one more level.

Support agents are configured with a minimal set of permissions as part of Zero Trust “least privileged access”.

This raises a lot of questions.

  1. How did the malware install itself on the support agent’s machine if the support agent had least privilege?
  2. Are you saying, despite having Zero Trust, it failed? You mean Zero Trust failed?

When asking these questions, remember that you are posing them to Microsoft, the very people whose tools are used to build the OS, who sell those tools, and who provide a complete set of security capabilities that you trust to secure your environment.

It seems to me that not all details are being released. I mean, you’re talking about Microsoft, who (by rights) should have everything (I mean all security features) turned on, tuned and working tip top. Including stuff like no local admins, no remote access… the works! (You get what I mean.) Not another enterprise that breaks controls for reasons only justifiable to themselves.

Not too long ago I posted this on my LinkedIn.

On one hand, I feel sorry for Microsoft. They’ve put so much effort into improving the security of their tools and platform. On the other, these marketing bits get them into a whole load of trouble.

Reference:

  1. https://blogs.windows.com/windowsexperience/2021/06/24/introducing-windows-11/ – Introducing Windows 11
  2. https://www.forbes.com/sites/gordonkelly/2015/05/08/microsoft-windows-10-last-windows/ – Forbes on why Windows 10 will be the last
  3. https://docs.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-intel-processors – Windows 11 processor support list
  4. https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/ – MSRC blog on new Nobelium activity

SUCI Catcher – a 5G security issue

Introduction

5G has introduced vast improvements over its predecessors, namely 2G, 3G and 4G. The issue of IMSI catchers plagued users and threatened the security and sanctity of mobile networks globally. I briefly discussed Stingray/IMSI catchers in my previous article, A look into 5G. However, recent developments have revealed a new attack vector, discovered by researchers from Ruhr University Bochum (Germany) together with NYU Abu Dhabi.

What are IMSI catchers?

In a nutshell, IMSI catchers are fake base stations. They act as a silent relay between the UE (mobile phone) and the real base station. While masquerading as the network, the fake base station requests the user’s permanent identity. This affects every user within range of the fake base station: the attack targets everyone in the vicinity, and the attacker then narrows down to the chosen target within that list.

IMSI catchers do this by forcing communications down to 2G, whose protocols have several security weaknesses (2G remains available as part of backward-compatibility support). Once the target is connected to the IMSI catcher, the IMSI catcher performs a MITM (Man in the Middle) attack, placing itself directly between the target UE and the cellular network.

In a 2G environment, the IMSI catcher uses the IMSI stolen from the UE to complete the identity request from the cellular network and then uses the target device to complete a challenge that requires the SIM card’s secret keys.

IMSI catchers are primarily used for the following purposes.

  • Spyware delivery: Some high-end IMSI catchers can deliver spyware to the target device. The spyware provides RAT (remote access trojan) capabilities, such as pinging the target’s location directly and transferring audio, text and images from the device.
  • Data extraction: Capturing metadata such as calls made (A party, B party), call duration and date/time of call, including the contents of unencrypted calls/texts and even data usage (sites visited).
  • Data interception: Some IMSI catchers advertise the ability to divert calls and text messages, edit messages and spoof the user’s identity in calls and text messages.
  • Location tracking: IMSI catchers can force a target UE to report a precise location using GPS, or use the signal strength of towers, allowing triangulation to accurately pinpoint the user’s location.

What about SUCI?

In 5G networks, the UE stores the permanent identifier and key in the USIM (Universal Subscriber Identity Module). These are the credentials used by the UE to establish mutual authentication with the 5G network. Through this process, three identifiers become important: the permanent identifier SUPI (4G: IMSI), the hidden/concealed identifier SUCI, and the temporary identifier GUTI (5G-GUTI).

The diagram above shows the basic message exchange for user registration and authentication. The initial stages require the SUCI to be transmitted. However, if the temporary identity cannot be established, then the permanent identity is requested, somewhat like websites using cookies to keep you logged in instead of making you authenticate every time. This process should happen both ways: the user authenticating the network, and the network authenticating the user. AKA messages are UNPROTECTED; encryption happens only AFTER the session key is agreed upon.

SUCI vs SUPI

In 5G networks, sending the permanent identifier in the clear is avoided by using the operator’s public key, which is stored in the USIM. The permanent SUPI is encrypted with this public key before transmission; the result is the SUCI. As the SUPI is encrypted with the operator’s public key, only the operator is able to decrypt it and reveal the subscriber’s identity. The SUCI is regenerated before every use to prevent linkage between SUCIs (aka perfect forward secrecy), preventing an attacker from telling whether two SUCIs refer to the same user (even if the user connects multiple times).

Since the SUCI varies, it gives the impression that different users are connecting to the network. SUPI concealment is an OPTIONAL feature, which needs to be configured by the operator.

SUCI Catcher attack

Discovery Phase

Using AKA linkability, the attack gets the UE to give up its own identity. For this to work, the attacker must learn any SUCI previously used by the target UE. This is done by (1) sniffing the traffic for SUCI messages, with full knowledge of the UE’s location, or (2) computing the SUCI from the IMSI (using either Curve25519 or secp256r1), assuming the operator’s public key is known; the IMSI itself can be discovered through a downgrade, SS7 or mobile-app-based attack.

Attack Phase

Having completed the discovery phase, the attacker now has a SUCI of the target UE. When an unknown UE connects to the catcher, the attacker tries to find out whether this unknown UE is the same subscriber.

Using the obtained SUCI, the attacker sends a Registration Request to the network (the request requires no authentication to execute). The network answers it with an Authentication Request, which is then answered by the UE.

There are two possible outcomes of the Authentication Request. First, if the unknown UE is actually the searched-for UE, it authenticates successfully and responds with an Authentication Response, or with an Authentication Failure whose reason is Sync Failure (the sequence number SQN needs to be synchronised). Second, if it is not the searched-for UE, it sends an Authentication Failure with reason MAC Failure to the SUCI catcher. To handle the Sync Failure case, the attack prepends a reset stage that performs a successful AKA between the UE and the network BEFORE the actual probe; this resynchronises the sequence number and avoids Sync Failure errors.

While the method is described for one UE, it scales well when multiple UEs are searched for at once.

SUCI Catcher Countermeasures

Several mechanisms need to hold for the attack to succeed.

The SUCI catcher exploits pre-authentication traffic between the UE and the network. 3GPP TR 33.809 discusses mechanisms to secure broadcast information. If pre-authentication traffic were protected, SUCI catchers would fail to work. This has yet to be standardised by 3GPP, and at the moment there is no mitigation in the current 5G standards.

Linkability is also a factor enabling this attack. Mitigation of the linkability of authentication responses is optional. The 3GPP study TR 33.846 proposes hiding the failure reason in the authentication reject. This is not a critical dependency of the attack: the failure reasons only help the attacker, and hiding them does not deter the attack, since observing the traffic between the UE and the network will still confirm whether a link is established.

A network-based detection and prevention (NDP) capability would be a supplementary control. The attack uses the network as an oracle to generate fresh authentication vectors. An NDP could effectively throttle the attack’s scalability and requires little effort to adopt. Operators can keep track of already-used SUCIs and use this to detect large-scale SUCI catchers. This detection will not work if the attacker generated the SUCI from a known IMSI. A custom SUCI scheme can be deployed to detect attacker-originated requests by guaranteeing freshness and the SUCI’s authenticity (i.e. using a counter and the UE’s public/private keypair).

Some controls can be applied at the UE level. The UE can detect a SUCI-catcher attack by spotting anomalous protocol behaviour; for example, repeated authentication requests are a dead giveaway. The UE or the USIM can limit or delay responses, which degrades the attack’s scalability. If the number of responses is limited to a small number, the attacker will have few attempts to correctly guess the authentication token. Apps such as SnoopSnitch that have access to the baseband could be integrated with such functionality.
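To make the two detection-side controls above concrete, here is an added example written for this article (not the researchers' code or any 3GPP implementation): an operator-side check that flags SUCIs seen more than once within a window, and a UE-side throttle that stops answering Authentication Requests once a small quota is used up. The SUCI strings, cell labels, timestamps and quota values are constructed.

```python
"""Operator- and UE-side checks against SUCI-catcher probing.

Added example, not code from the paper or from any 3GPP implementation.
The SUCI strings, cell ids and timestamps below are constructed sample data;
a real SUCI also carries the home network id, routing indicator, protection
scheme id, the UE's ephemeral public key and a MAC tag.
"""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class RegistrationRequest:
    ts: float       # seconds since capture start
    cell_id: str    # serving gNB (constructed label)
    suci: str       # concealed identifier as seen on the air interface


# Constructed sample. An honest UE derives a fresh ephemeral key for every
# SUCI, so the same SUCI showing up twice means someone is replaying it.
SAMPLE_REQUESTS: List[RegistrationRequest] = [
    RegistrationRequest(0.0,   "gNB-A", "suci-0-502-12-0000-1-17-a1b2"),
    RegistrationRequest(45.0,  "gNB-A", "suci-0-502-12-0000-1-17-c3d4"),
    RegistrationRequest(60.0,  "gNB-B", "suci-0-502-12-0000-1-17-e5f6"),
    RegistrationRequest(61.0,  "gNB-B", "suci-0-502-12-0000-1-17-a1b2"),  # replayed
    RegistrationRequest(62.0,  "gNB-B", "suci-0-502-12-0000-1-17-a1b2"),  # replayed again
    RegistrationRequest(900.0, "gNB-C", "suci-0-502-12-0000-1-17-0a0b"),
]


def find_replayed_sucis(requests: Iterable[RegistrationRequest],
                        window_s: float = 3600.0) -> Dict[str, int]:
    """Operator-side (NDP) check: SUCIs seen more than once within window_s.

    Returns {suci: number_of_sightings} for every SUCI that repeated. This is
    the 'keep track of already used SUCIs' control; it is blind to an attacker
    who knows the SUPI and the operator public key and can mint fresh SUCIs.
    """
    first_seen: Dict[str, float] = {}
    sightings: Counter = Counter()
    for r in sorted(requests, key=lambda x: x.ts):
        if r.suci in first_seen and r.ts - first_seen[r.suci] > window_s:
            # old sighting aged out: start a new window for this value
            del first_seen[r.suci]
            del sightings[r.suci]
        first_seen.setdefault(r.suci, r.ts)
        sightings[r.suci] += 1
    return {s: n for s, n in sightings.items() if n > 1}


class AuthResponseThrottle:
    """UE/USIM-side control: answer at most max_responses Authentication
    Requests per window_s seconds, then stay silent.

    A catcher uses the network as an oracle and needs one answer per probe,
    so capping answers caps how many subscribers it can test per UE.
    """

    def __init__(self, max_responses: int = 3, window_s: float = 300.0):
        self.max_responses = max_responses
        self.window_s = window_s
        self._answered: deque = deque()

    def allow(self, now: float) -> bool:
        # forget answers that fell out of the sliding window
        while self._answered and now - self._answered[0] > self.window_s:
            self._answered.popleft()
        if len(self._answered) >= self.max_responses:
            return False            # looks like repeated probing: do not answer
        self._answered.append(now)
        return True


def simulate_probe_burst(n_requests: int, spacing_s: float,
                         throttle: AuthResponseThrottle) -> int:
    """Count how many of n_requests (spacing_s apart) the UE would answer."""
    return sum(throttle.allow(i * spacing_s) for i in range(n_requests))


if __name__ == "__main__":
    print("replayed:", find_replayed_sucis(SAMPLE_REQUESTS))
    answered = simulate_probe_burst(20, 2.0, AuthResponseThrottle(3, 300.0))
    print(f"UE answered {answered} of 20 back-to-back Authentication Requests")
```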

Conclusion

5G aims to eliminate the errors of past generations of networks. New functionality brings new attack vectors, and this is surely only the beginning of more and newer attacks. With researchers scrutinising these new stacks, standards need to catch up faster so that issues can be mitigated as soon as possible.

Reference

  1. 5G SUCI Catchers: Still catching them all? https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2021/06/02/5G-SUCI-Catcher-WiSec21.pdf

Malaysia’s Ministry of International Trade and Industry CIMS 3.0 – Case study

Background

We have been in this pandemic for over a year. The Malaysian government has recently issued a decree for a “total lockdown”, which requires everyone to work from home. Only selected sectors that have been predefined, or that have approval from the ministry, are allowed to operate.

MITI’s role

In order to obtain the approval, one has to fill in the details and make the submission to MITI through its CIMS portal. The portal was developed by MARII, an agency under MITI. In this case study, we look at the portal’s operational effectiveness and take a view of governmental online services and the digitalization process.

The lockdown was announced to be effective from 1 June 2021 till 14 June 2021 (ignoring the fact that the Health Director General mentioned that it will take between 3-4 months for the lockdown to bear fruit). From the outset, doubts shrouded the application process, with multiple ministries involved in the approval process. After much ado, it was decided that MITI’s CIMS 3.0 would be the single point of application.

CIMS in production

The system was used in the previous lockdown; however, not much documentation about its effectiveness was made available. Hence, during this “supposedly final” lockdown, as the vaccination drive intensifies, it was imperative for me to document the effectiveness of this system.

The system seems to have been tiered based on current practices. The front end is, by all appearances, a Varnish Cache server, used to speed up page delivery to clients. This was discovered because Varnish errors appeared constantly throughout use of the system.

The backend seems to be an nginx web server, which would have acted as a proxy to the actual web application or web services. This was also evident from the error pages displayed.

One interesting point to note is that although the nginx system was in the backend, it displayed its version number, 1.16.1. The current version of nginx is 1.17.0, while the 1.16 branch is only maintained for fixes. The version of nginx used has been reported to be vulnerable to CVE-2021-23017, which results in RCE (remote code execution). Based on the CVE creation date, the vulnerability was known as far back as January 2021.

It seems that MITI has its ears on the wire. Based on the feedback provided, MITI quickly set up specific error pages to mask the underlying daemon messages. A good first move, but the damage is done, and the information is now out there.

Looking within the layers

While only the system owners know how the application is tiered, it’s fairly obvious that it follows the standard 3-tier architecture, with front load balancers in the form of Varnish and a backend with nginx. The architecture may be sound (based on assumptions), but where the system fails is capacity management. This isn’t unique to MITI; other government agencies suffer the same (for example the JKJAV/CITF web failure for vaccine registration, and the occasional MySejahtera errors).

Reviewing the errors that were constantly displayed, it can be concluded that CIMS was running out of capacity managing the sudden workload demanded of it. No actual numbers were published on the amount of traffic or the number of requests received, but the errors indicate that the backend infrastructure was unreachable. At times, even the login page was not reachable, indicating that Varnish itself had run out of steam.

Strategy for service

We’ve seen what has happened to the service; now let’s explore what can be done to improve it.

Request tiering

The key issue is that everyone is using the service at the same time: all states, all industries, all at once. One way to prevent overload is to tier requests based on a set parameter, for example state. So states A, B and C make requests on certain days, followed by D, E and F. Or divide by industry. This allows effective use of the resources without scaling up too much. However, this requires adequate time before the lockdown comes into effect. Unfortunately, due to the circumstances in play, this could not be done.

Elastic resources

Government agencies in Malaysia are managed centrally by MAMPU. Creating a central compute pool (aka private cloud) would allow services to be deployed on this cloud. The government cloud would allow any ministry to tap into a larger pool of resources when it is anticipated that a certain service will grow beyond its average use. This cloud can be on-prem or hosted with an existing cloud provider.

Service architecture

It is important that any government digital service is built with scalability at heart. Making an app work is primary, but making it scale is paramount. Service metrics should be introduced to identify performance levels, and scaling capabilities (e.g. triggering an Ansible playbook to provision a new web server and assign it to the default pool) should be made primary functionality in tandem with the user-facing functionality, covering both scale-up and scale-down. One resource that can be tapped is the free book Google published with O’Reilly Media, “Building Secure & Reliable Systems – Best Practices for Designing, Implementing and Maintaining Systems”.

Conclusion

This issue isn’t new, and isn’t going to go away. For a nation that is focusing on digitalization, service reliability will be critical in ensuring the success of the implementation. Proper service architecture, engineering, implementation and operations management are critical in ensuring an “always-available” service for its customers.

Reference

  1. https://www.thestar.com.my/news/nation/2021/05/30/covid-19-curve-can-be-flattened-in-three-to-four-months-if-all-follow-sop-says-health-dg
  2. https://www.cybersecurity-help.cz/vdb/SB2021052543
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017

5G Security Primer

The sum of the whole is greater than the individual parts put together.

This is the mantra when it comes to mobile security. Just as one should not lose sight of the forest for the trees, the network is only as strong as its parts secured both individually and collectively. In building the security standards, global organizations such as 3GPP, ETSI, IETF and ISO have joined hands to get the security standards done the right way.

This brief article looks at the key security enhancements in 5G.

In any system, the most important component is authentication. The authentication framework in 5G is flexible and robust, allowing different sets of credentials besides SIM cards, and enhances subscriber privacy by mitigating the IMSI catcher issue that has long plagued the networks. An additional layer of security for higher-layer protocols is implemented on the new service interfaces, as well as integrity protection of user data over the air interface, to further strengthen confidentiality.

Inheritance from the former standards

While the earlier standards were never so focused on security, there were incremental improvements in the network security requirements, starting from 3G. These functionalities were brought forward, in tandem with implementing new features specific to 5G. Hence, you will find features that are brought forward and implemented as part of 5G.

Sets of mechanism

The first set contains the network access security mechanisms: security features that give users secure access to services through the User Equipment (UE/phone) and protect against threats facing the air interface, between the UE and the radio node (known as eNodeB in LTE and gNB in 5G).

The second set of mechanisms contains the network domain-related security mechanisms. This contains features that enable nodes to securely exchange network signaling data and user data between the network elements (i.e. radio nodes and core network nodes).

A simplified version of the security architecture of LTE and 5G, showing the grouping of network components/entities that need to be secured in the Home/Local and Visited/Foreign Network and all the links that must be secured.

New Authentication Framework

In 3GPP networks, access authentication is the central security procedure in every network generation. This is known as primary authentication in the 5G security standards. This procedure is typically performed during initial registration, known as initial attach in the previous network generations, which happens when a UE/device is turned on for the first time.

Once authentication succeeds, session keys are established. These session keys are used to protect the communications between the UE and the network. The authentication procedure has been designed to support EAP, a protocol standardized by the IETF. EAP is used extensively, even in implementations of IEEE 802.11 (aka WiFi).

The benefit of using this protocol is that it allows the use of different credentials and supplicants, extending beyond the traditional SIM approach. This includes digital certificates (X.509), pre-shared keys and even username/password pairs. This provides flexibility for use cases beyond the typical mobile-based approach, across industries and with better proliferation into IoT networking.

EAP also allows secondary authentication, which is performed for authorization during the set-up of user-plane connections. Use cases include establishing phone calls, surfing the web, and even delegating to third-party authorization for OTT services such as streaming or social media validation. Extending authentication beyond the network provider allows a seamless user experience as well as providing secure credentials for supporting services.

Enhanced privacy

The previous generation of networks had many issues surrounding the privacy of subscribers. This includes attacks originating from fake base stations, popularly known as IMSI catchers or Stingray devices.

File picture of Stingray device

The new measures have made it impractical for fake base stations to identify and trace subscribers by using conventional methods such as passive eavesdropping or active probing of permanent and temporary identifiers (SUPI and GUTI in 5G).

Together with these improvements, 5G makes it much more difficult for attackers to correlate protocol messages and identify a single subscriber. This is because only a limited set of information is sent in cleartext, even in the initial attach protocol message. The rest, of course, is hidden. Another improvement is a general framework for detecting fake base stations, based on the radio state information reported by UEs, which makes it difficult for fake base stations to remain undetected.

Interconnect and Service based architecture security

A paradigm shift has been brought about by 5G in mobile networks, moving from the classical model of point-to-point interfaces between network functions to a Service-based Architecture (SBA) with service-based interfaces (SBI). In an SBA, the different functionalities of a network entity are refactored into services exposed and offered on demand to other network entities.

SBA has also pushed for greater protection at the higher protocol layers (e.g. transport and application), in addition to the protection of communications between core network elements at the IP layer (usually done through IPsec). Hence, 5G core network functions support the latest security protocols such as TLS 1.2 and TLS 1.3 to protect communications at the transport layer, and the OAuth 2.0 framework at the application layer to ensure that only authorized network functions are granted access to a service offered by another function. This marks a move away from traditional mobile-only protocols and methods towards a more standardized, universal approach to security.

3GPP SA3

The 3GPP SA3 improvements towards interconnect security (i.e. security between different operator networks) consist of 3 building blocks:

  1. A new network function called the Security Edge Protection Proxy (SEPP) was introduced in the 5G architecture. All signaling traffic across operator networks is expected to transit through these proxies.
  2. Authentication between SEPPs is required. This enables effective filtering of traffic coming from the interconnect.
  3. A new application-layer security solution on the N32 interface between the SEPPs was designed to protect sensitive data attributes while still allowing mediation services through the interconnect.

The main components of SBA security are authentication and transport protection between network functions using TLS, an authorization framework using OAuth 2.0, and the improved interconnect security designed by 3GPP.

5G roaming scenario using the service-based architecture (simplified)

User plane integrity protection

Integrity protection of the UP (user plane) between the UE and the gNB was introduced as a new feature. Support for integrity protection, like the encryption feature, is mandatory on both the devices and the gNB, while its use is optional and under the control of the operator.

It is well understood that integrity protection is resource-demanding and that not all devices will be able to support it at the full data rate. Therefore, the 5G network allows negotiation of the rates at which the feature can be used. For example, if the device indicates 64 kbps as the maximum data rate for integrity-protected traffic, then the network only turns on integrity protection for the UP connections where data rates are not expected to exceed the 64 kbps limit.

Summary

5G has been a huge step up, with 3GPP and all the other bodies working hand in hand to improve the security posture of this new generation of networks. Adoption of existing security protocols across standards bodies shows that the networks have been built with security considerations in mind, a good and right step forward.

Yet another Facebook leak… 533M records!

Almost everyone on this planet, including their dog, cat, pet parrot and every other being, is listed on Facebook (this applies to other social media too, though none is as penetrative as Facebook).

Started off as a college fling tracking site, Facebook quickly outgrew its pubescent phase and matured into a global social media giant, as a willing John Q. Public happily provided their personal data (scarily so, at times). Facebook quickly became an advertising darling and a platform for marketing, social outreach and often information warfare battlegrounds (as seen recently during the last US presidential election campaign).

In 2019, there were 2 breaches that affected Facebook: one in March/April and the other in September. The most recent one, affecting 533M records (supposedly), was said to be due to the September incident. However, a more detailed view reveals that the vulnerability may have been lingering since 2012!

The March/April breach (which Facebook claimed to have addressed) seems to have been due to abuse of its own API. The Graph/Marketing API was seen being abused, which was also attributed to the Cambridge Analytica debacle. Facebook stepped in to disable the “supposedly” harmful API to prevent further abuse, but not without receiving backlash over the extent of the damage Cambridge Analytica had caused.

Lucian Constantin, a senior writer for IDG News Service, wrote on ComputerWorld (8 October 2012) that independent researcher Suriya Prakash had found a vulnerability via Facebook’s mobile site. Facebook allows users to match their contact list against existing Facebook user accounts. Facebook had earlier asked users to submit their mobile number in order to enable SMS-based 2FA to protect their accounts. Now that Facebook had the contact information, it also gave users an option to search for other users by specifying their number. To make it easier, a setting was introduced: in Facebook, a user can head to “Privacy Setting” > “How You Connect” > “Who can look you up using email address or phone number you provided”, with the default setting of “Everyone” (!)

This means that even if you set your phone number visibility to “Me only” on your profile page, anyone who knows your number will be able to look you up unless that setting was changed accordingly. Most people, unaware of this, would leave the setting at its default, falling prey to this type of attack.

Suriya Prakash claimed that he shared the information with the Facebook security team in August and that, after an initial response on 31 August, his emails seemed to have ended up in /dev/null. A Facebook representative responded that the rate at which users can be found is restricted.

This became the actual issue which caused the most recent data breach for Facebook. Facebook, however, claimed that there was no hacking and that this was just another scraping method. Scraping is a means of obtaining information by crawling through the site. However, from my assessment, I find it much closer to an IDOR (Insecure Direct Object Reference).

In a typical IDOR attack, the attacker simply enumerates the object, by incrementing the ID number. e.g. http://website/id=1

The ID value is incremented, revealing all other objects until the enumeration is complete. In this case, the ID happens to be the mobile number. The attacker created a phone book with ALL possible phone numbers, uploaded it to Facebook and matched it against Facebook’s own database. Based on the numbers enumerated, one of the victims of this attack is Mark Zuckerberg himself, later identified as having the Signal app running on his phone (surprise, surprise!).
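As an added defender-side example (illustrative code written for this article, not Facebook's), here is a check that flags a contact-list upload shaped like an exhaustive number sweep rather than a real address book, since the "phone book of all possible numbers" described above is an IDOR in which the mobile number is the object id. The phone numbers and thresholds are constructed.

```python
"""Spotting contact-list uploads that are really phone-number enumeration.

Added example, not Facebook's code. The article describes an attacker
uploading a 'phone book' of all possible numbers so the contact-matching
lookup resolves each to an account (an IDOR where the mobile number is the
object id). A per-lookup rate limit only slows that down; the shape of the
uploaded list is what distinguishes it from a real address book.
Sample numbers below are constructed (Malaysian-style 601xxxxxxxxx format).
"""
import random
from typing import Dict, Iterable, List, Tuple


def normalise(numbers: Iterable[str]) -> List[int]:
    """Strip formatting ('+60 12-345 6789' -> 60123456789) and dedupe."""
    return sorted({int("".join(c for c in n if c.isdigit()))
                   for n in numbers if any(c.isdigit() for c in n)})


def longest_consecutive_run(nums: List[int]) -> int:
    """Length of the longest run of n, n+1, n+2, ... in a sorted list."""
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumeration_stats(numbers: Iterable[str]) -> Dict[str, float]:
    nums = normalise(numbers)
    if len(nums) < 2:
        return {"count": len(nums), "density": 0.0, "longest_run": len(nums)}
    span = nums[-1] - nums[0] + 1           # size of the numeric range covered
    return {"count": len(nums),
            "density": len(nums) / span,    # real address books are sparse
            "longest_run": longest_consecutive_run(nums)}


def looks_like_enumeration(numbers: Iterable[str], min_count: int = 500,
                           max_density: float = 0.01,
                           max_run: int = 25) -> Tuple[bool, Dict[str, float]]:
    """Flag when a large upload either covers its range densely or contains
    long runs of consecutive numbers. Thresholds are illustrative; tune them
    on real upload telemetry and aggregate across accounts, since an attacker
    can split one enumeration over many uploads."""
    stats = enumeration_stats(numbers)
    flagged = stats["count"] >= min_count and (
        stats["density"] > max_density or stats["longest_run"] > max_run)
    return flagged, stats


# --- constructed sample uploads ------------------------------------------
_rng = random.Random(2021)
LEGIT_UPLOAD = [f"+60 1{_rng.randrange(10**9):09d}" for _ in range(600)]   # scattered contacts
FULL_SWEEP = [str(n) for n in range(60123400000, 60123405000)]              # every number in a block
_sampled = list(range(60123400000, 60123430000, 3))                          # every third number
_rng.shuffle(_sampled)
SAMPLED_SWEEP = [str(n) for n in _sampled]                                   # shuffled, still dense


if __name__ == "__main__":
    for name, upload in [("legit", LEGIT_UPLOAD), ("full sweep", FULL_SWEEP),
                         ("sampled sweep", SAMPLED_SWEEP)]:
        flagged, stats = looks_like_enumeration(upload)
        print(f"{name:14s} flagged={flagged} {stats}")
```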

 

Hacker vs. UniKL – TA perspective

Editor note: As part of responsible disclosure, the matter has been sent to MOHE IT/Network Security and MyCERT with the reference number MyCERT-202103221082. I recently got in contact with the CEO of UniKL and the article was forwarded to him for further action.

In most breach stories, we often hear one side of the story. Since I reported the breach, UniKL has not reached out to me, nor has any press release been seen regarding the matter. As observers, you only see the well-drafted press release, often concealing the details of what happened. The extent of any incident is only determined when and if the attacker decides to publish the data. While I had no intention of writing anything further on this matter, a close peer nudged me and said that I should write a second piece on this story. There wasn’t much to pursue, but fate, as it happens, had other plans.

As the earlier article went live on LinkedIn, the attacker, Marwaan (I think I spelt it right), came forward publicly, replying to the article thread and claiming responsibility. This is a rare opportunity, giving all of us a look into the attacker and the attack. Marwaan agreed to an interview. The full-length interview will be published by the SecurityLah podcast.

But first, if someone claims responsibility, I need to be certain about the claim. Trust, but verify. So I asked for some proof, unpublished information that would validate Marwaan’s claim. A screenshot was provided, attached below.

That pretty much, to me, confirms that he is indeed the attacker, or at best, someone who has access to the data. Good enough for me. Let’s continue.

(No spoilers here, but listen to the full-length interview, to be published in 2 parts starting Monday 29 March 2020, at SecurityLah.)

I was curious whether Marwaan had indeed contacted UniKL regarding this matter. I asked him for proof, and he provided screenshots of emails sent to UniKL pertaining to this matter.

This seems to corroborate Marwaan’s narrative that he reached out to UniKL regarding the system weaknesses.

Some key pointers I picked up throughout the interview. UniKL seems to have taken the matter lightly, and not done an assessment and full incident response. Marwaan also confirmed that, to his knowledge, there is only an IT and Communications team, and clearly no cyber security team. Marwaan went on to explain that they had taken the “google” approach of search-and-deploy controls without understanding what needed to be done, at times blindly trusting information provided by Marwaan.

This doesn’t bode well for UniKL, which appears not to have managed the situation or responded accordingly. I would be happy to get details from UniKL to present a balanced view of what happened from their perspective, with the necessary proof to back their claims up, just as I did with Marwaan. So far, whatever has been shown seems to put UniKL in a negative light.

There are 2 key issues I picked up from this incident for this article.

First, incident reporting. Do organizations have a way for the general public to report cyber security incidents? When I googled “UniKL report cybersecurity incident”, I saw links to UniKL and its cybersecurity programs, but nothing actually related to, or allowing, the general public to report cyber security incidents. A case of not practicing what they preach while teaching cyber security? This certainly erodes my confidence in even thinking of studying there, especially cyber security. Marwaan also explained that he was given the run-around, with staff not even knowing what to do when someone reports such issues.

Does your organization suffer from such problems? Only you know.

Secondly, organizations are ill-prepared to face such issues. Incident response and coordination need severe improvement. In any instance where such incidents happen, organizations will alert key stakeholders to the incident, prepare a holding statement to manage the press and issue a first response on the matter. The approach of “let’s-be-silent-and-this-will-go-away” usually ends up making the organization guilty of concealment, lowers trust in the ability of management and creates opportunity for further speculation. At this point, I have written 2 articles, and the data of students and staff, including bank details, may be circulating somewhere, which opens up the opportunity for future attacks to be even more deadly. Imagine if a bank account were emptied because the attacker had access to machines logged into the bank portal.

What can happen from here?

It all depends on the authorities. The spillage of the attack has been confirmed to even hit MOHE, which makes this a highly severe matter. MyCERT has been involved (or notified, by myself and also the attacker), and will most likely issue a holding statement if this matter blows up. The Personal Data Protection Commission is yet to be seen on this matter (I wonder if MyCERT will reach out and inform them and do a joint investigation). While MOHE falls under the category of CNII (Critical National Information Infrastructure), UniKL doesn’t. However, by virtue of processing personal data, UniKL will come under PDPA requirements.

Malaysia lacks reporting requirements for breaches. FireEye made the SolarWinds hack announcement as part of an SEC filing. It’s time Malaysia started looking at something similar, or better. Until such regulations become mandatory, we will continue to see organizations sweeping such issues under the carpet, paving the way for more deadly and catastrophic attacks. We as a country may have recently launched a strategy, but it remains a strategy until something firm is implemented and enforced. Granted, the world is facing a pandemic and the focus is on that, but cyber threats don’t care whether there is a pandemic or not; they will continue to persist.

I’m sitting by the sideline, with my box of [redacted] popcorn watching to see how this unfolds. One thing’s for sure, there are tonnes of wisdom to be learnt from this incident.

Reference:

  1. UniKL Hack – Dr. Suresh Ramasamy – https://www.linkedin.com/pulse/case-study-unikl-hacked-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm/
  2. CNII – CyberSecurity Malaysia – https://cnii.cybersecurity.my/main/about.html

Singtel breach (2021) – case study

What happened at Singtel?

Singtel released a statement that they are currently investigating a data breach involving customer data. For those who aren't familiar, Singtel is a Singapore-based group of telecommunications companies operating around Asia, as well as a telco licensee in Singapore.

Singtel was notified by Accellion that the data breach occurred through Accellion's file-sharing system. The system was breached by unidentified threat actors (aka hackers). Singtel explains that it is a standalone system, used to share information internally and with external parties.

Singtel explains that the use of the Accellion FTA product was legitimate and that it was supported until April 2021. In mid-December 2020, Accellion had issued a patch within 72 hours of the zero-day notification. Accellion noted attacks based on the reported zero-days until the end of January 2021.

What about Accellion?

Accellion, through its own website had a press release on the matter.

Interestingly, Accellion made a clear note that the product affected was a 20-year-old “approaching end-of-life” product. In typical corporate sales fashion, Accellion uses this opportunity to urge its customers to migrate to its newer platforms. It is interesting to note that Accellion makes it clear that the FTA platform is “legacy” and implies that, while the product is under support, organizations should either have already migrated to newer platforms or be starting to do so (preferably by “upgrading” to Accellion's own newer product).

Analysis of the incident

Let's look at each part of this and the claims made by the respective organizations.

  1. The FTA system is a standalone system.

My assessment? True and False.

Let's look into the function of the FTA. Essentially it is an FTP (File Transfer Protocol) server used for transferring files in and out of the organization. There seem to be some issues with this setup. Singtel further explains that the platform is used by both internal and external parties.

Did anyone notice a huge blinking red flag here? No? I’ll explain why.

In a typical telco setup, these FTP servers are a crucial part of the equation. CDRs (call data records) are often put onto FTP servers before they get passed to mediation and eventually to billing and charging. Again, big red blinking light – CDR!!!

Why would file transfer be needed for external parties?

It's used for many reasons; I'll outline two as examples. The first is bill payments. Some bill payments use a REST API for immediate settlement, while others use bulk (aka batch) payment, which relies on file transfer via FTP: a bank may receive payments from the respective customers and do an update every night at 3am. Another scenario would be an outsourcing arrangement involving a third party that performs corporate account provisioning, with bulk activation then done based on the files provided.

As good hygiene practice, the file transfer platform should be completely separate and isolated between internal and external parties.

Next, the question of whether the system is isolated or not. For me, an isolated system is a system that doesn't have connectivity to any other systems, like a Windows 10 PC at home connected only to the internet. But a file transfer system? You can see that the system/network/security admins would have punched holes in the firewall in order for the system to be able to receive and transfer files. Yes, it is interconnected, but whether it can access the other interfaces (both ethernet and 3G specific) depends on what ports are open.
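The segregation point above can be expressed as a policy-as-code check: every allow rule on the firewall is mapped to a (source zone, destination zone, port) flow and compared against the flows the segregation policy permits, so a hole from the externally exposed transfer DMZ into the CDR or billing segments shows up immediately. This is an added example, not code from the original post or from Singtel or Accellion; the zone names, address ranges, permitted flows and sample rules are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str    # source CIDR as written in the firewall policy
    dst: str    # destination CIDR
    dport: int  # destination port; 0 means "any"

# Constructed zone map (assumption); any address outside these is treated as "internet".
ZONES = {
    "dmz_ext_fta": ip_network("10.10.1.0/24"),   # file transfer with external partners
    "dmz_int_fta": ip_network("10.10.2.0/24"),   # file transfer for internal systems
    "mediation_cdr": ip_network("10.20.0.0/16"), # CDR landing zone before mediation/billing
    "billing": ip_network("10.30.0.0/16"),
}

# Flows the segregation policy permits: (src_zone, dst_zone) -> allowed destination ports.
# Anything absent here (e.g. dmz_ext_fta -> mediation_cdr) is a forbidden crossing.
PERMITTED = {
    ("internet", "dmz_ext_fta"): {22, 443},
    ("dmz_ext_fta", "internet"): {443},
    ("dmz_int_fta", "mediation_cdr"): {22},
    ("mediation_cdr", "dmz_int_fta"): {22},
}

def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it, or "internet" if none does."""
    net = ip_network(cidr)
    return next((n for n, z in ZONES.items() if net.subnet_of(z)), "internet")

def find_violations(rules):
    """Return (rule, src_zone, dst_zone, port) for each allow rule the policy forbids."""
    bad = []
    for r in rules:
        src, dst = zone_of(r.src), zone_of(r.dst)
        if src == dst:                      # intra-zone traffic is out of scope here
            continue
        ports = PERMITTED.get((src, dst), set())
        if r.dport == 0 or r.dport not in ports:   # "any port" across zones is never acceptable
            bad.append((r.name, src, dst, r.dport))
    return bad

# Constructed sample ruleset: two legitimate rules and two holes of the kind discussed above.
SAMPLE_RULES = [
    Rule("partner-upload", "0.0.0.0/0", "10.10.1.0/24", 443),
    Rule("cdr-drop", "10.20.0.0/16", "10.10.2.0/24", 22),
    Rule("legacy-fta-to-mediation", "10.10.1.0/24", "10.20.5.0/24", 21),
    Rule("fta-any", "10.10.1.10/32", "10.30.0.0/16", 0),
]
```

Running `find_violations(SAMPLE_RULES)` flags only the two crossing rules, which is exactly the kind of firewall "hole" a migration or audit would need to enumerate before the transfer host can be called isolated.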

  2. Usage of a legacy platform.

This is where both parties seem to have differing views. Singtel seems to think that the product is supported (noting that EOL is around the corner), hence safe to use. Accellion, however, minces no words and bluntly puts the legacy tag on the platform.

The logical ensuing question: why didn't Singtel migrate their platform to a newer one? (This is the part where I throw theories into the equation; only Singtel would know the real reason.)

Firstly, don't fix what's not broken. Remember it's a 20-year-old platform, and assuming that Singtel had used it for half of its useful lifetime, that's easily 10 years! The folks who provisioned and configured the platform may have moved on, or even retired! So, it works, it continues to work, hence don't touch!

A system migration can make or break a CIO/CTO's career. Look back at the statements made by Singtel: the FTA platform is used by internal and external parties. This means firewall rulesets need to be migrated. New service accounts need to be created. Permissions need to be mapped. Application IDs need to be created. Batch jobs or cron jobs running on the server need to be modified. God knows what else needs to be done! And that's just the internal parts. Take the system away and you'd have internal application owners screaming blood at you over missed KPIs!

The next big headache is coordinating initiatives with the external parties. I've had experience during a migration where one of the external parties wanted to bill me for their migration! We, of course, declined politely and said that migrations are handled by individual organizations at their own cost (providing timelines to migrate across).

  3. Why didn't the patch work?

Singtel seems to indicate that the patch provided by Accellion didn't work. Noting what Accellion mentioned, the patch was produced within 72 hours. One has to wonder if proper regression and quality checks were performed before the patch was released. This reminds me of Microsoft, who previously released a patch for a patch (to their credit, they've come a long way).

Conclusion

Tech debt is real, and in Singtel's case it has just hit them with a huge interest bill. While one can argue it's a zero-day issue, without a doubt the legacy platform should have been managed out. Reminds me of the switch issue at MAHB. From a glance, it seems Singtel has lots of work ahead of them. They are moving in the right direction; I only hope they take a comprehensive look at their environment and not “scope down” to just the FTA.

Reference

  1. ZDNet: Singtel breach – https://www.zdnet.com/article/singtel-hit-by-third-party-vendors-security-breach-customer-data-may-be-leaked/
  2. Singtel release – https://www.singtel.com/personal/support/about-accellion-security-incident
  3. Accellion press release – https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
  4. MAHB Airport case study – https://www.drsuresh.net/2019/09/mahb-case-study-aug2019/
  5. Tech debt – https://www.drsuresh.net/2019/08/cyber-tech-debt/