Lessons to draw from the Anonymous attacks on the Singapore Government

According to security firm Trend Micro, the recently compromised Singapore Prime Minister Office (PMO)’s website remains to be intact, with visits unaffected. It went on to state that the attack was not a result of a hacking attack, but an exploitation of vulnerability within the website.

Recently, hackers threatened to hit out at Singapore’s infrastructure if the government did not reconsider its regulations of the licensing framework for news sites.

The Infocomm Development Authority of Singapore (IDA) said that government agencies were on heightened vigilance and there were no successful cyber-intrusions after taking several of them offline for maintenance. 

At a briefing to local media last Friday, the IDA said that traffic to many government sites was unusually high on November 5. That was the day that Anonymous and “The Messiah” had urged Singaporeans to hold a virtual protest. 

According to the IDA, this indicated distributed denial of service attacks were launched against the sites, and blamed a vulnerability in the Google search bar within the two breached sites that allowed hackers to compromise the websites.

Based on Trend Micro’s analysis, the PMO’s website incident was a result of a typical Cross Site Scripting (XSS) where the cybercriminal exploited the ‘search’ function on the website, and injected content from external sources. In this particular instance, the cybercriminal had redirected the URL to the criminal’s intended image.

IDA said the vulnerabilities in the Google search bars within the two affected sites have been patched. The same patch has also been applied to other government sites that contain the same search bar.

Vic Mankotia, Vice President, Solution Strategy, Asia Pacific & Japan, CA Technologies, said that any attack must be taken seriously and even more so if it was a deliberate, targeted attempt. “These attacks might have been politically driven to gain attention or an attempt sway public opinion on a matter or an entity,” he said, “The correlation between any attack and threats in other countries may be from the same source but there is no verification here.”

So why was the PMO’s website still vulnerable? 

According to Jeff Hurmuses, VP of Asia Pacific at Barracuda Networks, for organizations it is always a trade-off between comprehensiveness of security checks and speed of execution or speed to bring features or information to the market.

Sensitive web sites do a routine security audit which allows them to figure out the weaknesses that could potentially be exploited. During these audits many issues get reported and then organizations working with the audit team categorize the severity of the issues and handle them based on that.

Hurmuses said, “Since the hack did happen, we know that the maintenance wasn’t comprehensive – but IDA or the respective organization needs to do a post mortem analysis of the issue to figure out where the real weakness was and what could have been done better.”

According to him, the first step is to figure out if a security audit for sensitive web sites was carried out. Then the next step would be to figure out how comprehensive the audit was and what the results were and in the end what type of remediation steps were put in to handle the issues.

Mankotia said that hackers will exploit a vulnerability wherever it exists and typically websites that extract and display content from third party sources are more at risk as they have to take into consideration how to secure not only the main website but also how such content is being displayed from outside sources. “In short, we do not think there is much of a significance whether it’s the main or sub sites that’ve been attacked. It’s more of how easily and quickly one can break into the website,” he said.  

Manatosh Das, Security & Risk analyst at Forrester said that an upcoming report from the research firm, “Improving Security With Your Indian Software Service Provider” found that 99% of all applications tested in 2012 have one or more serious security vulnerabilities. “And with the median number of vulnerabilities per app at 13, it’s no wonder that application level attacks are a focus for hackers,” he added.

Allaying public concerns 

Hurmuses said that any investigation needed to be wholly transparent; from details of what the weakness was, how was it exploited, what the remedial steps were and what was being done to ensure that these types of attacks don’t happen again.

“If a responsible authority publishes the information in a way where it can become sort of a case study in cyber forensics – how did they figure out where the hacker penetrated them from – if there are some logs that they can share etc. all of this will not only help create a sense of confidence in people saying that the authorities are doing the right thing but it will also help other departments, organizations, businesses look at the case study and learn from what they should be doing,” he added. 

For non-government organizations, Hurmuses said that it is important to understand what happened, how it happened and what can be done to guard against that. “As we have mentioned above – the website was hacked – government authorities should not only learn from this but also ensure that as government they provide other departments, organizations and businesses in Singapore with information about what they found out so that every organization can take steps to secure themselves,” he said. 

Keeping enterprises protected

According to CA, website or Web Application Security needs to start from the stage where the website/web application is written and developed. Unfortunately, a lot of web developers leave security as an afterthought which is not good practice in real life. Additional security controls such as investing in an application firewall/IPS and strong access control will provide the organization with proactive capabilities to detect and mitigate intrusions and attacks.

The most critical part to this is to establish and follow a well-documented process of continuous monitoring for new vulnerabilities on web applications through well thought out vulnerability assessments and auditing, whether through vulnerability scanning tools or full-fledged penetration testing activities.  This will lead to identifying vulnerabilities and/or critical misconfigurations which must then be quickly patched and mitigated to remove them from being vectors of attack.

Users will need to be diligent in protecting their online identity and passwords, usually by following a proven set of recommendations such as using a strong and complex password, never divulging passwords to anyone and other best practices. Security is only as good as your weakest link and a user needs to not only practice common sense in guarding against social engineering attempts and phishing, one also needs to be always diligent on how his or her credentials are being utilized.

Mankotia says that as an added layer of protection, using a 2 factor token or one-time password in addition to the standard username/password combination. This helps to make it harder for a targeted attacker to extract the sensitive login credentials.

Das said that security solutions implemented in silos takes only a myopic view of the security problem. It is critical to have global visibility to detect many targeted attacks. “Security systems are only as good as the rules authored by their administrators.  If an administrator doesn’t have a detailed understanding of the security problem, they can’t begin to create rules to discover their attack activity; security admins with necessary skill sets are required to investigate all the major attacker networks on a daily basis and profile their evolving techniques,” Das said. 

He also felt that security practitioners should collaborate with their peers in the industry to have timely information about attacks and technologies used to defend these attacks, a point that Hurmuses agreed on, “Hackers are collaborating – why shouldn’t the organizations collaborate and share information amongst their security teams. Each team can learn from others and be better prepared.”

According to Hurmuses, there are multiple lessons for enterprises: 

1.       One size doesn’t fit all – the security required for the Prime Ministers website is much more than that required for some mom and pop business shop. It is all a question of ‘risk profile’ of the ‘asset’ to be protected. So companies should take an audit of their web assets and understand the risk profiles for each and build necessary security for each.

2.       Security is not only one time – Hackers and people trying to breach your network are not sitting idle. It is not that a hacker will try only once and then go away. That is why the security teams should always be alert and always try to improve their security

3.       Web applications are now all over the place. Every business has one. Hacking even when no sensitive data is stolen is bad for the organization’s reputation.

4.       Security technologies such as Web Application Firewalls are available in the market where the security is targeted towards securing web applications.

5.       Logging and forensics is extremely important to understand the reasons for a breach – because if we don’t understand the reasons for the weakness and learn from it – we are bound to commit the same mistake again.