As security practitioners, we say that such breaches are not a matter of “if”, but only of “when”. However secure it is, your system will be breached, if not now, then later. For MINDEF, that time has come. Their network has been breached, and they’ve lost data. Now is the time they deal with the aftermath, and do some PR.
This is no small matter, since the data lost includes personal information such as NRIC numbers, telephone numbers and dates of birth. This is what MINDEF is allowing us to know. The question is, what else was lost, if this was all that was lost, and if there could be anything else lost that MINDEF does not know about.
After the storm I cooked up back in 2014, I’m not confident that MINDEF understands the point that the lack of evidence that something was stolen doesn’t preclude that something was stolen.
Of course, MINDEF should have really smart people who understand that, but this is a matter of PR, playing around with words to achieve a desired meaning.
For example, this time MINDEF did say that “No passwords were lost”. Yes, “no passwords were lost” probably means that no plaintext passwords were available to be stolen. But were there password hashes available that might have been stolen?
I’m guessing something like that was in fact stolen, that’s why there is a need for affected persons to be “advised to change their passwords for other systems”!
If you think about it, if only NRIC numbers, telephone numbers and dates of birth were stolen, why would one need to change passwords? How does changing passwords help protect NRIC numbers, telephone numbers and dates of birth from being further abused?
MINDEF hasn’t shared much information for us to know what has happened. That leaves me with a lot of room for imagination. The stolen data was stored on a system for “account management, such as to track usage and surfing behaviour”. I wonder, could the system, from which the data was stolen, be the one itself used to track usage and surfing behaviour?
Now, this gets really interesting, because if you are tracking usage and surfing behaviour, then there’s a lot of juicy information in there. No, I’m not talking about checking out who might be surfing, erm, undesirable web content, but about leaking information on what MINDEF (or the SAF) might have been interested in!
If that juicy data was on the system that was breached, that would indeed be an extremely serious matter.
Don’t underestimate the importance of metadata. For example, even if you don’t know the contents of an email, simply knowing who emails whom at what times is already important information. Even if you can’t listen to the phone conversations, simply knowing who calls whom at what time is also important information.
The attacker, so MINDEF says, did not come from any SAF camp. It probably didn’t come from anywhere online in Singapore. If it did, they would have nailed the fella. I suppose the attack came from somewhere highly inconvenient for MINDEF to pursue.
Yes, this sounds like a legit attack, not like the incidents involving the Istana and PMO websites which are, embarrassingly, still referred to as hacks.
Update (2017-03-01): In Straits Times today, an article on the MINDEF hack suggests that the advisory to change passwords is for those who use NRIC numbers, telephone numbers or birth date as their passwords. Ok, that was not so clear earlier. In the first place, no one should use any information about themselves as their passwords, particularly when such information isn’t very difficult to obtain to begin with.
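The advisory above boils down to one rule: a password must not be built from the user's own NRIC, phone number or date of birth, because those values are easy to obtain and, after a breach like this one, are assumed to be in the attacker's hands. The following Python is an added example of how a registration or password-change handler can enforce that rule; it is not code from the post or from MINDEF, and the NRIC, phone number and birth date it checks against are constructed sample values.

```python
"""
Reject candidate passwords that embed the user's own personal identifiers
(NRIC, phone number, date of birth), including common reformattings.
Added example; all identifier values used here are constructed.
"""
from __future__ import annotations
from datetime import date

MIN_TOKEN_LEN = 4  # ignore fragments too short to be meaningful on their own


def _variants(label: str, value: str) -> list[tuple[str, str]]:
    """Return (label, token) pairs: the raw value, its digit-only form,
    and the last four digits, which people often use as a 'short' form."""
    raw = value.lower().strip()
    digits = "".join(ch for ch in raw if ch.isdigit())
    tokens = {raw, digits}
    if len(digits) >= MIN_TOKEN_LEN:
        tokens.add(digits[-4:])
    return [(label, t) for t in tokens if len(t) >= MIN_TOKEN_LEN]


def personal_tokens(nric: str, phone: str, dob: date) -> list[tuple[str, str]]:
    """Expand the three identifiers into the substrings a policy should refuse.
    The date is rendered in several layouts (15031990, 150390, 19900315,
    15mar1990, march, 1990) since any of them may end up in a password."""
    tokens = _variants("nric", nric) + _variants("phone", phone)
    for fmt in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d%b%Y", "%d%B%Y", "%B", "%Y"):
        tokens += _variants("dob", dob.strftime(fmt))
    return tokens


def password_embeds_personal_info(password: str, nric: str, phone: str,
                                  dob: date) -> str | None:
    """Return the label ('nric', 'phone', 'dob') of the first identifier found
    inside the password, or None if the password is clean.
    Digits are also compared with separators removed, so '1-2-3-4-5-6-7'
    is still caught as the NRIC digits."""
    pw = password.lower()
    pw_digits = "".join(ch for ch in pw if ch.isdigit())
    for label, token in personal_tokens(nric, phone, dob):
        if token in pw or (token.isdigit() and token in pw_digits):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample record; not a real person.
    user_nric, user_phone, user_dob = "S1234567A", "9876 5432", date(1990, 3, 15)
    for candidate in ("s1234567a!", "Hello-5432", "Mar151990x",
                      "1-2-3-4-5-6-7", "correct horse battery staple"):
        hit = password_embeds_personal_info(candidate, user_nric, user_phone, user_dob)
        print(f"{candidate!r:32} -> {'reject: ' + hit if hit else 'ok'}")
```

The check deliberately works on substrings rather than whole-password equality, so appending a symbol or a year to an NRIC does not get it past the policy; a production version would run this alongside, not instead of, length and breach-list checks.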