I cannot help but start sharing my two cents on the recent incidents involving the purported attacks on the PMO and Istana websites. I had wanted to give our government the benefit of doubt. But now I’m wondering if they are completely clueless, or perhaps they are putting on a very elaborate show to impress the layman, but unfortunately, casting serious doubts on their technical capabilities.
The PMO and Istana websites were not hacked. They were subjected to cross-site scripting (XSS) attacks. But they were not broken into. There was no unauthorised access. No information was illegally accessed (i.e. stolen), modified or removed.
There are classes of XSS attacks which results in data being deposited into a website that causes unintended output to other unsuspecting users. But this is not the case with the PMO or Istana websites. A user who ordinarily browses to the PMO or Istana website will not see the “defaced” web content.
In fact, the only users who will be affected are those who followed dubious web links generated by the purported attackers. This is not unlike dumb users who click on suspicious web links distributed in phishing or malware emails.
So, while initial news reports were headlined “hacked”, the second wave of articles correctly referred to the incident as one that is an XSS attack. But, strangely enough, subsequently all the news started referring to it as “hacked” again.
Yes, “hacked” is more sensational. News people like to sensationalise their articles. But, the police is investigating? What is there to investigate unless a crime has been committed or reported as having been committed?
Oh wait a minute, they actually found some suspects, and have hauled them up for questioning? Oh gosh, they apparently also have an admission of guilt from a Mr Moo!
I’m lost. What, exactly, has been hacked?
If Mr Moo could be guilty of hacking because he clicked on a link, I think our law enforcement should find themselves pretty tied up chasing all the other folks who clicked on phishing and other malware links. In fact, there must be guilty fellas amongst the law enforcement folks themselves too, so they would have to go catch themselves.
XSS is a vulnerability. I must admit, when the concept of XSS first surfaced, I was reluctant to consider that as a vulnerability. A site that is vulnerable to XSS attack does not in itself get hacked. A related, but not the same, attack is Cross-Site Request Forgery (CSRF) is more clearly understood as malicious. XSS attacks affects the web visitors, not the website. But subsequently, the view is that a website ought to take care of its visitors, so if a website causes its visitors to be mislead, misdirected, or mis-whatever, then that is bad, even though the site itself is not hacked.
There are clearly XSS vulnerabilities that need to be fixed. That’s not the same as saying that a website has been compromised.
So let’s get this straight. Unless the government has some other information that they are not sharing publicly, the PMO and the Istana websites were not hacked.
I have exactly the same thoughts as you. You cannot classify this type of XSS as heck. He did not even went into the server to obtain anything. So if I have a PHP page that takes in HTML in the query params and someone just put in some content and that is considered hacking?
XSS vulnerabilities potentially allow the attacker full access to the tricked user’s cookies, since any script loaded into the page runs within the same domain. in a previous corporate life, this implied potential user credential compromise, and was considered a major security issue. potentially they could have used this hole to poke further into the network, crafting specific XSRF attacks against internal users that would then run with full access into other protected systems within the same domain. what they did is akin to finding a crack in the wall and shouting “look, here’s a hole *take selfie*” instead of probing deeper.
Colin Leong yeap, that is why i say this type of XSS is not qualified as hacking. There are no reports on whether the HTML code he injected contain any malicious code or just some defacing HTML. If there is no malicious code means he did not break into the system, he merely manipulated the rendering of HTML in the browser page. I wonder will the punishment be the same
As what Terence said below, it is more of a politics issue rather than the actual technical discussion.
I don’t think they will get them under the computer misuse act… more than likely it would be under something along the lines of Fraud or Vandalism or something similar. I don’t think either that either of the parties called up (the XSS ones) are in trouble unless they are the original guy that originated that link. But srsly, what do i know 🙂
ZS, I see this as politics unfolding, not technical correctness. Or theatrics, if you prefer. The govt realizes that the general public will not understand the subtleties of XSS attacks. It doesn’t matter. What matters is the govt showing it will not tolerate anything even resembling a cyber attack on its web sites. Lets arrest and charge some people first. Invoke the Computer Misuse Act, which is probably broad enough to cover XSS attacks. Even if it doesn’t, by the time the court acquits the men, the public will have lost interest, or have forgotten, or simply can’t be bothered about the details. Nevertheless, the perception of a no-nonsense govt is already propagated. Foreign govts will no doubt laud ours for the swift arrests and prosecution. Most of the public will also have faith in our govt’s ability to fight cyber crime. Only a few techies really understand the subtleties. But the point here is this: this is possibly the first high profile cyber attack against the govt, and the govt is not wasting this opportunity to make the guy a whipping boy.
That’s pretty much how I feel about the whole saga being a big wayang show. I think the real Anonymous aren’t actually involved, and they also think that too. Otherwise their antics would spur more impactful attacks. I’m not sure if overall these will work out better for the government. First, the techies already know this is all very dumb. The slightly less techie, but still quite clever folks, will learn from the techies that this hack is all nonsense. The remaining, likely, have always been “conned” by the government anyway. So there is the middle group who will swing over from “wah our government so clever” to “omg they are do dumb”, which admittedly might not be that big a group. Alright, maybe they have worked out that politically this still makes good sense for them. To techies… this is so embarrassing.
In Singapore, clicking on a link to effect an XSS that impacts only oneself is sufficient to be considered as hacking. Other news across the world, catching the hackers is a lot more impressive.
http://www.reuters.com/article/2013/11/15/us-crime-hacking-hammond-idUSBRE9AE0X520131115
Colin Leong yeap, that is why i say this type of XSS is not qualified as hacking. There are no reports on whether the HTML code he injected contain any malicious code or just some defacing HTML. If there is no malicious code means he did not break into the system, he merely manipulated the rendering of HTML in the browser page. I wonder will the punishment be the same
As what Terence said below, it is more of a politics issue rather than the actual technical discussion.
“What matters is the govt showing it will not tolerate anything even resembling a cyber attack on its web sites.” doesn’t make sense. Sure, it shows the general public it will not tolerate. But it doesn’t show would be hackers that they’re competent either.