I cannot help but start sharing my two cents on the recent incidents involving the purported attacks on the PMO and Istana websites. I had wanted to give our government the benefit of the doubt. But now I’m wondering if they are completely clueless, or perhaps they are putting on a very elaborate show to impress the layman, but unfortunately, casting serious doubts on their technical capabilities.
The PMO and Istana websites were not hacked. They were subjected to cross-site scripting (XSS) attacks. But they were not broken into. There was no unauthorised access. No information was illegally accessed (i.e. stolen), modified or removed.
There are classes of XSS attacks which result in data being deposited into a website, causing unintended output to be shown to other unsuspecting users. But this is not the case with the PMO or Istana websites. A user who ordinarily browses to the PMO or Istana website will not see the “defaced” web content.
In fact, the only users who will be affected are those who followed dubious web links generated by the purported attackers. This is not unlike dumb users who click on suspicious web links distributed in phishing or malware emails.
So, while initial news reports were headlined “hacked”, the second wave of articles correctly referred to the incident as one that is an XSS attack. But, strangely enough, subsequently all the news started referring to it as “hacked” again.
Yes, “hacked” is more sensational. News people like to sensationalise their articles. But, the police are investigating? What is there to investigate unless a crime has been committed or reported as having been committed?
Oh wait a minute, they actually found some suspects, and have hauled them up for questioning? Oh gosh, they apparently also have an admission of guilt from a Mr Moo!
I’m lost. What, exactly, has been hacked?
If Mr Moo could be guilty of hacking because he clicked on a link, I think our law enforcement should find themselves pretty tied up chasing all the other folks who clicked on phishing and other malware links. In fact, there must be guilty fellas amongst the law enforcement folks themselves too, so they would have to go catch themselves.
XSS is a vulnerability. I must admit, when the concept of XSS first surfaced, I was reluctant to consider it a vulnerability. A site that is vulnerable to XSS attacks does not in itself get hacked. A related, but not the same, attack, Cross-Site Request Forgery (CSRF), is more clearly understood as malicious. XSS attacks affect the web visitors, not the website. But subsequently, the view is that a website ought to take care of its visitors, so if a website causes its visitors to be misled, misdirected, or mis-whatever, then that is bad, even though the site itself is not hacked.
There are clearly XSS vulnerabilities that need to be fixed. That’s not the same as saying that a website has been compromised.
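To make the distinction concrete, here is an added example (not code from either website, which this post does not show) of a page that echoes a request parameter back to the visitor, beside the same page with output encoding applied. The site origin, the `/search` path, the `q` parameter and all function names are hypothetical, and the requests are constructed.

```javascript
// Constructed example: a hypothetical search page on a placeholder site.
// Nothing here is taken from the PMO or Istana sites.
const BASE = "https://site.example"; // placeholder origin

// The page template. The server keeps no state between requests.
function layout(echoed) {
  return "<html><body><h1>Official Site</h1>" +
         `<p>Search results for: ${echoed}</p></body></html>`;
}

// Weak form: the "q" parameter is copied into the HTML as-is.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl, BASE).searchParams.get("q") || "";
  return layout(q);
}

// Encode the five HTML-significant characters before output.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Corrected form: same page, but the echoed value is encoded first.
function renderHardened(requestUrl) {
  const q = new URL(requestUrl, BASE).searchParams.get("q") || "";
  return layout(escapeHtml(q));
}

// Constructed requests: an ordinary visit, and a crafted link whose
// parameter carries harmless markup.
const ordinaryVisit = "/search?q=budget";
const craftedLink = "/search?q=" + encodeURIComponent("<h2>constructed notice</h2>");

function demo() {
  return {
    ordinary: renderVulnerable(ordinaryVisit),      // normal page
    crafted: renderVulnerable(craftedLink),         // markup reflected to this visitor only
    ordinaryAgain: renderVulnerable(ordinaryVisit), // unchanged: nothing was stored
    fixed: renderHardened(craftedLink),             // markup shown as inert text
  };
}

console.log(demo());
```

The altered page exists only in the response to the crafted link; the ordinary request returns the same page before and after, because nothing on the server was modified.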
So let’s get this straight. Unless the government has some other information that they are not sharing publicly, the PMO and the Istana websites were not hacked.