
K Box Victim or to Blame

It’s easy to say that K Box is a victim in the matter of their membership database leak. No organisation wants such a thing to happen. But the question is, did K Box do their due diligence to secure their systems? Are they simply an innocent victim here? Or is this something they brought upon themselves?

Security breaches such as this are not a matter of if, but when. It’s not an excuse for organisations to not perform their due diligence. But unfortunately, even the large organisations with the best security teams may have to deal with such situations.

To me, it’s the aftermath and how the organisation handles the incident, response, and recovery that is telling. It’s also important that there is a culture of security ingrained within the organisation. K Box, unfortunately, seems to fail both.

Let’s talk about the incident management first. K Box declined comments for the whole day, and it wasn’t until well over 12 hours after the incident erupted that they made a statement. Chief Operating Officer Priscilla Ng referred to the hack as a deplorable act. Wow. Before they call the hack deplorable, how about first recognising the failure of their company to secure their members’ personal data?

Furthermore, it took well over 24 hours before K Box published a letter on its website to provide members with information on the incident. It’s really sad.

  1. The letter dated 17 September 2014 referred to the incident “this morning”. The incident actually happened the prior day.
  2. The leaked confidential information is a matter of fact that is easily verifiable, but the letter prefers to phrase it as “according to media reports”. Are they trying to cast some doubt on the facts of the matter?
  3. They refer to the act as deplorable. Sure it was, but how had it come about? Surely K Box cannot say they were blameless.
  4. They want you to believe how serious this matter is to them. Three times they affirm, “taking this data theft… very seriously”, “take your data privacy very seriously”, and “deal with this serious matter”. Good words. How about some action?

It’s the last part I want to talk about. Security breaches can happen to anyone, but it’s not an excuse. Every organisation must do their very best to ensure proper security controls are in place. Shall we see how much security truly matters to K Box?

With all the interest in their website, I too decided to browse www.kbox.com.sg. I noticed their website does not use HTTPS (or SSL) to encrypt communications. There are features on their website for members to log in, which would require the transmission of passwords. There’s also a member sign-up function. They ask users to enter NRIC numbers. All of this information is being sent unencrypted. This is much the same issue as the NDP website security matter a couple of months ago.

I contacted K Box with several questions, including this matter of the lack of security on their own part. They gave me a “no comments” reply. Okay. Perhaps some of my questions were relating to the security breach itself, and with the matter under police investigation, maybe they felt it prudent not to comment. Never mind. I wrote again to highlight specifically:

One of my points below is really to apprise you of a security vulnerability with your website in transmitting passwords in clear. You have no comments?

To which I received confirmation:

Yes have no comments at the moment.

Oh wow.

Please, if you are thinking of giving any personal data to K Box, just don’t. If you’ve already shared some personal data with K Box, good luck.

Shocking. In words, K Box says data security is a very serious matter to them. But their actions clearly tell you they truly cannot be bothered.

For the better part of yesterday, their website was spewing server errors. Interesting server errors. Errors which tell you:

  1. The website source files are located in D:\webroot\kbox.com.sg\ of their server. If anyone does break into their server, they can save a few seconds of time hunting for the source files.
  2. They run Microsoft .NET Framework Version 2.0.50727.3623 with ASP .NET Version 2.0.5727.3618. Some of this information is already visible in the HTTP headers. This is a 2005-era application platform. That is an eternity in Internet time.
  3. You get to see snippets of code.

A website in production should avoid spewing error pages like the above. Those pages give interesting bits of information to a potential attacker. Not having those pages will not thwart clever attackers, but there’s no point making their life easier. Those error pages are also very unprofessional.
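As an added illustration (not from the original post, and not K Box’s actual configuration), here is the kind of ASP.NET web.config that keeps the detailed error pages described above away from public visitors and stops the runtime from advertising its version in the headers; the error page name is an assumed placeholder:

```xml
<?xml version="1.0"?>
<!-- Added example, not K Box's real configuration. Shows the settings
     behind the leaks described above: detailed error pages, source
     snippets on those pages, and the runtime version header. -->
<configuration>
  <system.web>
    <!-- WEAK (typical of a site developed on the live server):
         mode="Off" shows the full "yellow screen" error page to every
         visitor, including the physical path of the source files and
         the framework versions; debug="true" adds source snippets and
         line numbers to it.
    <customErrors mode="Off" />
    <compilation debug="true" />
    -->

    <!-- CORRECTED: remote visitors get a generic page; the detailed
         page is still shown when browsing from the server itself.
         "~/Error.aspx" is an assumed placeholder page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/Error.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- Never deploy with debug="true": it is what puts code snippets
         and line numbers on the error pages, and it slows the app. -->
    <compilation debug="false" />

    <!-- Stops ASP.NET from adding the X-AspNet-Version header that
         advertises the 2.0.50727 runtime in every response. -->
    <httpRuntime enableVersionHeader="false" />

    <!-- Once the site is served over HTTPS, refuse to send the session
         and forms-authentication cookies over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The last setting only makes sense after HTTPS is actually deployed; on a plain-HTTP site it would simply stop the cookies from being sent at all.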

Different errors were spewed out for different pages yesterday. It seems like a programmer was working on the live site. No development server, no staging server. The work was done on the live site, and the testing was done on the live site. This is not unusual in a small IT shop. However, considering that K Box would be under an intense spotlight now, do they still consider it appropriate to do live development on a production website?

Their very clumsy legacy app also passes around like 5K of application state data between pages, through a hidden form field. Yes, yes, once upon a time that’s how people did things. It’s 2014 now, for goodness sake. Read my recent post on Lessons in Cookie Management.

As mentioned earlier, the K Box website asks for credentials, NRIC numbers, and other personal data over an unencrypted communication channel, because it does not use HTTPS. Worse yet, when making booking reservations, the transactions leading up to the actual payment site are also unencrypted. That doesn’t seem smart at all. It shows a total lack of respect for security.

Now, K Box says they are very serious about your data privacy. I wonder how so.

Tell me, if you are a K Box member, has anyone from the company contacted you to inform you about the exposure of your personal data? You do realise the information exposed is pretty much sufficient to answer phone verification questions that some companies may put to you to confirm your identity. You should be very worried.

Today, while composing this post, I notice their website (www.kbox.com.sg) is now replaced with a single big JPG picture announcing that their website is being “upgraded”. The letter, which was originally dated 17th September 2014 and posted on the said date, is now backdated to 16th September 2014. Hopefully their upgraded website can lend some credence to their claim to being serious about data privacy.

K Box has (presumably) been hacked, and that led to the leak of their membership database. In no way am I justifying that act. My beef is with how K Box handled the matter, and the seeming disinterest in actually caring about security.
