Enough to make you see red
Faces at Crimson Logic turned red when they first discovered that SingPass account holders found password reset notification letters in the mail even though they had made no such requests. These are account holders whose personal data, such as contact information, employer details and remuneration records, were in the custody of Crimson Logic, the appointed operator of the SingPass single-factor authentication system for all government e-services in Singapore.
IDA investigated, and discovered 1,560 user profiles were illegally accessed. At least 419 fell for the ruse, and their passwords were reset. Affected SingPass users had their account profiles modified and linked to a small pool of Singapore-registered mobile numbers - IDA refused to say how many. The mobile number can be used in a two-factor authentication procedure. When the victim changes his or her password, this number will serve to "verify" the request. This is obviously too technical for IDA: "We continue to explore the use of two-factor authentication for e-government transactions, particularly those involving sensitive data..." Nothing much has changed at IDA, ever since the very first chief executive famously said that although she knows zilch about technology, she can always hire someone who does.
The Managing Director for IDA, Ms Jacqueline Poh, is treating the incident as "a shot across the bow" and advised all individuals to "examine themselves" and take personal responsibility for their own cyber security, to borrow the phraseology used by one Arthur Fong about foreign intrusion. IDA has filed a police report, and since they are insisting that the SingPass system has not been compromised or breached, IDA must be saying the stolen addresses and IDs were looted from virtual personal premises. And not filched from the highly secured and firewalled database of the Crimson Logic operator. Go figure.
The first question that comes to mind is "Is it a S$2 company like AIM? Is it too cheapskate to install the proper firewalls? How much is the company paid for providing such substandard services until hackers can also hack into the accounts?"
Again so many questions, few or no answers? Are we not getting an incompetent dose of government?
Does not matter which company, systems or what not.
But it is certainly the fault of you... the citizen, you are the one:
Who chose opposition - it's your fault
Who did not save for retirement - it's your fault
Who cannot board the train - it's your fault
Who cannot find a job - it's your fault
Who read the 'wrong' news - it's your fault
Who did not upgrade skills - it's your fault
Who cannot afford medical care - it's your fault
Time I took responsibility for all my faults and correct it...
And as one nicole said:
When you succeed, it's the system that helped you, it's meritocracy.
When you fail, it's all your fault.
Singpass breach does not amount to anything, up to now, because it seems like no one is being defrauded; this suggests that government is wasting tax payers' money to connect everyone.
They never make mistakes. Only the citizens do. Not even an apology. The arrogance and sneering at the hapless must be stopped once and for all.
Actually there is no breach, it is just a poorly set up password reset system. Any company that takes a photocopy of your IC front and back just needs to enter the data to reset your password. But the mailer would still go to the user's address, unless someone is able to intercept the mails sent by Crimson Logic.
If I were to implement such a system, I would include CAPTCHA to slow down the attack. I guess those at Crimson Logic are mainly cheap Ah Neh programmer from India. Pay peanuts get monkey.
I take back what I wrote above. It appears that an online bruteforce attack triggered the password reset on those 419 accounts with strong passwords. Another 1560 accounts were successfully hacked. A proper intrusion detection system would have minimised the damage. But users who use weak passwords are not faultless too.
ever since the very first chief executive famously said that although she knows zilch about technology, she can always hire someone who does.//
Didn't the SMRT Ms Saw say something along the same line too?
Come to think of it, will we hear PM Lee proclaim the same thing, that all along he had no clue how to run the country but his father assured him it will never be a problem because they can hire 77 stooges who do?
Do you think this could be the main reason why the country is in such a mess?
Or the former CEO of Singtel who boasted in his first press interview that he does not even have a television set at home and his children had to go to the grandparents' home to view TV shows.
The old man did once say, even if you put a dummy as the conductor of a great orchestra, you can still hear beautiful music.
Each of the 77 stooges also thinks that he/she can hire other lesser mortals to do their jobs and so on. The whole country is now practically run by FTs who will soon outsource their job to their compatriots too.
No wonder everything is falling apart - MRT, storm drainage,...
I think PAP using too much bananas to pay for their monkeys...and when the monkeys litter the banana peels after leaving the building...PAPies slip on those...and as usual blame others except the monkeys they originally "hired"....
haizzzz
Who said we were hacked? It was you the sheeple who chose the unsafe reset option! You could have chosen the safe option and nothing would have happened. All your fault, you monkeys, even when we spoon-feed you rubbish, you still eat! Not your fault whose fault? Certainly we the million dollar civil masters are never at fault, even if we are, we insist it is you who are at fault. If not, we sue you until we get the correct answer: it's your fault! Now let's see who we should promote next to the next level of incompetence and award him/her a big GDP bonus.
The way they reply is exactly like Teo Ho Pin. There is no breach, we use strong padlock and maintain a proper key access system. LOL
Wonder if this has anything to do with the Heartbleed bug.
Without transparency there can be no accountability. Blaming the victim is an age old ploy. Just look at the ultra religious societies of the sub-continent where victims, especially women, are severely punished (read stoning) for 'not toeing the line'.
PAP Joke
-----------
Q: Why did the chicken cross the road?
A: He had to reset his SingPass password.
Come on Sinkies.
Please do not expect anyone, even the best civil engineer, to be able to stop ponding when god makes it happen.
Nor can a gangster chief remain one infinitely, for he will wither and die like any other mortal.
Accident, mishap and mistake are part and parcel of living.
IDA's Managing Director, Jacqueline Poh Mae-Jean, is another elite with the right connection. Her husband is Andrew Tan, CEO of Maritime & Port Authority Singapore. Both are top civil servants.
Andrew Tan used to be LKY's principal private secretary 10 years back.
Well, that's meritocracy for you! Here, it's properly defined as "affinity and strength of connection to The Minister and His Cronies, via any orifice"; in the real world, they've known it's a myth for years!
With 3.3 million registered users and an e-service platform linking practically all government departments and services, it is almost criminal not to have a 2FA.
And with the NRIC No. being used as User IDs - there is no need to guess the User ID. All the hacker needs to do is to guess the passwords, or use brute force to find the passwords.