On Anonymous declaring “War” on Singapore PAP government – Note from a regular IT dude

This post is contributed by a friend of mine, Wei Kiat, who is a regular IT dude. He has some interesting perspectives to share on the recent Anonymous and Messiah saga. If you found what was written here useful, do share this post to stop the fear-mongering:

1. Fear Mongering & the State of things

There had been a number of cyber attacks over the past few days by someone who calls himself “Messiah”. The attacks sparked panic island-wide, with people fearing about a “cyber” doomsday where everything would magically stop working and the whole island in chaos. I thought it would be prudent to set the records straight, to help layman understand what these attacks actually entail and to prevent the spread of needless panic and fear. Cases of blind-leading-blind when it comes to attacks and its implications are too rampant.

The usual disclaimer:

1) I’m not an IT security professional or a white or black hat hacker, merely a programmer, IT consultant & entrepreneur. If I have made any factual mistakes, please kindly feedback and I will rectify them.
2) The following are my theories. Many of my assumptions on the capabilities of Messiah I do not know as facts. I may be wrong. Please take it with a kilogram of salt.

Now, let’s consider Messiah’s technical capabilities.

2. Messiah’s Technical Capabilities

2.1 The Difference between “Web Systems” & “Internal Systems”

In other to understand what really went on behind cyber attacks over the past few days, for the sake of simplicity, let’s divide computer systems into two main categories, web systems and internal systems. By “web systems”, I refer to all the servers and systems behind an organization’s website. By “internal systems”, I refer to mission critical systems used by an organization for their day to day functions. For example, LTA’s website is on a “web system”, LTA’s traffic controller system is an “internal” system.

The attacks over the last few days all involved web systems, which are easier targets for attack because these systems are more public while generally having weaker security mechanisms. There is no sign that Messiah was able to gain access to any internal systems to date. Fear-mongers have been preaching and misleading people in thinking that as an example, if LTA’s website got hacked, our traffic lights will stop working. That is simply not the case, and Messiah has not yet demonstrated his ability to carry out ”infrastructure crippling” attacks. Sad to tell you, but ERP will still continue to work even if LTA’s website is down.

2.2 Understanding attacks on “Web Systems”

To help layman in understanding the nature of attacks on websites, let’s imagine that every time you type in a URL on your web browser, a tiny truck comes out of your computer (a web request), look up the destination on street directory (a DNS server), drives to the warehouse (website server) to pick something up (the actual website) and bring it back to you (website loads on your screen).

To attack a website, the attacker can either prevent your tiny truck from ever reaching the factory while leaving the factory untouched, or enter the factory to shut it down (a.k.a hack into the server.)

Attacks over the past few days can be categorized into two main types: defacement attacks (when the website got vandalized, such as Straits Times’ Blog) and service availability attacks (when the website becomes inaccessible for a period of time, such as the supposed hack on government websites).

2.2.1 Defacement Attacks

A very strange pattern emerged. It seemed as if only sites running open source CMS (content management systems) and/or or cheaply outsourced were defaced. For example, only the blog section of Straits Times was hacked, because out of the entire Straits Times site, only the blog section uses an open source CMS. Hacking into a CMS involves gaining access to either (1) the CMS admin dashboard or (2) the web server. The CMS admin dashboard is a simple system that allows non-IT personnel to update the content of a website. Hacking into the CMS admin dashboard does not mean the hacker has complete access the entire web server.

Gaining access to CMS admin dashboard is easy. For open source CMS solutions, exploits are always discovered and published, in order for security fixes to be written and distributed in a very short amount of time. However, most solution vendors in Singapore hand off CMS to their clients immediately after project conclusion, and seldom advice their clients to do constant upgrades, opening huge opportunities for attack. Many CMS admin dashboards also use the same default username, such as “admin”. In most cases, such accounts are shared among different staff, so to help everyone in remembering the password, plain english passwords are commonly used. It is then easy to use a simple dictionary attack to hack. Dictionary attack simply involves using a program to try different passwords at high speed. Given enough time (days, months, years, centuries), any account could be hacked this way.

From the very specific targets of attack (only open source CMS sections of a website were hacked i.e. Straits Times Blog, and only websites using open source CMS were hacked i.e. CHC website), I think it is safe to conclude that Messiah did not attempt or did not have the necessary skills to hack into an actual server.

2.2.2 Service Availability Attacks

How about supposedly bringing down a couple of government websites as well as Straits Times, Stomp and Hardwarezone (all owned by SPH) for a couple of minutes? For this post, let’s assume the government websites were down because of a cyber attack, not a “scheduled maintenance”.

Server hacks are hard to recover from if there’s damage done. Looking at how fast we recovered from those attacks, it is possible to speculate that the servers were never actually hacked. Using the tiny truck analogy from above, the attacker simply prevented your tiny truck from ever reaching the factory (so when you try to access a website, it could not load). Two common methods are known as DoS (denial of service) and DNS Spoofing or poisoning.

Denial of service attack is an attack that doesn’t require much skills. To prevent your tiny truck from reaching the factory (connecting to the web site), the attacker simply had to send millions of tiny trucks to the same factory at the same time so that the highway became so congested your truck couldn’t get through.

While I am not too familiar with DNS poisoning, DNS servers are like street directories. DNS poisoning attack messes up the directories, causing your tiny truck to lose its way and can never reach the factory.

Let me repeat, both DoS and DNS poisoning attacks do not involve actual hacking (e.g the factory in the analogy above was never compromised). There is no need to infiltrate any government or SPH servers to execute these attacks.

2.3 What does this say about Messiah?

In summary, Messiah was only able to breach certain web systems; he was not reported to have breached any internal systems. In cases where web systems were breached, Messiah was only able to do so via the CMS. He was never able to hack into the actual web server. For websites that does not use weak CMS, he simply did a service availability attack. This doesn’t sound like someone who is an extremely skilled hacker as proclaimed in the video.
Conversely, the skill-set required for the attacks we have seen so far are very different from those crazy hardcore attacks we have seen Anonymous do on news reports. I am speculating that Messiah may not even be from Anonymous.

3. What’s next?

I think Messiah will continue looking for easy exploits among high profile websites, and when he or they can’t hack, they will simply do a DoS or DNS poisoning attack to make a statement.

I trust the security capabilities of our government sites, and I still believe that unless there are different hackers who join today, our data on government servers and infrastructures will remain safe.

As an average Joe, I don’t think there’s much to fear about these attacks because:

1) As concluded above, Messiah doesn’t seem competent enough to actually compromise important servers
2) Once again, “web systems” and “internal sustems” are different. Hacking into LTA website does not equate hacking into LTA. Your traffic lights will still work. They are different things.
3) Assuming that even if he or they have the ability, there is no reason for Messiah to try to gain unauthorized data, or to abuse or leak them. The youtube video called for support from Singaporeans. There will be more haters than supporters if such things happened.
4) The attacks so far are more in line trying to “make a statement” than to retrieve or leak any sensitive data. This trend may continue.

Hope this post help provide some insights into the confusing world of cyber security, and to maybe help with allaying the fear and reducing confusion after all the blind-leading-blind articles that have been popping up lately.

That said, organizations and individuals should remember to always exercise prudence and preemptive diligence when it comes to security. Cyber attacks are very real and may strike you when you least expect it.

Advertisements

11 thoughts on “On Anonymous declaring “War” on Singapore PAP government – Note from a regular IT dude”

  1. Messiah is from Anonymous. Anyone can be from Anonymous if they choose to be. That is the fundamental nature of being Anonymous. There is not such thing as “Messiah may not be from Anonymous”. He may not have the support of expert hackers from other parts of Anonymous, but that doesn’t make him any less anonymous as long as he doesn’t get caught.

  2. Anyway, DDOS and DNS attacks are not “simple” attacks. If done right, requires a butt load of resources and planning to execute.

  3. Correction suggestion: ST actually uses Drupal for the bulk/main part of its website, which is also an open source CMS. I believe the blogs section was hacked as it is running on an old version of WordPress which is vulnerable to SQL injection.

  4. If you want an agnostic article written on this matter check out the one by PoachedMag.com.

    To make it clear, The Messiah are siding citizens. Trying to stop the government from passing a law that forces all media sites with 50,000 or more viewers to be pro-government (on the Internet, we already have that for our newspapers). The Messiah may not be doing the right thing, but they are in fact working towards a goal most good people would want. That is: Not just transparency of the government, but also the integrity of the articles written about the government from Singapore media sites.

    Keep spoiling and telling Singaporeans that they are in the safest hand, after all, only the most ignorant or careless people in Singapore(read: uninformed) will be hit the hardest if our government ever lacks the expected integrity of them.

    I personally feel, WikiLeaks will be in a better position of exploiting malicious activities better.

    http://poachedmag.com/2013/11/06/kowtow-anonymous/

  5. Totally agree with Wei Kiat’s assessment on the skill level of Messiah. With such skill set, I also doubt that he is a valuable member in the Anonymous if he is really one.

    I do not care how noble is his intention. As long as he is attacking the IT infrastructure of Singapore, he is against Singapore. I do not buy his explanation as in he targets Singapore Government and not Singapore. Load of BS.

    Support PM’s stance. Any hackers who want to try our systems, should be taken to task.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s