Restricting Internet Access for WoG

A few days ago, The Straits Times wrote that public servants’ computers will be cut off from Internet access.

Singapore public servants’ computers to have no Internet access from May next year

All computers used officially by public servants in Singapore will be cut off from the Internet from May next year, in an unprecedented move to tighten security.

A memo is going out to all government agencies, ministries and statutory boards here about the Internet blockade a year from now, The Straits Times has learnt.

This news generated a huge buzz, with many interesting memes from SGAG ridiculing the policy. IDA came out to clarify the facts and myths here. Even PM Lee talked about the necessity of this measure.

I am extremely concerned with the announcement of the policy. First of all, the title from above is extremely misleading. There will be no Internet from the public servants’ work terminals. This does not mean that the public service will have zero access to the Internet. There is no doubt that it has generated inconvenience, but every ministry, stat board and agency affected will be looking for possible solutions to minimize the impact from this new measure. Some possible solutions include allowing Internet surfing through personal devices using the WiFi services provided by the agency, or issuing an extra device just for Internet surfing. So yes, there will be inconvenience, but public servants will still have access to the Internet.

Secondly, mitigation measures to minimize the impact of this new policy should be considered in parallel with the planning of this policy. It seems to me that this policy was rushed to roll out and not given enough thought and debate. Deriving a solution to minimize the impact should be included in the policy, or at worst as strong recommendations, and not left as a problem for individual agencies to solve. This policy, which clearly showed that things were not thought through thoroughly, shows the inadequacy of IDA’s planning. Pretty disappointing if you ask me.

Thirdly, the underlying rationale for this move was not conveyed well. The media highlighted that the move was inevitable with security in mind. They did not emphasize the real motivation behind the decision to cut off Internet from work terminals. I have mentioned before that the human factor is the weakest link in most security systems. The underlying reason behind this move, I believe, is the lack of cybersecurity awareness in public servants. Public servants who have access to the Internet fall for phishing emails and click baits, unintentionally downloading malware onto their work terminals. In worse cases, they send classified information to their personal emails to complete at home. As long as their work terminals, which contain classified information, are connected to the Internet, they provide an access point for attackers. On top of that, the Government Enterprise Network links the public service together. This is why attacking through a single terminal in an agency may give the attacker access to other agencies. Thus, IDA decided to cut the Internet from everyone. This is also the reason why teachers, who fortunately do not use the Government Enterprise Network, are spared from this policy.

Cyber threats are to be taken very seriously, and no effort should be spared in ensuring the security of our systems. However, this does not mean that the efficiency of day to day operations should be compromised. Security experts often have to design security measures while ensuring systems are still able to operate efficiently. For example, if WhatsApp implements a security measure but each message takes 3 minutes to be sent out, I’m sure there will be no more users in a month. At first glance, it seems that this policy will greatly impede the efficiency of the public service. It remains to be seen how they propose to reduce the impact of this.

Increase Awareness on Cybersecurity?

Some time back I had a meaningful discussion with a few people on the importance of cybersecurity. We all reached a common consensus that everyone needs to embrace the importance of cybersecurity. This means that security will not be seen as a burden to everyday tasks. The question, though, is how do we achieve it?

This is a question that has been asked for a long time. Many companies approach it by educating their staff through mandatory courses/programmes. However, this does not guarantee that what is taught will be learnt and remembered. It also does not change how others view security. In fact, we can still often read about companies falling victim to cyber attacks due to high-ranking employees falling into social engineering traps, e.g. phishing emails. Therefore, this method is not effective.

Perhaps the best way to do it is to learn it the hard way. As humans, it is difficult to learn from the mistakes of others but we will often remember the painful experiences that we encounter. Yet, the company can’t possibly hire a white hat attacker to attack everyone, can they?

Indeed, this is an extremely difficult problem to tackle and I believe the high ranking personnel in every company will be looking for a feasible and effective solution. So does anyone have any ideas?

Importance of Security in Smart Nation Singapore

The idea of a smart nation is exciting. For example, drivers will have access to real-time traffic conditions so they know which roads to avoid (same goes for parking spaces); an elderly person who lives alone can have the sensors in their home linked with a caregiver’s mobile device so that the caregiver can be notified if the elderly person needs assistance. For these scenarios to become a reality, information must be easily available to those who require it. However, this information must not be made available to malicious attackers. The consequences will be disastrous if attackers get their hands on this information.

To understand the scale of the severity, we should first understand what the information contains. It includes, but is not limited to, the CCTV footage from every CCTV camera; positions of every locally registered car; our past records like medical records and educational records. With this information, it is possible to reconstruct anyone’s personal profile, which includes their history, daily routine and even habits and hobbies. On a smaller scale, the availability of this information makes it extremely easy for a malicious attacker to use social engineering to attack whoever they want to. On a larger scale, it provides terrorists with information on the best places to conduct an attack with the largest impact and with the largest probability of success.

Therefore, the security of this information is of paramount importance! Minister of Foreign Affairs Dr Vivian Balakrishnan, also the Minister in charge of SmartNation Singapore, has acknowledged this as well. Easier said than done! Many organizations have fallen into the hands of malicious attackers in the past. There is nothing to suggest that Singapore will be invulnerable. On the contrary, the integrated aspect of the Smart Nation makes us even more vulnerable as there are more channels of attack than before. What then will Singapore do to ensure that the information will be kept secure? In the past, security and efficiency have always had to reach a compromise. However, in my opinion, a project of this scale should place security as its undisputed number one priority. We can do without some features, but we cannot accept our information falling into the wrong hands.

 

The Importance of Proper Backup

It’s been a while since the last update as I was very tied up this week. In this post I’d like to share about ransomware and the importance of having a proper backup. Ransomware, as the name suggests, involves criminal activity that holds something dear to you hostage for ransom. In this case, what they are holding hostage is your access to your data.

You can read about how it works here. In short, an attacker gains access to your data, encrypts it and demands a fee for the decryption key. Usually, this fee increases after a certain number of days, and the attacker may threaten to destroy the decryption key after another stated time. This is where the victim has to analyze the cost of the damages. If they have an unaffected backup, preferably stored on a separate stand-alone terminal, they can restore from the backup and lose only an amount of data that depends on the frequency of the backup. In the worst-case scenario, none of the data is recoverable and the victim has to face the tough choice of either paying the ransom or risking the loss of all their data, whichever has the lower cost. While attackers usually attack organizations in hopes of larger returns (the value of the lost data is much higher than that of personal data), do not be naive and assume that your personal PC will never be compromised. Do your backups frequently and have them stored on a separate network.

Hail WhatsApp End-to-End Encryption

WhatsApp is now end-to-end encrypted. I spoke about the benefits of end-to-end encryption in a previous post. Now, all personal messages, group messages, calls, videos and photos sent are end-to-end encrypted. That means even WhatsApp can’t comply with the FBI’s wishes even if they request to view your messages. HEHE.

You can read about the technical description here.

“What have you tried?”

I think this reflects the best attitude for learning and growth. I firmly believe that the best way to learn is to try first. Even if you fail, you develop an understanding of it and when the solution is given to you, you are able to understand why it works (or why your solution doesn’t). Although I’m not a saint, and I’ll admit that I am guilty of being lazy at times, I don’t think I have demanded solutions without showing evidence of trying. Such virtues should be taught and emphasized in schools. I think schools are very guilty of feeding solutions without the students first trying. When I was tutoring, I had students who just looked to me for answers. I really hated it. I don’t mind wrong answers, but I hate “I don’t know” replied in 5 seconds.

Apple vs. FBI, the conclusion?

A good read on Washington’s Times here from Bruce Schneier.

A summary of all the excellent points he mentioned:

  1. What the FBI is doing is not the norm of vulnerability research. They are deliberately degrading the security of the iPhone by keeping the vulnerability secret. As I mentioned in a previous post, keeping a vulnerability secret doesn’t mean the vulnerability can only be exploited by you. More importantly, it means the vulnerability exists and anyone can exploit it once they’ve discovered it.
  2. A vulnerability affects every device, not just one. So there’s no such thing as “Let’s compromise this single device only.”
  3. The notion of Security vs. Surveillance. In my opinion, it is really difficult to side with either one of these. Surveillance requires tapping on weaknesses to listen to traffic. Security is ensuring that no one is able to eavesdrop. At first glance, it may seem that they are mutually exclusive. I don’t think that’s the case. If you are able to do surveillance on your adversary simply because he is not doing things right, then it doesn’t compromise security in general. However, if he is doing everything right and you are able to do surveillance due to some weakness that you, and only you, cracked, then it compromises security because everyone else will be using the same method without realising that there exists a way to break it.