Lim Kit Siang

Where is the accountability factor?

By Edwin Yapp
Jun 15, 2011 | The Malaysian Insider

JUNE 15 — I had been away on a break but being the news junkie I am, I had been following various interesting news even while on vacation.

One that certainly caught my eye was the item reported in The Malaysian Insider, as well as other online news sites, about how a recently set up government price check website had been hacked into, the act of which has resulted in the loss of over 2,000 registered users’ details.

The 1 Malaysia Pengguna Bijak’s (1MPB) website launched on June 7 allows the public to check and compare the prices of consumer products sold at 1,255 retail outlets nationwide by clicking on the portal (1pengguna.com).

The initial idea of setting up such a portal is a good one. The bid to make government services more accessible to the public should be encouraged.

But setting up such a website is not merely about making the information available in a database, registering a domain name, dolling up a web server and publicising it via advertisements, so that the public can start to use it.

Perhaps 10 years ago, doing so would be enough. But in today’s increasingly cyber-dependent and consequently, cyber-vulnerable world, it isn’t just enough.

The fact is that in today’s web-enabled world, anyone wanting to set up a web presence and offer services, especially one that would require that users surrender precious private and personal information, must not only have a secured server and service in place but must also ensure that security is at the core of its design.

Granted, we don’t know the exact details of the kind of security the vendors employed in the design of the 1MPB or indeed how the hacking incident took place.

IT community portal Lowyat.net, one of the first websites that reported this breach, did, however, note on June 11 that there were “several vulnerabilities in the RM1.4 million 1MPB site that allowed hackers to pull signup details, usernames, email addresses and hashed passwords (encrypted).”

Lowyat.net founder and chief executive Vijandren Ramadass told The Malaysian Insider there was “a severe lack of security on the site” when it was launched and that he tried contacting the website administrator but received no response.

“Obviously, this is not an RM1.4 million job. Security and user privacy is a very important issue, especially on a site backed by the government,” he said.

Other security experts I spoke with concurred with Vijandren, noting the breach should not even have happened in the first place.

One of them, Dhiillon Kannabhiran, founder of security organisation Hack In The Box, noted that this breach shouldn’t have happened at all. “It’s an SQL Injection issue, a security vulnerability caused by poor input validation on the web application,” he explained.

“In short, the application was poorly written and it allowed an attacker to copy/steal information from the backend database via nothing more than a web browser, meaning no specialised tools were needed.”

Dhillon went on to say that proper input validation and having secure programming practices would have been sufficient in preventing this attack.

“The vulnerability would also most likely have been discovered had the application/portal undergone a proper vulnerability assessment prior to being launched. The main entry point into the database was via the web application itself.”

But what really got me riled up were two other stories that appeared following the incident.

In its Saturday report, the Star online quoted Domestic Trade, Co-operatives and Consumerism Ministry deputy secretary-general Mahani Tan Abdullah admitting to the breach of security but she downplayed the matter, saying that only the “the first layer” of the website’s security was penetrated.

Yesterday, in a bid to further defend its position and defuse the severity of last week’s breach, The Malaysian Insider reported that Tan said what hackers got was only “test data,” which ominously still contain the e-mail addresses of staff from the ministry.

She reiterated that no sensitive information was in jeopardy, arguing that the “hackers only went into the first layer where they could just read data which contained the names and the email addresses of the staff, which, by the way, is in the public domain.”

What seemed like innocuous and innocent comments are anything but. A breach in a public sector website’s security and the theft of information — regardless whether it was test information comprising internal staff e-mail address — no matter how seemingly harmless is still a breach and should not be downplayed as such.

And what makes it worse is that instead of acknowledging the weaknesses in how this web service has been introduced — one that is fraught with errors and vulnerabilities — a senior spokesperson tried to pass it off by saying the Ministry is “not unduly worried” about the whole episode.

In a manner reflecting a lot of the country’s politicians and bureaucrats, the habit of sweeping accountability under the carpet is just one of the many systemic problems Malaysia is facing.

Fact is, the breach did happen, and while not a legal expert, it wouldn’t be a stretch of any imagination that such breaches would have contravened several laws the country has enacted, namely the Computer Crimes Act 1997 and the Personal Data Protection Act 2010, to combat such crimes.

But even as the government claims to want to be more transparent and accountable, typical answers and actions like the one made only serve to act as an Achilles’ heel to its efforts to do so.

Plainly put, to dismiss and wave-off the information breach are not only irresponsible, careless but also wrong and should not, and must not be tolerated.

And what of the vendor — Sands Consulting Sdn Bhd — the firm the Star Online said was appointed to carry out the project? What has it said in regard to this matter? What is its justification for allowing this vulnerability to be exploited in the first place?

Unbeknownst to many, worse things could have happened, and will happen, if we do not demand higher accountability for our personal data protection.

One of which, as Dhillon noted, is that while 2,000 or so stolen accounts might not seem like a very large number, personal information leakages of any kind is a serious issue considering the data could be used for far more serious crimes.

This can’t be truer as renowned IT security multinationals such as Microsoft and Symantec, as well as local security agencies like Cybersecurity, have warned that the most insidious threats the cyber world faces today are the ones that use stolen information to perpetrate other cybercrimes.

The breach of information security in the 1MPB website serves to remind us that this is certainly no trivial matter and until and unless the government personnel responsible for setting up such websites and those they appoint to implement them are held accountable, our information, our very lives are at the mercy of those who are waiting to dupe and manipulate us.