Tuesday, 5 November 2013

Q&A: Hacking explained for the rest of us who are not IT experts...

I am sure many of you are equally fascinated and intrigued by this recent hacking episode where Anonymous have launched a cyber attack on the Singaporean government. I am not an IT expert and do not understand many of the issues behind hacking, thus I have arranged to speak to an IT expert Rob who has kindly agreed to answer some of the questions I have about hacking. I hope that my readers will find this Q&A enlightening and useful.

Q: So the hackers have hacked some important websites in Singapore, would there be sensitive information that they can steal and pass into the wrong hands?
Do you really understand what the hackers have done?

A: No. Most websites are there to publish information on the organization for the public and what a hacker does is that they take control of a website so they can upload a statement onto that website, so that the people wishing to surf onto the organization's website will see instead the statement that the hackers have put on that website. The main intention is to upload information and draw attention to their cause, not download information. A classic example is when Anonymous hacked ST's website following that misleading article on ST. People wishing to surf to ST's website to read the news will see their statement instead. It is not the same as gaining access to highly classified information stored in some servers - it's a lot harder to gain access to something like that.

So for most of the websites that were hacked, these are just public faces of the government bodies (or organisations like the Straits Times or Seletar Airport, not all websites hacked were specifically government bodies) - the information on these websites is there for the public to see, there is nothing secretive or sensitive about the information on those websites. The fact is this information is already in the public domain, so there's nothing to steal.
Many hacked websites went offline.

There are other kinds of websites that do contain sensitive information and which don't normally cater for the public - these would be for registered users only and you will need a user name and password to access such a website. So for example, the Ministry of Defence might have a defence procurement website where they deal with third parties and something like that would contain sensitive information that the public do not have access to. An analogy for that would be Facebook - you need to log into Facebook and be friends with someone before you can access their profile. Facebook does a very good job in making sure that lines are clearly drawn between public information that anyone can access (eg. the Lady Gaga public fan page which anyone can follow on Facebook) and private information that only certain people can access - it's all in the security settings.

So for things like online banking, the level of security is really high to protect your details from hackers - but depending on the nature of the website, the level of security varies and so some websites are easier to hack than others. But really, it is really hard for the hackers to gain access to any kind of sensitive information so ordinary Singaporeans have nothing to worry about on a personal level. It's just that any money the government spends on repairing and boosting their security systems after this will ultimately be the taxpayers' money and this is money that can be spent elsewhere: health, education, the environment etc.
Do you understand how internet security works?

Q: How do they do it? How do hackers gain control of a website?

A: It's actually easier than you think - let me explain using an analogy. Imagine you are a thief trying to break into a hotel room, now you have several options to try to do this. You could try to pick the pocket of the tourist staying in that room or con the tourist to give the key card to you. You could also try to gain access to the room by getting the key card off the chambermaid whilst she is cleaning the room. You can simply walk up to the front desk and convince the manager there you have lost your room key. Or you could try to pick the lock on the door of the hotel room or do the spiderman thing and climb through the window.

Now the most difficult method to gain access to that hotel room would probably be trying to pick the lock or climb through the window - the security systems are set up in the way to prevent people from breaking in like that. However, if you have forgotten your password for a website, there's usually an option for you to click, like "Have you forgotten your username/password?" Most hackers gain access to websites by bluffing a webmaster that they have the right to access a website and getting the webmaster to issue them a new username and password - this is the equivalent of the thief convincing the manager at the hotel front desk that he has simply lost your hotel room key and getting another one issued. It's not rocket science, it just takes a convincing conman to pull something like that off.
There are many ways to gain access to a website. 

Hackers also send phishing emails to people who are in organisations to try to gain their username and password - they would write a convincingly official sounding email, claiming to be some new security contractor who needs to review all the usernames and passwords as part of a security review. Most people can spot an email like that if they are alert, but you'll be amazed how many people gladly give their usernames and passwords away like that because they are too trusting. This would be the equivalent of the thief putting on a nice suit and walking up to the tourist relaxing by the pool and saying, "Hello, my name is John. I am the duty manager today - we have had an IT problem and none of our key cards are currently working as we have had to reset the system. Can you give me your room key card so that I may issue you a new one please? What room are you in? Sorry for the inconvenience, I will be back in a few minutes."

Remember, even the best security systems are maintained by human beings and human beings make mistakes - that's what the hackers are counting on: the element of human error that stems from a gullible person who can be conned into compromising their security system, which allows them to access a system without actually having to bypass an elaborate security system. So you don't just need a good hacker, you need a good conman to pull this off.
Even the best security systems are run by humans who make mistakes.

Q: What do you have to say about conspiracy theories, like the one about "it is an insider's job, this couldn't have been done without someone on the inside".

A: Highly unlikely. Hackers can pull this off without any help from the inside. They know what they're doing.

Q: What can organizations do to protect themselves from hackers?

A: They need to raise the level of security - think about your internet banking. You usually have some kind of electronic security device which connects you to their system, so this security device generates a new code each time you want to log onto the system. So not only would the hackers need to gain access to the security device, they will also need to know the username and password, so that's three pieces of information they need before they can access the system. Maybe they can somehow get hold of the username and password but without actually physically having the security device in their hands, it makes it very hard for them to get around the security firewall.

It's not rocket science, such security systems are nothing new and it's just that some organizations don't really bother with elaborate security because they have never thought they would be hacked. It's just like the way my sister who lives in a small village can go out and leave her front door unlocked because she feels so safe and she doesn't expect anyone to come into her house and steal anything as she knows everyone in her village. She could lock her door, but she doesn't. Such websites would be an easy target for hackers. I imagine that everyone working for any kind of governmental organisation in Singapore right now would have been told to change their passwords already.

Q: So an organisation's website has been hacked, what happens next?

A: It's fairly straightforward really, the webmaster has to log back in and undo any changes made to the website and usually the changes are fairly minor and little damage is done. The website is usually back up and running within an hour - the Seletar Airport website which was hacked was only down for about 30 minutes or so. It is unlikely that the hacker can cause that much damage during the time they have gained access to the website, it really depends on the amount of admin privileges they manage to get their hands on - whether they can reset the passwords of other users or if it is limited to altering the content on the website.
Some hackers can cause more damage than others. 

Q: What other forms can a cyber attack take?

A: It can take the form of a denial of service attack (otherwise known by the acronym DoS, or a distributed denial of service, DDoS attack). This is when the hackers flood a website with so many requests that ordinary people who are seeking to visit the website for information cannot access it. The website is there, it hasn't been hacked, it hasn't been compromised - it is just that people cannot access it. When a website is under a DoS attack, you will get an error message like "this website isn't available" when you try to access it.

Let me give you a simple analogy. Imagine if you have a shop in the high street that you're trying to disrupt, you don't want their customers to be able to walk into the shop, select an item and make a purchase. So you simply send in thousands of fake shoppers to walk into the shop and occupy it to the point where no one else can actually even set foot into the shop. A genuine shopper who is trying to get into the shop will see that it is impossible to enter the shop and go somewhere else. The Wikipedia page on DoS attacks explains this in great technical detail.
Imagine if a flash mob of 10,000 people descended on this shop and wouldn't leave...

In order to understand how DoS attacks work, I have to talk about Malware - that's software with bad intentions. These are usually disguised as anything but Malware, so someone trying to download a free game, music or video may accidentally download Malware. Again, I could go into a lot more technical detail but I would refer you to the Wikipedia page on Malware for that. Once you get something like a Trojan Horse in your computer, it is a 'bot' and someone else is in control of it, but you have no control over it. A network of these over millions of computers forms a 'botnet' - it is a network of robots, most of the time they do nothing at all. They are all over the place and they can be activated to launch a DoS. There is a finite number of connections that a website can make at any one time, so the bots will all go to a page, start loading it really slowly and effectively flood it with requests to the point where the server is overwhelmed. It's quite stunning really, when you think about how they pull this off.
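The "finite number of connections" point above is the whole mechanism of this kind of DoS, and it also shows what a defender can tune. The following is an added toy model, not code from the original post or from anyone mentioned in it: a server with a fixed pool of connection slots, a constructed scenario of bots that open connections and go silent, and two settings (an idle timeout and a per-address cap) that stop silent clients from holding the whole pool. The addresses and timings are made up for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """A web server with a fixed pool of connection slots (toy model)."""
    max_connections: int      # size of the pool
    idle_timeout: float       # seconds a silent connection may keep its slot
    per_ip_limit: int         # slots one client address may hold at once
    active: list = field(default_factory=list)  # (client_ip, last_activity_time)

    def accept(self, ip: str, now: float) -> bool:
        """Try to open a connection for `ip` at time `now` (seconds)."""
        # Reclaim slots whose holders have sent nothing for idle_timeout seconds.
        self.active = [(i, t) for i, t in self.active if now - t < self.idle_timeout]
        held_by_ip = sum(1 for i, _ in self.active if i == ip)
        if held_by_ip >= self.per_ip_limit or len(self.active) >= self.max_connections:
            return False
        self.active.append((ip, now))
        return True


def run_scenario(server: Server) -> dict:
    """Constructed scenario: 50 bot addresses each open 4 connections at t=0 and
    then stay silent (the slowly loading page described above); a genuine visitor
    tries to connect at t=5 and again at t=30. Returns what the server accepted."""
    bot_ips = [f"10.0.0.{n}" for n in range(1, 51)]   # constructed sample addresses
    bots_accepted = sum(server.accept(ip, 0.0) for ip in bot_ips for _ in range(4))
    return {
        "bots_accepted": bots_accepted,
        "visitor_at_5s": server.accept("203.0.113.7", 5.0),
        "visitor_at_30s": server.accept("203.0.113.7", 30.0),
    }


def weak_server() -> Server:
    # Long timeout, no per-address cap: the pool belongs to whoever fills it first.
    return Server(max_connections=100, idle_timeout=300.0, per_ip_limit=100)


def hardened_server() -> Server:
    # Short idle timeout and one slot per address: the bots still consume some
    # capacity, but cannot monopolise the pool, and silent slots are freed quickly.
    return Server(max_connections=100, idle_timeout=10.0, per_ip_limit=1)


if __name__ == "__main__":
    print("weak:", run_scenario(weak_server()))
    print("hardened:", run_scenario(hardened_server()))
```

Real servers combine these limits with request rate limiting and upstream filtering; the model only shows why the pool size alone is not the defence.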

Q: How does a website recover from a DoS attack?

A: Well, it is fairly complicated and Wikipedia has a detailed explanation here.

Q: So the hackers can do all this without taking control of a website, without gaining a single password.

A: Yes, but it is just as disruptive. Let's take airline tickets for example - many of us tend to buy airline tickets online either directly with the airline or through some online travel agent's website. Imagine if a DoS attack prevented people from accessing an airline's website - what are they going to do? They would most probably go book a flight with another airline. So this could translate to huge losses for companies who do a lot of sales online like airlines. As for government bodies who are simply using their websites to publish information for the public, there is less damage done - just bad PR. So in this case, even if they did use DoS to attack some of these government websites, the damage is not as bad as some people have made it out to be. It is just a minor inconvenience.

Q: How much preparation has gone into this current cyber attack?

A: A lot. Oh there would have been a huge amount of preparation. They have probably been setting everything up for years, gaining passwords, testing the security systems of the websites they wished to hack to see if they can get in and out without being caught. It is not the kind of thing you can just do without any preparation - you see, the myth that these hackers want to perpetuate is that they can override the world's most sophisticated and expensive security systems, but what they've done in fact is spent years collecting usernames and passwords to gain access into these systems. Yes there are a small number of highly skilled programmers who may actually be able to override such complex security systems, but it is a lot harder than you think. It is usually a mixture of mostly low-tech cons plus a relatively smaller amount of high tech IT wizardry.

Q: Can the hackers be caught?

A: Unlikely. You see, Anonymous are a worldwide group of hacktivists; they are on every continent so it is not like it is somebody in Singapore doing it from his flat in Yishun. They help each other cover their tracks, so whilst a lot of the planning has to be done locally in Singapore since it requires a great degree of local knowledge to make the hack successful - the actual hacks themselves are usually done from halfway around the world, from anonymous locations like internet cafes or somewhere like a shopping mall where there is free public wifi. This means that the IP address would be impossible to match to a certain individual so the police would find it very hard to single out an individual to arrest.

Cross-border cooperation on cyber crimes is usually poorly coordinated to say the least, so for example if a hack was done by someone in Uruguay - do the Singapore police know who to approach in Uruguay and would the Uruguayan police comply with a request to investigate a crime that does not affect them locally in Uruguay? Would the Singapore police have to translate the legal paperwork into Spanish before the Uruguayans would look at it? Would the Uruguayan police care about a crime happening halfway around the world, which doesn't affect them at all locally?

Having said that, there is the case of Gary McKinnon, the British hacker who is wanted in America for hacking into various American and NASA computers back in 2001 - 2002, the US government have tried very hard to get McKinnon extradited to America to stand trial there but the UK government has blocked his extradition every step of the way so far. If sent to America, he could spend up to 70 years in jail for his crimes. He is still in the UK but his future is uncertain and there are fears that he may be treated as a pawn as part of some political deal between Washington and London if the UK needs a favour from the US in the future.

Q: I know this may seem like a silly question... Who are these hackers?

A: That's a hard question to answer as most hackers are never caught - you wouldn't be playing at this level if you were not able to cover your tracks well enough. We don't know who they are, all we know is that they are very good at what they're doing, they're very intelligent and are IT experts. They are also people who are not afraid to break the law - what they are doing is criminal. The law in the UK states that you can be sent to jail for up to 10 years for a DoS attack. It's quite brazen what they are doing, they know they are breaking the law.

I also know that there are some IT experts who are short of cash and would gladly work for people who do not have the technical expertise to launch such a well coordinated cyber attack on this scale. It is a form of organized crime and there is money to be made. If you have no ethics and are not afraid to break the law, there are people who will pay you for your IT skills. Some hackers do what they do solely for political reasons and would never try to make any kind of monetary profit from their activities whilst others will work for anyone if the price is right.
What motivates these hackers?

Q: So you're saying the hack was not done by Singaporeans?

A: No. The people behind the hack... the brains behind it would almost definitely have to be Singaporeans given the amount of local knowledge needed for this. The people who have the motivation to attack the Singaporean government would almost certainly be local - it's just too easy to look the other way and ignore the shortcomings of another country's government. However, they would have enlisted the help of others in the Anonymous global network to launch this cyber attack and so maybe, in the future, if some hacktivists want to launch a hack in South America, they may enlist the help of Singaporean hackers who would nip over the border into Johor Bahru, find a coffee shop with free wifi and then launch a hack onto a South American government website from there. Hacktivists do often co-operate and help each other like that because they feel strongly that such actions are making a positive impact in the world and they are making the world a better place. Also, I daresay many of these guys find this hacking very fun - they get a great sense of thrill and adventure in hacking. Maybe they have boring mundane jobs to pay the bills and this hacking is something totally exciting compared to their everyday routine. Those guys at Anonymous know what they are doing. They are a formidable force to be reckoned with, I would not want to mess with them or offend them.

Q: So what do you think will happen over the next few days?

A: More websites will be hacked, they will be restored, the hackers will then target other websites and it will go on and on. The Singapore government has money to throw at hiring IT experts to come and sort out the mess and they will see it as just a problem that money can solve. And it'll all be over in due course.
Some Singaporeans don't quite know how to react to this episode. 

Q: Do you think it will have any kind of long term impact on Singapore?

A: You know Singapore a lot better than me, but I doubt it. Hacks have happened to other countries before and it's just part and parcel of being a part of the internet age.

Q: Are cyber attacks like this common?

A: No, actually. If you knew how much hard work went into preparing a hack like that, then you'll realize just how difficult it is to launch an attack like that. It's like looking at something as magnificent as the Taj Mahal and thinking, "oh that's nice, isn't that so pretty. I wonder why didn't they build a few more of these around India?"
Do you know why the Taj Mahal is unique?

Q: Will we see more cyber attacks like that in the future?

A: Yes we will. It is a game of cat and mouse. Each time they hack, the targets will respond and increase their security and the hackers become more inventive and cleverer in their methods. This is the future you know, people will protest online rather than take to the streets organizing mass protests and throwing stones at riot police. So much of our lives are on the internet these days so it is an obvious target for attack.

Q: Thanks so much for answering my questions!

A: You're welcome.

If you have any more questions for my IT expert Rob, please leave a comment below, thanks for reading.

