Understanding the attacks by Messiah – is there anything for us to fear?

Update: In an email to Yahoo Singapore, “The Messiah” said “… we reached out to our comrades from other fractions who together with us performed DNS poisoning on the .gov.sg sites, taking them down for a period of time. But there must have also been some patching that was done as some of our favourite point of entries into their networks seemed to be fixed.” – Yahoo News

DNS poisoning? I was right.

1. Fear Mongering & the State of things

There have been a number of cyber attacks over the past few days by someone who calls himself “Messiah”. The attacks sparked panic island-wide, with people fearing a “cyber” doomsday in which everything would magically stop working and the whole island would descend into chaos. I thought it would be prudent to set the record straight, to help laymen understand what these attacks actually entail and to prevent the spread of needless panic and fear. Cases of the blind leading the blind when it comes to attacks and their implications are far too rampant.

The usual disclaimer:

1) I’m not an IT security professional or a white or black hat hacker, merely a programmer, IT consultant & entrepreneur. If I have made any factual mistakes, please kindly give feedback and I will rectify them.

2) The following are my theories. Many of my assumptions about Messiah’s capabilities are not things I know as facts. I may be wrong. Please take it with a kilogram of salt.

Now, let’s consider Messiah’s technical capabilities.

2. Messiah’s Technical Capabilities

2.1 The Difference between “Web Systems” & “Internal Systems”

In order to understand what really went on behind cyber attacks over the past few days, for the sake of simplicity, let’s divide computer systems into two main categories, web systems and internal systems. By “web systems”, I refer to all the servers and systems behind an organization’s website. By “internal systems”, I refer to mission critical systems used by an organization for their day to day functions. For example, LTA’s website is on a “web system”, LTA’s traffic controller system is an “internal” system.

The attacks over the last few days all involved web systems, which are easier targets because they are more exposed to the public while generally having weaker security mechanisms. There is no sign that Messiah has been able to gain access to any internal systems to date. Fear-mongers have been preaching and misleading people into thinking that, for example, if LTA’s website got hacked, our traffic lights will stop working. That is simply not the case, and Messiah has not yet demonstrated any ability to carry out “infrastructure crippling” attacks. Sad to tell you, but ERP will continue to work even if LTA’s website is down.

2.2 Understanding attacks on “Web Systems”

To help laymen understand the nature of attacks on websites, let’s imagine that every time you type a URL into your web browser, a tiny truck comes out of your computer (a web request), looks up the destination in a street directory (a DNS server), drives to the factory (the website’s server) to pick something up (the actual website) and brings it back to you (the website loads on your screen).

To attack a website, the attacker can either prevent your tiny truck from ever reaching the factory while leaving the factory untouched, or enter the factory and shut it down (i.e. hack into the server).

Attacks over the past few days can be categorized into two main types: defacement attacks (when the website got vandalized, such as Straits Times’ Blog) and service availability attacks (when the website becomes inaccessible for a period of time, such as the supposed hack on government websites).

2.2.1 Defacement Attacks

A very strange pattern emerged. It seemed as if only sites running open source CMS (content management systems) and/or cheaply outsourced sites were defaced. For example, only the blog section of Straits Times was hacked, because out of the entire Straits Times site, only the blog section uses an open source CMS. Hacking into a CMS involves gaining access to either (1) the CMS admin dashboard or (2) the web server. The CMS admin dashboard is a simple system that allows non-IT personnel to update the content of a website. Hacking into the CMS admin dashboard does not mean the hacker has complete access to the entire web server.

Gaining access to a CMS admin dashboard is easy. For open source CMS solutions, exploits are constantly being discovered and published so that security fixes can be written and distributed in a very short amount of time. However, most solution vendors in Singapore hand the CMS off to their clients immediately after the project concludes, and seldom advise their clients to keep upgrading it, opening huge opportunities for attack. Many CMS admin dashboards also use the same default username, such as “admin”. In most cases, such accounts are shared among different staff, so to help everyone remember the password, plain English passwords are commonly used. Such an account is then easy to break with a simple dictionary attack, which simply involves using a program to try different passwords at high speed. Given enough time (days, months, years, centuries), any account could be hacked this way.
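To make the dictionary-attack point concrete from the defender’s side, here is an added example (my own code, not from the original post) that parses a few constructed CMS login log lines and flags a burst of failed logins against one account from one address, noting whether the burst ended in a success and whether the account is the shared default “admin”. The log line format, the sample lines, the IP addresses (documentation ranges) and the thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CMS login records (not real data). The line format is an
# assumption: "<ISO timestamp> <client ip> user=<name> result=<ok|fail>".
SAMPLE_LOG = """\
2013-11-01T10:00:00 203.0.113.7 user=admin result=fail
2013-11-01T10:00:01 203.0.113.7 user=admin result=fail
2013-11-01T10:00:02 203.0.113.7 user=admin result=fail
2013-11-01T10:00:03 203.0.113.7 user=admin result=fail
2013-11-01T10:00:04 203.0.113.7 user=admin result=fail
2013-11-01T10:00:05 203.0.113.7 user=admin result=ok
2013-11-01T10:05:00 198.51.100.2 user=editor result=fail
2013-11-01T10:30:00 198.51.100.2 user=editor result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_dictionary_attacks(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, user) pairs with at least `threshold` failed logins inside a
    sliding `window`. A later success for a flagged pair is recorded too,
    because a burst of failures followed by a success is the signature of a
    guessed password rather than a forgetful user."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}                   # (ip, user) -> alert details
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ip"], ev["user"])
        if ev["result"] == "fail":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures": len(q),
                    "first": q[0],
                    "last": ev["ts"],
                    "success_after_burst": False,
                    # shared default accounts are the weak spot the post describes
                    "default_account": ev["user"].lower() in {"admin", "administrator"},
                }
        elif key in alerts:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_dictionary_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the editor account is never flagged (one failure half an hour before a success is ordinary), while the admin account trips the threshold after five failures in five seconds and the following success is recorded, which is the event worth paging someone about. The same sliding-window logic is what a login lockout or rate limit on the dashboard would act on.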

From the very specific targets of attack (only open source CMS sections of a website were hacked i.e. Straits Times Blog, and only websites using open source CMS were hacked i.e. CHC website), I think it is safe to conclude that Messiah did not attempt or did not have the necessary skills to hack into an actual server.

2.2.2 Service Availability Attacks

How about supposedly bringing down a couple of government websites as well as Straits Times, Stomp and Hardwarezone (all owned by SPH) for a couple of minutes? For this post, let’s assume the government websites were down because of a cyber attack, not a “scheduled maintenance”.

Server hacks are hard to recover from if there’s damage done. Looking at how fast we recovered from those attacks, it is possible to speculate that the servers were never actually hacked. Using the tiny truck analogy from above, the attacker simply prevented your tiny truck from ever reaching the factory (so when you try to access a website, it could not load). Two common methods are known as DoS (denial of service) and DNS Spoofing or poisoning.

A denial of service attack does not require much skill. To prevent your tiny truck from reaching the factory (connecting to the website), the attacker simply has to send millions of tiny trucks to the same factory at the same time, so that the highway becomes so congested your truck cannot get through.

While I am not too familiar with DNS poisoning, DNS servers are like street directories. A DNS poisoning attack messes up the directories, causing your tiny truck to lose its way and never reach the factory. DNS poisoning can also be used to point your truck to a different factory (web server). Variations of such an attack could cause a user trying to visit “google.com” to end up at a totally different server.

Let me repeat: neither DoS nor DNS poisoning attacks involve actual hacking (i.e. the factory in the analogy above was never compromised). There is no need to infiltrate any government or SPH servers to execute these attacks. DoS attacks require massive resources and coordination but little skill to execute. A DNS poisoning attack requires few resources and little coordination but a higher level of skill.
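As an added example of the kind of check that makes the DNS poisoning described above hard to pull off (my own code, not from the original post or from any real resolver), the resolver-side validation below accepts a UDP reply only if it comes from the server that was queried, arrives on the randomised source port the query left on, carries the matching transaction ID, answers the exact question asked, and contains no records for names outside the zone that server was asked about. The dataclasses, domain names and addresses are constructed for illustration; a real resolver parses these fields out of the wire format.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PendingQuery:
    """What the resolver remembers about a question it has sent out."""
    txid: int          # 16-bit transaction ID the resolver chose
    src_port: int      # randomised UDP source port the query left on
    server_ip: str     # upstream server that was asked
    qname: str
    qtype: str


@dataclass
class DnsResponse:
    """Fields a resolver would parse out of a reply that arrived on the wire."""
    txid: int
    from_ip: str
    to_port: int       # destination port the reply was addressed to
    qname: str
    qtype: str
    answers: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies underneath it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query: PendingQuery, resp: DnsResponse, zone: str):
    """Return (accepted, reason). A reply is only cached if it comes from the
    server we asked, on the port we used, with our transaction ID, answering
    exactly our question, and carrying no records for names outside `zone`
    (the zone that server is responsible for)."""
    if resp.from_ip != query.server_ip:
        return False, "reply from unexpected server"
    if resp.to_port != query.src_port:
        return False, "reply to wrong port"
    if resp.txid != query.txid:
        return False, "transaction id mismatch"
    if (resp.qname.lower(), resp.qtype) != (query.qname.lower(), query.qtype):
        return False, "question section mismatch"
    for name, _rtype, _rdata in resp.answers:
        if not in_bailiwick(name, zone):
            return False, f"out-of-bailiwick record for {name}"
    return True, "accepted"


# Constructed scenario using documentation addresses (TEST-NET ranges).
QUERY = PendingQuery(txid=0x1A2B, src_port=41873, server_ip="192.0.2.53",
                     qname="www.example.com", qtype="A")

GENUINE = DnsResponse(txid=0x1A2B, from_ip="192.0.2.53", to_port=41873,
                      qname="www.example.com", qtype="A",
                      answers=[("www.example.com", "A", "192.0.2.10")])

# Unsolicited reply whose ID does not match ours: rejected outright.
WRONG_ID = DnsResponse(txid=0x0001, from_ip="192.0.2.53", to_port=41873,
                       qname="www.example.com", qtype="A",
                       answers=[("www.example.com", "A", "198.51.100.99")])

# Reply that gets ID and port right but also carries a record for a name in a
# different zone; the bailiwick rule keeps that record out of the cache.
OUT_OF_ZONE = DnsResponse(txid=0x1A2B, from_ip="192.0.2.53", to_port=41873,
                          qname="www.example.com", qtype="A",
                          answers=[("www.example.com", "A", "192.0.2.10"),
                                   ("login.bank.example", "A", "198.51.100.99")])


def run_scenario():
    """Validate each constructed reply against the pending query."""
    return {label: validate_response(QUERY, resp, "example.com")
            for label, resp in [("genuine", GENUINE), ("wrong_id", WRONG_ID),
                                ("out_of_zone", OUT_OF_ZONE)]}


if __name__ == "__main__":
    for label, (ok, reason) in run_scenario().items():
        print(f"{label:12s} accepted={ok} reason={reason}")
```

The order of the checks matters little; what matters is that the transaction ID and the randomised source port together give an attacker who cannot see the query traffic far more than 65,536 combinations to guess, and that the bailiwick rule stops a reply about one zone from rewriting the cache entry for another. Signed zones (DNSSEC) add a cryptographic check on top of these that the example does not model.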

2.3 What does this say about Messiah?

In summary, Messiah was only able to breach certain web systems; he was not reported to have breached any internal systems. In cases where web systems were breached, Messiah was only able to do so via the CMS. He was never able to hack into the actual web server. For websites that do not use a weak CMS, he simply did a service availability attack. This doesn’t sound like someone who is an extremely skilled hacker, as proclaimed in the video.

Moreover, the skill-set required for the attacks we have seen so far is very different from that of those crazy hardcore attacks we have seen Anonymous carry out in news reports. I am speculating that Messiah may not even be from Anonymous.

3. What’s next?

I think Messiah will continue looking for easy exploits among high profile websites, and when he or they can’t hack, they will simply do a DoS or DNS poisoning attack to make a statement.

I trust the security capabilities of our government sites, and I still believe that unless different hackers join in today, our data on government servers and infrastructure will remain safe.

As an average Joe, I don’t think there’s much to fear from these attacks because:
1) As concluded above, Messiah doesn’t seem competent enough to actually compromise important servers.
2) Once again, “web systems” and “internal systems” are different. Hacking into the LTA website does not equate to hacking into LTA. Your traffic lights will still work. They are different things.
3) Even assuming he or they have the ability, there is no reason for Messiah to try to gain unauthorized data, or to abuse or leak it. The YouTube video called for support from Singaporeans. There would be more haters than supporters if such things happened.
4) The attacks so far are more in line with trying to “make a statement” than with retrieving or leaking any sensitive data. This trend may continue.

I hope this post helps provide some insight into the confusing world of cyber security, and perhaps helps allay fear and reduce confusion after all the blind-leading-the-blind articles that have been popping up lately.

That said, organizations and individuals should remember to always exercise prudence and preemptive diligence when it comes to security. Cyber attacks are very real and may strike you when you least expect it.

Taxi Drivers and the meaning of life.

I think if we are seeking the meaning of life, the best people to ask are taxi drivers. They are able to draw from the wisdom of their own lives as well as the combined wisdom and experiences of all their passengers.

Today, the first driver I encountered had managed to put 3 daughters through uni and had a young son who had a shotgun marriage at 21. He talked about the path to adulthood for each of his children and about how they eventually found meaning in life. He now lives in the same flat as his second daughter, and treasures every dinner they have as a family. While driving, his wife called and they arranged where to meet for lunch. He said money couldn’t buy this warmth, this happiness. Money diverts your attention from that. We carried on chatting in his cab even after he stopped his meter and I paid him. When I alighted, we shook hands.

The second driver lives in a humble 3-room flat in Jurong West. He taught me about contentment. He gave me general advice on how some of his relatives built their careers. He also taught me that nothing makes him happier than returning home and being with his family.

Together they guided me with what I had been struggling with. As I turn 25 today and am about to graduate in 3 months, I couldn’t figure out what my pursuit should be. What kind of life should I lead?
Should I try to increase my personal wealth? Should I carefully plan my career progression across different industries? Should I risk it all and carry on with my startup and impose a financial strain on everyone around me? Should I just find work that pays decently, be contented with what I have, get married quickly and start a family?

I’ve always thought that we should do the best we can. Achieve. Accomplish something. Make an impact on this world. Revolutionize the world even. But recently, I’ve been pondering: Would it really make me happy? Would I be happy putting in that amount of hard work for the sake of some accomplishment later? If I try to achieve, when would enough ever be enough?

The thing with most people with wealth is that there’s never enough. Should I allow myself to degrade into such a person? Yes, with more money I can buy better things. But think about it: how much additional utility would I really derive if I buy a Prada wallet over a Braun Buffel one? I think that the opportunity cost of trying to earn enough to afford a luxurious lifestyle is too high. I think that I would be happier working with less stress and spending time outside work with my loved ones, or doing things I love, such as listening to music, playing R/C, etc.

I want to break free of this endless pursuit. I think I have got the foundation of my academic accreditation dialed in right. I’ve opened up endless possibilities for myself for what remains of my brief time on Earth. Should I continue to defer my happiness by trying to constantly achieve more and more, or should I just live in the moment, live happily, live contented, and exit the world knowing that I’ve smiled for a huge duration of time?

To my peers, please know that I think slavery still exists in society. If money dictates your career choice, if it dictates what you are going to do from when you are 26 to 60, then you are a slave, and money is your master. This is the prime of your life. Don’t waste it working for money.

Without knowing it, I’ve spent 25 years of my life trying to achieve. From a young child with learning disabilities to a university graduate with all kinds of career doors open.

Now, to not have stress in my mind. To enjoy every moment in my life. To enjoy what companionship with my parents and sibling and future wife has to offer.

That’s the best life.

Where are we heading?

Where are we heading?

Seriously. Where are we heading?

It wasn’t too long ago that I remembered the reason why I told myself to work hard. In studies. In what I believed in.

It wasn’t too long ago that, if you were a fresh graduate, you would probably live a good life. You would be able to afford a cheap car. You would be able to afford a 5-room HDB flat or even a condo without taking out loans that span double-digit years.

My dad was the sole breadwinner. We could afford a modest 3-room flat and later on moved to a 4-room flat. Eventually he was able to afford a car. One that has a red colored license plate and is small and cute. A Hyundai Getz.

I really appreciate what my parents have done for me. They were not “educated”. Only my dad ever made it to secondary 4 and that was that. But they brought me up. They brought me here.

I want to repay them.

So. Aim to be a graduate. Afford a car. Sponsor parents for trips. Give them a good life. That was my dream.

That was 15 years ago.

I worked my way up. I wasn’t a bright student. I was a very slow learner who couldn’t even pick up all 26 letters of the alphabet until Primary 1. Now I am in university. I am pursuing a degree. I am graduating in less than 3 months.

Just now I met up with some of my peers for a gathering. We did some calculation.

In the 1970s, a graduate who was the sole breadwinner in the family was earning a starting pay of around S$1,000 monthly and three-, four- and five-room flats in Marine Parade, for example, were going for S$17,000, S$20,000 and S$35,000 respectively. (http://www.propertyguru.com.sg/blog/tag/prices-still-too-high-even-with-50-year-loan)

In the 1980s, it was $80,000. In the 1990s, it was $170,000. Then, it was $230,000 in 2007. (http://en.wikipedia.org/wiki/Public_housing_in_Singapore#Pricing)

In 2008, a 4-room flat was sold for a record $495,000. (http://www.asiaone.com/Business/My%2BMoney/Property/Story/A1Story20081214-107602.html)

In 2009, the record was $653,000. (http://www.stproperty.sg/articles-property/singapore-property-news/record-653000-for-4-room-flat/a/5161)

What is the average graduate salary in 2011? $2678. (http://www.channelnewsasia.com/stories/singaporelocalnews/view/1216596/1/.html)

Look at where we are.

A premium 4-room HDB flat was equal to 20 months’ pay for a graduate in the 1970s. Now a graduate would have to work for 244 months to be able to pay for a 4-room flat in a premium location in Singapore. Without spending a single cent on anything else.

There are a number of reasons why this happened. I didn’t write this to point fingers. So many things have gone wrong. But let’s look at the most real problem we are facing now.

When I have my children, I will have to tell them. I will have to tell them the exact SAME things my parents who only had secondary education said to me, many years ago.

“Look at us. We can survive, but barely. I hope you can work hard. Be somebody. Then you will have a good life in future, for yourself and for your children.”

And then they will have to say the same thing to their children.

Where are we heading?

My life in SMU so far…

My last ever semester as a student starts in a few days. Looking back, I think I have made full use of the opportunities provided to me as a student. I’ve done community service projects, organized my own events, served as a teaching assistant for multiple modules, done an internship, gone on an overseas exchange, served in student bodies, and even started my own company! While being involved with all this exciting stuff, I’ve also tried to put some effort into studies as and when I can. I’ve received so much help from valuable project teammates during my 3.5 years (so far) in Singapore Management University, and many of them became some of my most awesome friends. Teammates, you have my heartfelt thanks for helping me survive SMU so far.

My two remaining goals now as a student are clear.

The first would probably not be too useful for my future, but I was thinking, since I am already so close… why not? I shall try my best to graduate Summa Cum Laude, the highest level of academic distinction available. In this day and age where post-graduate academic qualifications are flooding the market, at least academic distinction follows the curve and would allow me to discover where I really stand and give me the confidence I really need to face the working world. I really hope I do get it.

To many, my second goal is a direct contravention of the first. I want my first startup, Oompr! Pte Ltd, to have a successful exit within 2 years. Trying to achieve this while still aiming for Summa Cum Laude is foolish, I know. Not many, if any, have done this before. The odds are not in my favor. But I shall go for it.

Carpe Diem.

#MOMChats Townhall Session

Passion is all you need.

Having attended the #MOMchats Townhall Session held on 11th October 2012 at Singapore Management University, one of the key topics that I found most memorable was the discussion on passion. In particular, the question posed by the audience was, “Can we survive on passion today?”

“Can we survive on passion today?” Minister Tan was filled with conviction as he took on this question. He described his personal experience of how his passion had led him to where he is today. His passion for public service was deepened when he served National Service (NS), which was why he enjoyed his stint there tremendously. This propelled him into the public service sector and eventually to becoming the current Acting Minister. Still, for most people, it is about finding the right balance between passion and survivability. Minister Tan gave the advice that, ultimately, we will have to decide what is most important to us at different stages of our lives. There are times when we have responsibilities we can’t fulfill should we just follow our passion. What really matters would be to find meaning in what we do.

I do not share Minister Tan’s passion for NS to such a large extent, and this placed me in a slightly unique position of not being able to pursue my passion during the two years while I was in the army. However, I agree with Minister Tan that it was simply a matter of knowing what is most important at different stages of our lives. While I may not have been able to pursue my passion during the two years in the army, what was most important to me during that time was character moulding, and the two years in the army certainly helped me become a more mature and resilient individual.

In order to answer the question of whether we can survive on passion today, I think we have to first define what “survive” really means. Is “survival” defined as a) earning barely enough to put food on the table but living each day with meaning, or b) commanding high pay so that one could live comfortably? I am inclined to go with the first definition.

I feel that as long as I am able to put food on the table, I am surviving. The beauty of thinking this way is that I don’t have to spend all my time thinking about what I should do to make more money. I would then be free to pursue my passion even if it could just barely put food on my table.

By pursuing my passion, every day will be meaningful, exciting and full of happiness.

At the end of life’s journey, I know for sure I will be smiling.

Protected: Willy Wonkas

More points of suspicion regarding Alvin’s appeal into NUS

While Alvin finally bothered to rectify some of the misleading facts regarding his admission into NUS on his appeal site, many netizens began to raise suspicion over the “Hungry Hippo” final year project created by Alvin.

Firstly, he claimed that Microsoft Surface was “poorly documented” at that time. This might not be true, as Microsoft seldom releases a “poorly documented” SDK to developers.

Next, let’s look at a video of one of the first games that some Microsoft engineers threw together as part of a demonstration of the technology.

Finally, we look at the design of Alvin’s page, and the uncanny resemblance it has with this page, an appeal website by a 19-year-old in Slovakia.

Untruths Behind Alvin’s Appeal Revealed

In my earlier article, I raised questions regarding a site created by one particular Alvin regarding his appeal to get into NUS. Looks like my suspicion is confirmed.

Although Alvin’s site is all about “helping Alvin get into NUS”, Alvin was ALREADY given a place in NUS even before he started the appeal site. This was reported in a Today article.

Mr Wang, who was… offered a course in Information Systems at NUS, is hoping to use this website as part of his official appeal… to pursue a degree in Computer Science

In other words, this is NOT about Alvin not being able to get into university, or NUS being lousy in its admission process. This is about a guy not being happy with the course he has gotten, and trying to garner the support of so many people deceptively.

Information Systems and Computer Science in NUS share many of the same modules, and they even have the exact same programmes during freshman year.

Yet, Alvin seems adamant about the whole thing, saying that he does not intend to enrol in university should he fail in this appeal and that, “To me, it is not so much about… getting that paper qualification.” Huh? Then what is this about?

Are you one of those misled by his half-truths? Perhaps he is better suited to working in an advertising agency.

Finally, let’s take a look at the weird resemblance to a campaign by a 19-year-old designer from Slovakia.

Help Alvin become a chipmunk

Recently a dude who goes by the name of Alvin created his own site to tell the whole world that he wanted to get into NUS, but couldn’t. Many people supported this by spending 2 seconds of their time to click a “like” button. I thought otherwise.

Before we get overly emotional and applaud him for his perceived courage and stuff, let’s think about this rationally and logically and decide whether this is indeed a cause for support.

  • He graduated 2 years ago, he had 3 years to apply for NUS computer science and also to explore alternatives. Did he do that?
  • Since he claims to be so passionate about IT, why did NUS reject him? Did he provide the reason? Did he ask NUS what the reason was? Did any of you who give away your “likes” freely think about what the reasons might be?
  • NUS is not the only school that offers a degree in computing or computer science in Singapore. So why NUS and NUS only?
  • Does he view NUS as the only way to pursue his interest? Is his passion really in IT? Or is he really just passionate about going into NUS? In other words, is NUS a means to pursue his passion, or does he view it as an end?
  • If he loves NUS so much, has he given some thought to the position he’d place NUS in? If NUS relented and granted him a place, would this open the floodgates for others doing the same? If NUS did not grant him a place, what could the possible media backlash on NUS be?
  • If he loves NUS so much, why is he placing NUS in an impossible situation?
  • Does he think that the university admission process is there just for fun?
  • After coding in multiple languages from 13 years old, his Final Year Project was a hippo game on a touch screen device?
  • After so many years in IT, he didn’t know that white text on a yellow background is one of the more risky colour combinations in UX/UI design?
  • If he were to apply for a job, and his employer rejected him, would he create a website?
  • Don’t get me wrong, I am not against this if it can be proven that his passion in IT is genuine. Right now there are more questions than answers, and I am withholding my support for this until when support is deserved.

I am hungry for your answers.

You make me smell.

The problem with being me, is that I’m mildly dyslexic.

And when my girlfriend dropped me a sweet SMS, I replied:

Dear, your msg makes me smell.

The 3 types of Muggers

I am not a mugger in every sense of the word, but I have lived among them for nearly 10 years. After observing muggers for 4 years in The Chinese High School (now known as Hwa Chong Institution), 2 years in Anderson Junior College (the No.1 mugger JC with NO results to show for it) and 3 years in Singapore Management University, I realized there are actually only 3 distinct types of muggers. Let’s see.

The Serious Muggers
The Serious Muggers are the rarest breed that you can find. They can be found in huge abundance in The Chinese High School but I don’t really see them in Anderson Junior College. A small number of them can be found in Singapore Management University, but they are the exception rather than the norm. Serious Muggers are muggers who mean business. These people spend the bulk of their lives studying. They look exactly the same and have the exact same posture whether it is 7am in the morning or 11pm at night, and you would have sworn they were mannequins if not for the occasional rise and fall of their chests when they decide to input something other than knowledge into their bodies and output something other than grades.

The Closet Muggers
No, they don’t literally hide in closets, even though if they could find a closet large enough with sufficient lighting, they probably would. These muggers are seriously in need of psychological evaluation, as they often have issues coming to terms with their own identity. Their favourite phrase to their peers is “Why mug? Don’t need mug lar…” Some may say that this is a smart application of game theory, but we may never know the truth. Some Closet Muggers are also Serious Muggers, and Serious Closet Muggers are the scariest muggers in existence because they give a whole new meaning to the words “zombie”, “no life”, and “bell curve”.

The Social Muggers
Social Muggers love to mug in plain sight of their peers and, in fact, prefer to mug with their peers, who are also Social Muggers. They are characterised by their loud chatter and abundance of food and beverages during mugging sessions, and can be randomly encountered in places with lots of good books or cheap food, such as libraries and McDonald’s. Sadly, like any other pests, they multiply and displace the natives in any environment they go to. Avid library-goers stop going to libraries because of the huge noise pollution that Social Muggers produce, and McDonald’s customers have to take out as there are no more seats in the restaurant. One may argue that Social Muggers aren’t really muggers at all – they spend more time eating and talking than studying. Social Muggers can never be confused with Closet Muggers, since the lack of good books and cheap food in closets makes closets unlikely habitats for Social Muggers.

So this is it, these are my 3 classifications of muggers. Can you think of any more?

O, Rose Tea

O, my sweet sweet rose tea.
Thy fragrance engulf thee,
and makes me want to pee.
