An honorable member of the Coffee Shop Has Just Posted the Following:
The announcement that 1,200 SingPass were compromised and that quarter of them had their unauthorized password reset raised the question about cyber security. However, it seems from media reports that the blame is on end users. IDA should also take the responsiblity of the safety of our SingPass details.
A FireEye spokesperson suggested that the breach was probably from a malware in a user's device and that it allowed the perpetrator to access 1,200 SingPass. This raises a strong probability that the communication between device and database server may be not as strong as thought. Furthermore, it could highlight that the database server is not as strongly encrypted as a full section was accessed via a single malware.
Media reports noted that IDA was receiving complains over the weekend from SingPass users receiving unauthorized password reset letters and CrimsonLogic only raised the matter with IDA on Monday evening. This resulted in the "hastily" arranged press conference on Wednesday. Given that letters take a day to be delivered within Singapore, the unauthorized reset was probably done on Thursday and/or Friday. From this approximated timeline, it took a week from the unauthorized entry for IDA to hold a press conference.
If there were a spike in password reset, there should have been an alert to inform CrimsonLogic. It seems that either there is no such alerts or the level of requests to reset password on a daily basis is so hight, the spike turned into a false positive.
If the former is the reason, there should be concerns as spikes in unusual activities are not resulting in alerts to take prompt action. If it is the latter, IDA should reexamine how passwords are set.
The estimate period of time IDA took to alert the public is also of a concern. If this was a real hack and data compromise, lots of information would have fallen in the wrong hand.
The delay in implementing third factor authentication is also a concern. What made the situation worst was that reports highlight the delay as only one vendor bid for the tender. Surely, security of individual data should be critical to call for a new tender?
Hopefully, IDA can and will learn from this incident. While CrimsonLogic has assured that no data was compromised, there should be more security and encryption especially in how the data is communicated from end to end and how it is being stored.
http://socialpr.blogspot.sg/2014/06/...pass-safe.html
Click here to view the whole thread at www.sammyboy.com.
07-06-2014, 12:30 AM
IDA took one week to inform media of security breach
