The day Malaysia painted a bull’s eye on itself

• Telco systems hacked just as major cyber-security event is about to kick off
• While this is happening, a minister issues what hackers would see as a challenge

THIS has certainly been a week for cyber-security awareness and #facepalm moments, with a telecommunications provider having been hacked just days before a major event on security was held in Kuala Lumpur, and a minister making a statement that essentially told hackers to bring it on.
 
On Nov 11, Malay-language technology blog Amanz.my reported that Celcom’s systems had been breached by a hacker group calling itself GaySec, which then posted details – parts of names, phone numbers and MyKad (the national identity card) numbers -- from some 3,000 customers from the company’s 2012 database.
 
Details are sketchy, although a source close to the company told Digital News Asia (DNA) that he believed core systems were unaffected, noting that what was posted by GaySec was “old data.”
 
Celcom finally released a statement on Nov 12, with its chief corporate and operations officer Suresh Sidhu saying, “Celcom takes our customers’ personal data very seriously and is conducting an investigation into the claim.
 
“We have thoroughly tested our systems for any possible compromises to historical data and as of now, have not found any breach. We are working closely with the relevant authorities and would like to assure our customers that we make every effort to protect their information in accordance with the law,” he added.
 
Malaysian Wireless, quoting an anonymous source in the Malaysian Communications and Multimedia Commission (MCMC), reported that the industry regulator was aware of the breach and was also investigating the claim.
 
Celcom is not GaySec’s first victims, with Amanz.my noting that over the last few years the group has claimed to have hacked into systems belonging to Telekom Malaysia and Maxis, as well as blogging advertising network Nuffnang.
 
On the same day Celcom issued its statement, the two-day Cyber Security Malaysia – Awards, Conference and Exhibition (CSM-ACE 2013) kicked off in Kuala Lumpur, where Malaysia’s Deputy Minister of Science, Technology and Innovation Dr Abu Bakar Mohamad Diah urged Malaysian companies to ensure their digital assets are protected and safeguarded against cyber-security risks such as data loss and cyber-criminal acts.
 
While acknowledging that “cyber-security is critical to Malaysia’s nation building and sovereignty,” he however did not seem to have urged public sector organisations to pay as much attention to the need for security and robust defences.
 
Actually, I am less concerned about the private sector, which is increasingly waking up to the fact that a soft security stance can affect business and the bottom-line, than the public sector, which seems to be taking a very lackadaisical view of the issue.
 
After all, the last two major ‘hacking incidents’ in the country led directly back to the Government: In the first, it was because the national domain registrar MYNIC Bhd had been breached; and the second was when one of its resellers had fallen victim to the same crime.
 
While both are private sector organisations, as I have noted before, MYNIC is an agency under the Ministry of Science, Technology and Innovation (MOSTI) and is regulated by the MCMC, also under the same ministry. Pussyfooting aside, these breaches were the Government’s responsibility.
 
It doesn’t help that government websites have been slipping in their ratings according to the Malaysia Government Portals and Websites Assessment (MGPWA) report.
 
I have already argued, to no avail, that it was high time that the Malaysian Government recognise that cyber-security is a national security issue, and that it was time for the various cyber-security-related government and quasi-government agencies to put their heads together and harden the nation’s cyber-defences.
 
Given that our southern neighbour Singapore has been subject to a spate of cyber-attacks, it behoves us to be extra vigilant and perhaps a bit more circumspect, so it was with a measure of alarm and bemusement that I read what Communications and Multimedia Minister Ahmad Shabery Cheek told Parliament.
 
According to a Bernama report published in independent news portal The Malaysian Insider, the minister said that Malaysia has the “expertise to protect cyberspace security to ensure the systems of the administration and other main institutions in the country are not intruded by foreign elements.”
 
In expressing his confidence in the MCMC and CyberSecurity Malaysia, he said that “under the present leadership of these agencies, we have been able to protect the security of cyberspace so far.”
 
I am not sure how seriously to take this report, since Bernama also reported that Ahmad Shabery had said he “was at the mainframe of MCMC,” where he witnessed intrusion attempts, and likened it to the “operations room of Star Wars,” the franchise noted for its cool, largely retro look to its technology, especially its computers.
 
The MCMC has a mainframe? Not according to our sources, so I wonder how much of what the minister actually said was lost in translation.
 
But surely the sense of it must have been there: The minister was confident of Malaysia’s expertise in fending off cyber-attacks and intrusions – despite the events of the last few years proving otherwise.
 
Still, I wish he had kept it to himself, because as anyone would tell you, the hacker community loves nothing more than a challenge. Boast that your systems are invulnerable, and you’re just encouraging them to bring you down a peg or two.
 
To the black (or even grey) hats out there, Malaysia has just painted a large bull’s eye on its ICT infrastructure.
 
Related Stories:
 
Week in Review: Trust, security and standards, or lack thereof
 
Cyber-war: Time for our agencies to step up
 
DNS hijacking: Government needs to step in
 
 
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.