Computer and Network Security, Malaysian Style

i-Hack '08 happened last weekend. I was scheduled to speak about the security scene in general, and on .gov.my in particular. However, work commitment took me to Dubai at the last minute. Talking about security.org.my, the highly controversial MoMGWB (which was pulled due to pressures from certain organization), and web vulnerability would have been interesting. Luckily, the nervous Mr. chf4gs_ agreed to replace me as a speaker. His talk was about the development of HeX.Now, I really regret being absent. From the look of it, this third installment of i-Hack was a great success.

Ayoi has detailed posts about the event here and here. geek00l has a lengthy post analyzing one of the i-Hack challenges. The challenge was to retrieve a password from a packet capture file. The password was then used to open a rar file.

Website: Orkestra RTM
URL: http://www.orkestrartm.org.my/

6 days after the advisories, a lot of Joomla! powered websites in Malaysia are still getting hacked, including .gov.my websites. *sigh*.

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

UPDATE: 12:15 am (Dubai time, GMT+4), 19th July. The website is back to normal, however the defaced page is at http://www.ezam.my/tmp/. Thanks little bird for the info.

The website of Ezam Mohd Noor, former Youth Chief of Parti Keadilan Rakyat (PKR) (he has since defected to UMNO) was defaced yesterday. I was informed about it at around 9 something in the evening (Dubai time). Here's the screenshot that I took:





Today the website was back to normal. However it was hacked again (5:30 pm Dubai time). Here's a screenshot that I took:





The portal is running Joomla!, of course.

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

Malaysiakini's Digital Library was defaced. Screenshots:









The site is running Joomla!

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

Malaysia's cyberspace has been a busy playground for defacers this weekend. Here's a list of the .edu.my and .org.my websites that were defaced, according to defacement mirror Zone-H.

• MTZVentures Sdn. Bhd.. Zone-H mirror
• On The Move Eyewear. Zone-H mirror
• IKE Service Malaysia Sdn. Bhd.. Zone-H mirror
• D'reka Group of Companies. Zone-H mirror
• ISKCON - Your Ultimate Spiritual Portal. Zone-H mirror
• Bumita Sdn. Bhd.. Zone-H mirror
• Carlton International Academy. Zone-H mirror
• Jabatan Pelajaran Pulau Pinang. Zone-H mirror

The websites were defaced between 14th - 17th August. Most of them were defaced on the 14th, after the announcement of the Joomla! password remind vulnerability. As of today, some of these websites are fixed, and some are "under maintenance".

Up until now, in the space of 4 days, a total of 21 Joomla! powered websites (.gov.my, .org.my and .com.my - there were no mirrors of .net.my and it's pretty difficult to mine other Malaysian websites that do not end with .my) were defaced. Of these, 8 are .gov.my domains.

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

The Subang Jaya Assembly of God website was hacked, and I believe it was due to the Joomla! password reset vulnerability as well. Source: Zone-H.

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

These are the latest Joomla!-powered .gov.my websites that were defaced on the weekend, according to web defacement archive Zone-H.

Persidangan Ketua Pegawai Maklumat (CIO) Sektor Awam. Zone-H Mirror

Sarawak Stadium Official Web Portal. Zone-H Mirror.

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

The UNDP websites got hacked as well, on August 13th according to Zone-H. Here's the two mirrors for both UN and UNDP.

Zone-H Mirror - www.un.org.my
Zone-H Mirror - www.undp.org.my

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.

Four dotgovdotmy websites were defaced on 14th August 2008, according to web defacement archive Zone-H. All of the websites run the popular open source CMS, Joomla!. Here are the defaced websites:

• Malaysian International IBS Exhibition. Zone-H mirror.
• Ministry of Foreign Affairs, Malaysia. The defaced website is the one regarding the dispute over Batu Puteh, Batu Tengah and Tubir Selatan between Malaysia and Singapore. Zone-H mirror
• Department of Forestry, Pahang. Zone-H mirror
• Asia Pacific Commission on Agricultural Statistics (APCAS). Zone-H mirror

MyCERT previously known as NISER apparently did not do a good job in issuing the advisory. If they did, how the hell did all the websites above got hacked? The simplest and most effective workaround prior to patching would be to enable htaccess on the web portal, and allowing access to administrator login page from trusted IP addresses. In fact, one of the best practice to secure administration website is only to allow access to it from trusted IP addresses. Apparently, this was not documented by MyCERT.

GCERT on the other hand provides a few solutions rather than just patching.

Nevertheless, the admins of the respective portals are to blame as well as they are slow to patch their systems. IMHO, all of this defacements could have been prevented if the government were to introduce something like G-Secure, a secure out-of-the-box LiveCD with secure web server and web application configurations.

How many exposed Joomla! administrator page are out there?

DISCLAIMER: All the information related to computer crimes (i.e. defacements) contained in security.org.my were either collected online from public sources or directly notified to us. Security.org.my is neither responsible for the reported computer crimes nor it is directly or indirectly involved in them.