Saturday, June 7, 2014

Cross-site scripting, hacking and unauthorised access to server: Not the same

I read the news about one man who was fined $8,000 for "hacking" into the Istana website.

The report read:
Delson Moo Hiang Kng, 43, pleaded guilty to a charge of unauthorised access to the server hosting the Istana website, after admitting to carrying out a cross-site scripting attack on the Google search function embedded in the site.
The report later referred to the incident as "hacking of the Istana website".

I am puzzled.

What I understand from the reports is that the man carried out a cross-site scripting attack against a Google search widget that was placed (embedded) on the Istana website.

As a result of this, the appearance of the Google widget changed, and displayed contents from another source, i.e. another website.

Ok. Unauthorised access. Hacking. These are very serious things, especially when they concern government services. The government has a responsibility to its people to ensure that the public services provided online are accurate and secure. And as members of the public using these services or accessing the contents, I believe we should stand with the government against activities that obstruct and disrupt processes that only the government can provide.

Back to the case. When I first saw the screengrab of the defacement, I initially thought that the man entered some HTML into the Google search bar, and it created an iframe that pointed to the contents of another website. More importantly, while as a layperson I did not understand what this IS, I probably knew what this ISN'T: it didn't look like hacking or server access to me. I am not siding with the man, because what he did was really inconsiderate. The issue I have is with how different computer activities get simplified and conflated.

Did the code of the Google widget change? I don't think so. Cross-site scripting that exploits a vulnerability in the widget as it stood at that point in time does not, I believe, alter the code of the Google widget that is already embedded on the website.
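To make the mechanism described in the two paragraphs above concrete, here is an added example (constructed for this page; it is not the code of the Istana site or of Google's widget, neither of which the post shows). It models a search page that reflects the visitor's query back into the response unescaped, beside a hardened version that entity-encodes it, and feeds both a made-up iframe payload. The template, the function names and the example.com URL are all assumptions.

```javascript
// Added illustration of reflected cross-site scripting in a search widget.
// Constructed stand-in for the page template the server holds on disk; it
// is not the Istana site's or Google's code.
const PAGE_TEMPLATE =
  '<html><body><h1>Search</h1><div id="results">%RESULTS%</div></body></html>';

// Map the five HTML-significant characters to entities.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the query taken from the request is pasted straight into the
// response, so any tags it contains become live markup in the visitor's browser.
function renderVulnerable(query) {
  return PAGE_TEMPLATE.replace('%RESULTS%', `You searched for: ${query}`);
}

// Hardened: the same query is entity-encoded, so the browser shows it as text.
function renderHardened(query) {
  return PAGE_TEMPLATE.replace('%RESULTS%', `You searched for: ${escapeHtml(query)}`);
}

// Crude check, used only to make the difference observable: does the
// response contain an iframe or script element?
function hasActiveMarkup(html) {
  return /<(iframe|script)\b/i.test(html);
}

// Constructed payload of the kind the post describes: an iframe pulling in a
// third-party page. example.com is a placeholder, not the site involved.
const PAYLOAD = '<iframe src="https://example.com/"></iframe>';

const vulnerable = renderVulnerable(PAYLOAD);
const hardened = renderHardened(PAYLOAD);
console.log('vulnerable response renders an iframe:', hasActiveMarkup(vulnerable)); // true
console.log('hardened response renders an iframe:  ', hasActiveMarkup(hardened));   // false
// In both cases the template held by the "server" is untouched: a reflected
// payload rides along in one request and response, it does not rewrite
// stored content.
console.log('server template unchanged:', !PAGE_TEMPLATE.includes('iframe'));     // true
```

Run it with node. The vulnerable renderer turns the payload into a live iframe in the visitor's browser, the hardened renderer displays the same characters inertly, and in neither case does the template the server holds change, which is the distinction the post draws between a reflected attack and modification of the site's code. One caveat worth adding: in a reflected attack the payload normally travels in the request URL, so the web server's access log would still record that request even though nothing on the server was modified.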

When cross-site scripting is carried out, the function of the search widget (i.e. allowing members of the public to perform searches) may be hindered by the third-party content that is displayed. This can be really inconvenient for anyone who intends to use the function available on that particular page.

Did the man use the third-party widget to access the Istana website? I seriously doubt it. The widget is just a snippet of code pasted into the HTML of that particular webpage. In my layperson understanding, anything that happens to it will have no critical impact on the other lines of code on the same webpage.

Did the code of the Istana website change? I don't think so. That would require access to the content management system serving the Istana website. Such access is only granted to those who (i) have administrator privileges, (ii) are accessing it from secure computers, and (iii) are accessing it through the secure network.

Did the man commit unauthorised access to the government server? The verdict and the report said yes. If unauthorised access was committed, it would have been a serious crime, because it can result in content being changed and members of the public being misled. If there was unauthorised access, there would have been a log of it. I am not sure if the log was presented as evidence, but then again the act of cross-site scripting has almost nothing to do with logging into a server.

Unauthorised access to the server and backend would also allow the man to reach sensitive databases, but in most cases public-facing corporate websites are not connected to sensitive databases (as opposed to secure intranet systems behind a login), unless the corporate website offers web services (e-services) that require members of the public to submit sensitive information.

The whole incident says nothing about cyber security, because I honestly feel there is no breach - just some superficial mish-mash of content from different sources that resulted in what appears to be defacement.

I liken this to vandalism of a letterbox at the HDB void deck. When paint is splashed on your letterbox, the realities are as follows:

1. Inconvenience: Your letterbox looks awful now.
2. Ownership: Wait, you don't own the letterbox. Sure, it is part of your "home", but you don't own it.
3. Security: The security of your HDB flat is not compromised, and no one has entered it.
4. Security / Modification: Because of the letterbox defacement, NO ONE got into your HDB flat, NO ONE went into your kitchen and NO ONE cooked you a pot of fish porridge.
5. Security / Modification: The contents and structure of your letterbox do not change, despite paint being splashed on it.
6. Inconvenience: The postman/postwoman will have difficulty finding your letterbox because of the defacement.

Were the man's reported actions even "hacking"? Hacking involves access and possibly modification as a result of access. I doubt there was material modification (modification of code) of the Google search widget. There was no material modification of the Istana website. The only "modification" was the inclusion of another third-party website's content in the (also third-party) Google search widget. This was and is a vulnerability that Google has to deal with. In short, it still didn't constitute a modification in the technical sense. This means it is quite difficult to use Part II, section 5 of the Computer Misuse and Cybersecurity Act to explain the man's actions.

Even if he really did access the server (which I doubt), I believe the man did not need to access the public server hosting the Istana website to carry out the cross-site scripting that he did, because whatever is done at the server level (which hosts and serves content to the Istana website) has no material impact on the Google widget.

The responsibility for choosing the third-party widgets used on any government website lies on the shoulders of the government, because the use of third-party widgets comes with the risk of vulnerabilities that might affect the appearance or function of the widget.

Based on the report, I fear this may set a precedent which very simplistically conflates the activity of cross-site scripting with activities such as hacking and unauthorised access. It is as puzzling as it is frightening. It empowers the government to overestimate and misdiagnose a wider range of computer activities as criminal.

If there was a mischievous intent to inconvenience members of the public using a government website and service, the man should be punished accordingly if found guilty. But somehow, he has been found guilty of engaging in what I feel to be a dubiously described process that does not accurately depict the real action (i.e. cross-site scripting).

Perhaps, since there is inconvenience in the form of obstruction, Part II, section 7 of the Computer Misuse and Cybersecurity Act could be extended to cover "computer-based services" and "infrastructure". This way, we might have a stronger case to bring against folks who exploit vulnerabilities in third-party widgets (not owned by the government) embedded on government websites with the intent to inconvenience members of the public who want to use the website and its services. I mean, it's already unlawful to obstruct a civil servant from performing his/her duties, and this can be extended to cover the digital domain.

The Act has to be updated to adequately cover the key processes and impact of unauthorised access, unauthorised modification (including the immateriality of ownership, and an expanded notion of modification: material, content, function, etc.), and obstruction of computer-based services.

Perhaps the better-informed persons in the Infocomm Development Authority and the Ministry of Communications and Information could explain, with regard to the case, the fundamental differences between (i) cross-site scripting (in Delson Moo's case), (ii) hacking and (iii) unauthorised access to the server. Some sense has to be made of it.

In govt speak, pls clarify, we need to sync up everyone. then get their buy-in. fyna pls. tks.
