Vigilantes testing security of i.T. systems

Call them cybersecurity vigilantes if you will, or “white hats” — as they are known in the hacking world.

Mr Wang Jing and Mr Zhao Hainan are part of a growing group of individuals who are taking it upon themselves to test the security of information systems in organisations and report security flaws.

Earlier this month, Mr Zhao, 26, a National University of Singapore computer science postgraduate student, managed to hack into M1’s pre-order site for the iPhone 6 and 6 Plus to access personal data, including phone and NRIC numbers, as well as home addresses of the telco’s customers. He then alerted the company.

M1, which temporarily suspended all pre-orders to carry out an investigation, said it appreciated the fact that Mr Zhao, who was not identified in previous media reports, had taken the time to inform the firm about the potential security flaw and would not be taking any action against him.

Speaking to TODAY, Mr Zhao, a Singapore permanent resident, said his interest in hacking began after he had taken a module on website security. He added that he makes sure he does not break any laws and would report any vulnerabilities he discovered to website owners.

“I want to make the Internet a safer place. So, over the years, I will try to hack (into) a website when I feel interested in (it) ... I also do it out of curiosity,” he said.

For Mr Wang, who is pursuing a PhD in mathematics at Nanyang Technological University’s School of Physical and Mathematical Sciences, testing websites for vulnerabilities is a hobby he started early this year.

After reading up on computer security, he tested some well-known social networking sites, as well as websites of banks here and other popular Singapore-based sites.

“I believe making the Web more secure is beneficial to users ... I am happy to do something that is useful,” said Mr Wang, who is in his 20s.

Apart from individuals, there are also groups of cybersecurity watchdogs, including the 400-member Singapore Security Meetup Group.

Led by Infotect Security managing director Wong Onn Chee, the informal group comprises cybersecurity experts. They do not do penetration testing of websites, as this could potentially run afoul of laws if it is unauthorised.

Mr Wong said the group members have informed organisations when they came across websites using technology or carrying out transactions that were highly suspected to be vulnerable.

Mr Anthony Lim, a member of the Application Security Advisory Board at ISC2, a not-for-profit association for information security professionals, cautioned against individuals performing “ethical hacking”.

“We don’t want anonymous ‘superhero-wannabe’ types ... running around loose in cyberspace trying to do good by quietly hacking into your system without your prior knowledge and approval ... even if they don’t cause any damage or steal any data,” he said. TAN WEIZHEN