
Hackers uncover 35 bugs on Mindef’s public-facing systems

SINGAPORE — Hackers engaged by the Defence Ministry (Mindef) have uncovered 35 vulnerabilities on its public-facing systems, most of which were “low” to “medium” in severity.

Photo of the day: A media briefing was held on Wednesday (Feb 21) about the results of MINDEF Bug Bounty Programme. (From left to right) Mindef’s defence cyber chief David Koh and MINDEF’s Director (Operations) of Defence Cyber Organisation Lim Han Kiong. Photo: Nuria Ling/TODAY

No critical vulnerabilities were exposed, Mindef said on Wednesday (Feb 21), in an update on the results of the three-week programme which ended on Feb 4.

Nearly 100 vulnerability reports were submitted, but only 35 bugs uncovered by 17 hackers were deemed valid.

Two were of high severity, 10 were declared medium on the scale, and 23 were rated to be of low severity. The ministry responded to the reports quickly — within five hours on average — and all vulnerabilities have been mitigated.

The two high-severity bugs were discovered on the National Service (NS) Portal. If the bugs had not been remedied, there was the risk of malicious hackers exploiting the loophole to make the site appear defaced to certain users, Mindef’s defence cyber chief David Koh said at a press briefing. Hackers with ill intent could also have exploited data on the site, gaining access to the names of servicemen.

Both bugs were resolved on the same day they were reported.

“Bounties” or rewards totalling US$14,750 (about S$19,500) were paid to the hackers who brought the vulnerabilities to light. The bounties ranged between US$250 and US$2,000. The rewards are recommended by the United States-based global bug-bounty company HackerOne, which was engaged by Mindef to run the programme, based on the number of systems involved.

The bug-bounty initiative was previously estimated to cost the ministry around S$100,000. 

Asked about the disparity between the estimate and the amount paid, Mr Koh said that the estimate was based on past payment trends by companies. “We were conservative… and catered a larger amount. We are pleasantly surprised that we have only had to pay (about) S$20,000 in bounties.”

On the number of vulnerabilities uncovered, Mr Koh said that it was in a “comfortable” zone, with a sufficient number to suggest the tests were robust. 

“If it was too small… the success of the programme would be called into question because one could argue that not enough people took part, they weren’t good enough and your systems weren’t really tested robustly,” he said. “If the number was too big, then I think it calls into question our professionalism to begin with.”

The bugs were uncovered despite Mindef’s “best efforts” to put systems in place correctly and test them before they were operated, Mr Koh said. “To our knowledge, there’s no other existing process, including paying a company to test our systems, which would have allowed us to discover this number of previously unknown vulnerabilities so quickly, so effectively and at this cost,” he added. 

Still, it does not mean that Mindef’s systems are now completely secure, he said. “I don’t expect it to be 100 per cent; it’s not humanly possible… From (the end of the programme) till today, something new may have come up.”

Mr Koh, who is also chief executive of the Cyber Security Agency (CSA) of Singapore, said that Mindef is studying the outcomes of the programme before it decides its next steps. He declined to comment on how much time this evaluation would take, but said that Mindef was “leaning towards repeating the process”.

Taking part in the programme were 264 Singapore and foreign “white-hat” hackers — computer-security specialists whose role is to break into protected systems to test their security, before hackers with malicious intent strike.

About six in 10, or 164, hackers were from countries such as Canada, Pakistan, Russia and the United States. The rest were based in Singapore.

In December last year, Mindef announced that it was inviting hackers to test its public-facing systems to expose vulnerabilities — a first for a government agency here.

Eight of Mindef’s Internet-facing systems were part of the exercise, including the websites of the ministry and the Defence Science and Technology Agency, as well as the NS Portal.

The ministry engaged the US-based international bug-bounty company HackerOne to run the programme from Jan 15 to Feb 4.

HackerOne’s co-founder and chief technology officer Alex Rice said that Mindef was the first government agency in Asia, and among the first few in the world, to embrace this “forward-thinking approach to security”.

“The global representation of hackers in the Mindef Bug Bounty Challenge shows the overwhelming appetite from the hacker community to help governments operate more securely,” Mr Rice said in a statement.

Cyber attacks have come under the spotlight in Singapore in recent years, with sectors from defence to education being hit.

Mr Koh said that Mindef is a “very attractive, almost iconic target” for cyber attacks, and the nature of the threat constantly evolves. It has to be “equally innovative”, he said.

A bug-bounty programme allows the ministry to tap a wider pool of professionals than a commercial programme, at a fraction of the cost. A commercial cyber-security vulnerability-assessment programme can cost up to S$1 million, Mr Koh said previously.

Last February, Mindef suffered its first cyber-security breach, in which the personal details of 850 national servicemen and staff members were stolen.

The CSA said in December it was in talks with some of the 11 critical information infrastructure (CII) sectors, which have expressed interest in exploring a similar programme for their public-facing systems. CII sectors include infocomm, land transport and water.

On this matter, Mr Koh said on Wednesday that Mindef is in the process of sharing the lessons learnt from its bug-bounty programme — including the resources required — with other government agencies, which continue to engage the various CII sectors. There are no firm plans to roll it out to the sectors yet, and Mindef has so far shared its experience with the CSA and the Government Technology Agency of Singapore, he added.
