Serious SingHealth Data Breach National Hero! Deserve Order of Temasek Medal?

JohnTan

Alfrescian (InfP)
Generous Asset
SINGAPORE – He noticed unusual database activity on July 4 that did not make sense to him.

Instead of letting it go after the query stopped running, an assistant lead analyst at the Integrated Health Information Systems (IHiS) – the Ministry of Health's IT arm – decided to probe further.


Mr Chai Sze Chun was the first IHiS staff member who tried to ascertain if there was malicious intent behind the query, or request for information.

His sleuthing helped the authorities in uncovering the massive data breach at public healthcare cluster SingHealth, as more details emerged from the second day of public hearings by the Committee of Inquiry (COI) looking into Singapore's worst cyber attack to date.


And in the aftermath, Mr Chai produced a log of queries, one of which showed the hacker making a direct query for data using the identity card number of Prime Minister Lee Hsien Loong. The hacker made a direct query on two others, but they were not Very Important Persons, Mr Chai said in his evidence to the COI.

Other queries related to demographic data of patients and the medication that was dispensed.

Between June 27 and July 4, sophisticated hackers stole the personal data of 1.5 million SingHealth patients and the outpatient medication data of 160,000 of them, including PM Lee.

Mr Chai's job was mainly to support end-users who had trouble accessing the system either directly or via bridging systems like Citrix servers.

"Mr Chai was an IHiS officer whose actual job was not cybersecurity management but ensuring operational efficiency. Nevertheless, when faced with unusual circumstances, he was alert and he showed initiative when investigating into the security incident," said Solicitor-General Kwek Mean Luck, who is leading evidence in the inquiry.

Around lunchtime on July 4, Mr Chai received text alerts and went on to check if there were persistent performance issues with the Sunrise Clinical Manager database server.

He noticed a query that had been running for a while. When he saw later that it was no longer running, he investigated and tried to find the user-ID of the person logging in to the Citrix server from a workstation.

Efforts to trace the user were futile, and he asked a colleague for the logs of users who had logged in to the Citrix server. He found no record of the particular workstation having logged in that day.

Four possible reasons occurred to Mr Chai, two of which meant an account had been potentially misused.

He informed other colleagues including Ms Katherine Tan, the Sunrise Clinical Manager database administrator, via emails and continued seeking answers on the unusual query.

Ms Tan informed him of similar queries she had observed, and they were unsure who was running the queries and decided to terminate the processes to see if any user or colleague impacted would call them.

They did not receive any calls.

Ms Tan testified last Friday that she went home on July 4 and developed a script to stop more unusual activity, completing the task at about midnight.

Before he went home that day, Mr Chai tried contacting others to try to ascertain the exact location of a workstation in question, and also set up a WhatsApp chat group for "quicker communication with (his) colleagues on this matter".

The next day, he decided to determine the earliest date on which the queries had been run on the database, involving the combination of the particular account and programmes (which were redacted in documents made available to the media). He found the queries had begun on June 27 and "there had been many such queries" until July 4.

He informed his colleagues. Mr Chai said that after reporting his findings, he understood that the Security Management Department was investigating the incident.

About five days later on July 10, IHiS set up a "war room" to trawl the patient database, to look for all failed log-in attempts.

Mr Chai was one of three IHiS staff members who testified to the four-member COI on Monday. The others were his supervisor Steven Kuah, assistant director of the Production Enhancement Team, and Mr Chan Chee Choong, manager of the SingHealth Active Directories, who is in charge of password policy settings.

Like other IHiS employees who testified last Friday, Mr Kuah and Mr Chai said they were not aware of the formal security incident reporting framework at the organisation.

Both said they do not remember receiving training on this framework.

Before July 4, Mr Chai said he was not aware of any specific requirements as to whom and how to report an IT security incident, or that specific timelines existed for the reporting of such incidents.

The public hearings are set to continue on Tuesday and Wednesday (Sept 25 and 26).

https://www.todayonline.com/singapo...ff-helped-authorities-hackers-used-pm-lees-ic
 

JohnTan

Alfrescian (InfP)
Generous Asset
SINGAPORE: A server that was exploited in the SingHealth cyberattack had not been updated since May 2017, it emerged on Thursday (Sep 27), the fifth day of public hearings held by the Committee of Inquiry looking into the attack.

Mr Tan Aik Chin, a senior manager for cancer service registry and development with the National Cancer Centre (NCC), took the witness stand on Thursday. NCC is part of the SingHealth cluster.

In his statement, he said that as the server was not connected to the Internet, it was not possible to perform automatic Windows updates. Instead, he would have to perform the update manually.

He only discovered in July this year that the server had been infected with a virus when he received an email from a colleague. He added upon questioning that he did not know what the virus was, or the extent of it.

The cyberattack, which was Singapore’s most serious breach of public data to date, saw a total of 1.5 million patient records accessed and the outpatient dispensed medicine records of 160,000 individuals taken. Database administrators from the Integrated Health Information Systems (IHiS) - the central IT agency for the healthcare sector - discovered the breach on Jul 4 and acted immediately to stop it.

In his statement, Mr Tan revealed that as he had inherited the server from someone else, he did not check if it had antivirus software installed, but assumed it was the case. When questioned by COI chairman Richard Magnus, he clarified that the server did in fact have an older version of an antivirus software installed.


NO OFFICIAL ASSIGNMENT OF SERVER

Mr Tan testified that his main role was to oversee a business continuation plan programme and his understanding of IT security was “very basic”. He added that he was not proficient in managing the security aspects of servers.

However, he was also required to manage a group of servers, and progressively took over more of them as his colleagues left NCC.

Mr Tan said that sometime after October 2014, two of his colleagues shared responsibility for the exploited server - Mr Sim Yong Siang from IHiS’ Site Apps Team (SAT) and Ms Koh Pin Hiang from NCC. However, Mr Tan had been given the password for the server’s local administrator account, in case his help was needed.

When Ms Koh left NCC in 2015 and Mr Sim died later that year, Mr Tan said it left him as the only one who held the password to the server’s local administrator account. Sometime in 2016, Mr Tan took over management of the server.

While Mr Tan said that users would look for him if they had problems involving the server, he stressed that the server was never officially assigned to him, either by NCC or IHiS.

Mr Tan added that an IHiS staff member, Mr Zheng Haoran, was named in a server maintenance list as the system administrator for the server. But Mr Tan said that Mr Zheng had never logged in.

WHOSE ROLE IS IT, ANYWAY?

The issue of who was responsible for the exploited server was further explored in the testimony of Ms Serena Yong, the director for infrastructure services at IHiS and the second witness for the day.

In her statement, some parts of which were redacted as they contained sensitive details, she said: “After July 10, when IHiS began to piece together the events that occurred in June and July 2018, I was informed that the (redacted) server did not have (redacted) anti-virus installed.

“To my knowledge, this was because the server was not in practice being managed by anyone in IHiS. It was managed by NCC by themselves. I was told that the server was managed by Tan Aik Chin, who is a SingHealth employee.”

When questioned by lawyer Stanley Lai, who represents SingHealth, Ms Yong conceded that IHiS had responsibility over the server as Mr Zheng, an IHiS staff, was listed as the assistant manager of the exploited server.

COI chairman Magnus also asked Ms Yong if she was aware of the reporting time for security incidents to be escalated, to which she replied in the affirmative.

“I’m asking you this because you’re the highest ranking witness that has appeared in the COI so far,” Mr Magnus said.

“There has been some evidence during the COI hearing that people who are involved in looking at the security incidents of this matter, people from Security Management Department, for example, will only escalate if there is verification of the security incident.”

In response, Ms Yong said that because many incidents happen day-to-day on the ground, there could be a possibility that the team needed to confirm the incident first before escalating it.

The hearings - some of which are held behind closed doors in the interest of national security - are expected to continue on Friday and next week.


Read more at https://www.channelnewsasia.com/new...attack-exploited-server-had-not-been-10764472
 

Tony Tan

Alfrescian
Loyal
NOTHING AT ALL.

DON'T BE MISLED BY NEWS SMOKE.

SingHELL use CRAPPY MICROSHIT server.

They are so crappy they are merely struggling to cope with uses. Everyday troubles. This sucker is to PESIFY users teach them not to OVERLOAD and CRASH the MicroSHIT.

Hackers caused it to NEARLY CRASH.

These suckers wonder who were the STUPID USERS not complying with their INSTRUCTIONS. They wanted to catch these STUPID USERS and LAUNCH COMPLAINTS.

Failed to catch any STUPID USER Except LHL!

Hacker used LHL ID to hack.
 

JohnTan

Alfrescian (InfP)
Generous Asset
If the fucking chink could communicate better in English instead of his usual gobbledy-gook accent, this hacking incident wouldn't have happened. Jail that Zhao gook!


An employee of SingHealth's IT vendor had found an alleged flaw in its electronic medical records (EMR) system in 2014 that could allow anyone access to the critical data stored within.

He then offered this information - which he claimed "could lead to a serious medical leak or even a national security threat" - to a rival software vendor, the Committee of Inquiry (COI) into Singapore's biggest data breach heard yesterday.

Mr Zhao Hainan, a former systems analyst at Integrated Health Information Systems (IHiS), wrote an e-mail on Sept 17, 2014, to flag an alleged "loophole" in the EMR system supplied by Allscripts Healthcare Solutions. He sent it to Allscripts' rival, Epic Systems.


This supposed coding flaw could allow hackers to "gain admin control of the whole database easily", he wrote. Even medical students, nurses and pharmacists could have such access, Mr Zhao alleged.

Yesterday, the COI scrutinised the actions Mr Zhao took, his dismissal on the same day that then IHiS chief executive officer Chong Yoke Sin found out about the e-mail, and why his superiors did not take action on the supposed "loophole" found.

IHiS is an agency formed in 2008 to manage the IT systems of all public healthcare institutions here.

Solicitor-General Kwek Mean Luck said on Friday last week that the failure to plug the alleged security hole could have contributed to June's cyber attack on SingHealth.

Hackers gained access to SingHealth's EMR system and transferred information from June 27 to July 4. The breach compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

But during yesterday's hearing, IHiS staff revealed they did not think much about the "loophole". Therefore, they did not investigate if it was indeed true. Instead, they focused on disciplining Mr Zhao.

Dr Chong, who left IHiS in 2016 and is now StarHub's chief of enterprise business group, said she had considered Mr Zhao's action to be "primarily a disciplinary issue, and not an IT security issue", and that she had an impression that his motive for disclosing the discovery to Epic was for personal gain.


She also did not know the details of the alleged loophole. Neither did she ask her staff for it to be verified. She also assumed that the problem would be rendered "irrelevant" as IHiS had just upgraded the EMR system architecture. She received the "loophole" e-mail from Allscripts, which had got it from Epic Systems, on Sept 18, 2014.

In the e-mail, Allscripts Asia Pacific chief executive David Chambers wrote that what Mr Zhao flagged was "very serious" and must be taken as "genuine", as the latter had worked for Allscripts in its development laboratory. On the same day, Dr Chong forwarded the e-mail to Mr Clarence Kua, who works for IHiS and is assigned to SingHealth as its deputy director (chief information officer's office).

Yesterday, COI chairman Richard Magnus and deputy senior state counsel Sarah Shi took turns to ask why Mr Kua did not take the initiative to check what the alleged security flaw was. Mr Kua repeatedly replied that he did only what he was asked to by Dr Chong. "My focus was to double-check the private e-mail address of Mr Zhao to verify that he was the person who had sent the e-mail to Epic," he said.

Mr Zhao's accounts with IHiS and SingHealth were terminated on Sept 18, 2014 - the day Dr Chong received the "loophole" e-mail. Mr Zhao was dismissed and escorted out of the office on the same day.

Yesterday, IHiS' lawyer, Senior Counsel Philip Jeyaretnam, said Mr Zhao - who testified during a private hearing on Thursday - had confessed he was "angry" with IHiS and Allscripts over not being allowed to do coding. He said that as a result, Mr Zhao would not have shared details of the flaw with IHiS to help the organisation.

Dr Chong supported the character assessment, saying Mr Zhao had "a history of poor work performance", citing information received at that time from human resources.

But Mr Zhao's supervisor, Ms Angela Chen, testified yesterday that he had a good relationship with his colleagues, and was a "very good worker" and "technically strong".

Dr Chong, who was involved in the formation of IHiS as its first chief executive officer, said she was involved in evaluating the EMR system from its supplier Allscripts. She did so along with cluster leaders as well as SingHealth's then deputy chief executive, Professor Ivy Ng, now its group chief executive.

Dr Chong said the EMR system - which was adopted around the time she became chief executive in April 2008 - was chosen because of its functionality, and the main focus at that time was not on its security.

She cited other factors like resilience, though she added that a balance needed to be struck between functionality and security. The inquiry continues on Monday.

https://www.straitstimes.com/singapore/it-vendor-employee-found-alleged-flaw-in-system-in-2014
 

halsey02

Alfrescian (Inf)
Asset
With all the ballyhooing!...WHO STOLE THE COOKIES FROM COOKIE JAR? Still, who were the hackers? How much did they demand for the return of LHL information..."peanut goh"...they don't want ha ha ha...& the rest of the data.

Was money paid to the hackers? Who wants to know...how good the 'sentries' were, how well trained they were, how technically competent they were...the servers got hacked..period. Data was stolen.. period.

Who stole the cookies from the cookie jars...only the stupidporeans bother to read this, orchestrated music from an 'orchestra' that is playing the tunes from 'composed' sheets...

Only the 70% hear a good tune....the rest, metronome is out of sync & are tone deaf...
 