Tag: Singapore | Page 2

VPN vulnerability linked to ransomware attack in Singapore

May 16, 2023/in Internet Security

A VPN vulnerability has been identified as the key behind a ransomware attack against the Law Society of Singapore.

The attack occurred on January 27, 2021 and endangered the personal data of over 16,000 members, using a bug in the VPN service to gain access credentials if left unpatched.

The investigation carried on by the Singapore’s Personal Data Protection Commission (PDPC) also found the Society guilty of using an easy-to-guess password as well as failing to conduct the periodic security reviews required by law. The organization has now 60 days to finalize an internal audit and fix any security gaps.

Breach of data protection obligations

Despite many members’ personal information including full names, residential addresses and date of birth were leaked, PDPC’s Deputy Commissioner Zee Kin Yeong concluded that: “There was no evidence of any exfiltration or misuse of the personal data of the members and the (Law Society) took prompt remedial actions in response to the incident,” Channel News Asia (opens in new tab) reported.

The company’s antivirus software detected the attack on the same day, in fact. It quickly removed the threat actor account used to inject the malware, while restoring the servers on previously data backups.

As the VPN provider Fortinet disclosed, developers informed their clients about the VPN’s vulnerability on May 24, 2019. However, there were no updates to fix the bug available before the incident took place.

For this reason, Mr Yeong absolved the Law Society from any responsibility on the matter.

Section 24 of Singapore Personal Data Protection Act covering organizations' obligation to protect personal data. — (Image credit: Singapore Statues Online)

The troubles for the organizations representing all Singapore’s lawyers aren’t end there, though.

The PDPC found, in fact, the Society to be in breach of Section 24 of the country’s Personal Data Protection Act for failing to fulfil some of its data protection obligations.

Specifically, it was guilty to use weak password— “Welcome2020lawsoc”— for the hacked account. Even worse, this was in use for more than 90 days when the law required this to be changed every three months as a minimum requirement. The Law Society was also found guilty of not carrying out a security review in the three years preceding the…

Source…

TikTok can be used on Singapore government-issued devices only on a ‘need-to’ basis

March 17, 2023/in Internet Security

SINGAPORE: TikTok is only allowed to be used by public officers on government-issued devices on a “need-to basis”, the Singapore government said on Thursday (Mar 16).

“Government-issued devices are meant for work and there are clear rules stipulating that only approved apps should be downloaded on such devices,” said a spokesperson for the Smart Nation and Digital Government Group (SNDGG).

“Currently, TikTok is only allowed for use by public officers on a need-to basis, such as for communications officers.”

The SNDGG, which comprises the Smart Nation and Digital Government Office and the Government Technology Agency, oversees the digital transformation of the government and the country’s key Smart Nation projects.

Government-issued devices have security configurations to safeguard data, while public officers are regularly reminded to only download approved apps, it added in a reply to CNA’s queries about the recent security and privacy concerns over TikTok.

Some Singapore politicians are using the app, including Deputy Prime Minister Lawrence Wong, Health Minister Ong Ye Kung and Speaker of Parliament Tan Chuan-Jin, who each have thousands of followers on the platform. CNA has contacted them about the security concerns regarding the platform.

SECURITY CONCERNS

The popular video app has come under increasing scrutiny, with the United States, Canada, Belgium and several EU bodies among those that have banned the app from government devices.

Britain announced on Thursday that it would ban TikTok on government phones with immediate effect.

TikTok is owned by Beijing-headquartered internet company ByteDance. The bans underscore mounting concerns that the app’s user data could end up in the hands of the Chinese government, undermining Western security interests.

The concerns raised are not new.

The app, with more than 1 billion users worldwide, was caught in the crosshairs in 2020 when then-US president Donald Trump dubbed it a national security threat and attempted to block new user downloads in the US. TikTok has denied that it is a threat to US national security.

Like many other social media apps, Tiktok collects significant amounts of user data, including…

Source…

Singapore Releases Blueprint to Combat Ransomware Attacks – Regulation Asia

December 17, 2022/in Internet Security

Singapore Releases Blueprint to Combat Ransomware Attacks Regulation Asia

Source…

Singapore extends cyber security labelling scheme to medical devices

October 20, 2022/in Computer Security

The Cyber Security Agency of Singapore (CSA) is extending the Cybersecurity Labelling Scheme (CLS) to medical devices used by hospitals in a bid to shore up the security of internet of things (IoT) devices used in healthcare settings.

Noting that devices are now increasingly connected to hospital and home networks, providing benefits such as real-time monitoring of health status, the CSA said the growing connectivity could increase security risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes.

Under the CLS for medical devices (CLS MD), which was developed together with the Ministry of Health, Health Sciences Authority (HSA) and Integrated Health Information Systems, medical devices are rated based on four levels of cyber security provisions.

Each level corresponds to the level of testing and assessment that the product has undergone. For a start, all HSA-registered medical devices in Singapore are deemed to be compliant with CLS (MD) Level 1, as the registration requirements by the HSA have already incorporated the baseline cyber security requirements defined in Level 1.

For the higher levels in the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation. More details on the industry consultation and CLS (MD) registration will be announced later.

Through the new scheme, CSA hopes to incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry. The scheme will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cyber security provisions.

The CLS was first launched in 2020 to provide different levels of cyber security ratings to help users make informed choices about the security features of the smart devices they purchase. As of October 2022, more than 200 products – ranging from routers to smart lighting to smart cameras – have been awarded the CLS label.

Separately, Singapore…

Source…

Tag Archive for: Singapore

SECURITY CONCERNS