Hackers testing Mindef's cyber defences find 35 bugs

The top hacker in the programme was a Singaporean cyber-security manager at Ernst & Young, who wanted to be known only as Darrel.

Two classified as 'high' severity uncovered in ministry's bug bounty programme, now fixed

Hackers invited to penetrate the Ministry of Defence's systems earlier this year found 35 valid bugs, including two classified as "high" severity, which have since been fixed.

Of the 264 participating hackers, the top hacker was a Singaporean cyber-security manager at Ernst & Young who took home about one-third of the total bounty paid out.

The total payout for the programme, which took place from Jan 15 to Feb 4 this year, was US$14,750 (S$19,480).

If exploited, the high-severity bugs, found on the NS Portal, could have resulted in certain users being greeted with a defaced webpage, or the names of servicemen might have been compromised.

Of the other valid bugs found, 10 were rated "medium" severity and 23 "low". None was classified as "critical".

All of them have been mitigated, though not all have been remedied. This means the flaws can no longer be exploited, but a proper fix will take a longer time as patches need to be developed and tested before they can be applied.

The results of the first Mindef Bug Bounty Programme were announced by the ministry's defence cyber chief David Koh yesterday.


On the number of bugs found, Mr Koh, who is also deputy secretary for special projects, said: "In my view, it is in the Goldilocks zone - not too big, not too small."

He added: "If it was too small, the success of the programme would be called into question, because one could argue that not enough people took part, they were not good enough, and the systems were not tested robustly.

"If the number was too big, it calls into question our professionalism to begin with."

The top hacker, a 30-year-old who wanted to be known only as Darrel, reported nine valid and unique vulnerabilities, receiving a total bounty of US$5,000.

He spent about two hours a day during the three weeks hunting for vulnerabilities and submitted a total of 16 reports.

Asked how secure Mindef's systems were, he said: "In general, they are quite secure.

"They could ward off amateur hackers who are just running scanners, automated scans or tools against the website. They have a pretty sensitive firewall that blocks off intrusive attempts aggressively."

Deputy chief executive (development) at the Cyber Security Agency of Singapore, Mr Teo Chin Hock, said in a statement there are many learning points from the ministry's programme, and that companies and organisations which are attractive targets for hackers should consider having a bug bounty programme.

United States-based bug bounty company HackerOne was engaged to manage the programme.

A total payout of US$14,750 was given to 17 hackers. Their rewards ranged from US$250 to US$2,000.

The first report was submitted 83 minutes after the programme's launch. The ministry responded in five hours on average to the hackers' reports.

Hackers based in Singapore totalled 100, while 164 were from HackerOne's network of about 175,000 international hackers, including 57 of the top 100 ranked hackers in HackerOne's network.

They tested eight of the ministry's Internet-facing systems, such as the Mindef website and LearNet 2 Portal, a learning resource portal for trainees.

The discovery of the bugs does not mean "we have 100 per cent security", said Mr Koh.

"Even if it was 100 per cent on the day the programme ended, something new may come up.

"It is just more secure than when we started."

A version of this article appeared in the print edition of The Straits Times on February 22, 2018, with the headline 'Hackers testing Mindef's cyber defences find 35 bugs'.