The Singapore NRIC
In Singapore, the NRIC is an individual identifier. Similar to the Social Security number in America, the NRIC identifies each individual uniquely. The Singapore Government has an online password system called SingPass (http://www.ecitizen.gov.sg/singpass/index.htm) that is used in a variety of online services for citizens. Examples include Singapore’s CPF system, and the Accounting and Corporate Regulatory Authority, which governs business operations in Singapore. The NRIC is also a common token used by banks, telcos, and various other service providers to authenticate their users over the phone. In this article, Cerberus Network looks at the NRIC and some of the potential for mischief and fraud associated with this identifier.
NRIC stands for National Registration Identity Card. The NRIC number (UIN), or NRIC in short, consists of 9 characters: a first letter that is S, T, F or G, followed by 7 numeric digits, and a final letter that serves as a check digit. Ngiam Shih Tung (http://www.ngiam.net/NRIC/) has a very concise and detailed writeup on the Singapore NRIC checksum algorithm. He has also actively questioned the National Library Board of Singapore on their policy of allowing users to check borrowing records simply with a surname and an NRIC. Chue Wai Lian also wrote an NRIC checker for DOS/Win32 and Java (http://web.singnet.com.sg/~wailian/nric.htm).
As the NRIC uniquely identifies a person, can its exposure lead to identity theft and fraud? This is an important question that Cerberus Network would like to answer. In addition, what is the current status of the algorithm used to compute the NRIC checksum? Although there are no known public documents from the authorities, there are references from Ngiam Shih Tung and Mac-Net.com (http://www.mac-net.com/183580.page) that this algorithm could be available from the Ministry of Home Affairs/ICA department for a fee of $200-400. However, the links offered by both sources appear to be out of date.
With hardly any official confirmation or denial of the publicly circulating NRIC algorithms, Cerberus Network has studied the NRIC check digit problem and we agree completely with Ngiam Shih Tung's findings. We have also designed a free web service that computes NRIC check digits, implementing an algorithm based on Ngiam Shih Tung’s publication (http://www.ngiam.net/NRIC/). If you know how to consume a web service, the URL is http://www.cerberus-network.com/NRIC.asmx . The web service is provided as is. Cerberus Network provides no warranties, express or implied, and does not guarantee the accuracy of the results whatsoever. The web service is also provided for legal and legitimate, or research usage only.
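For readers who would rather not call a web service, here is a local implementation of the check-letter computation. This is an added example, not the code behind the Cerberus Network web service; it follows the publicly circulated algorithm as documented in Ngiam Shih Tung's writeup, so the weights, the T/G offset and the letter tables are assumptions taken from that description rather than from any official source. It also includes a small masking helper, since an identifier used this widely for authentication should never be written to logs in full.

```python
"""Singapore NRIC check-letter computation (added example).

Implements the publicly circulated algorithm described by Ngiam Shih
Tung. Weights, prefix offset and letter tables are assumed from that
writeup; nothing here comes from an official specification.
"""
import re

# Weights applied to the 7 numeric digits, left to right (assumed).
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)

# Check letters indexed by (weighted sum + prefix offset) mod 11 (assumed).
CHECK_LETTERS = {
    "S": "JZIHGFEDCBA",
    "T": "JZIHGFEDCBA",
    "F": "XWUTRQPNMLK",
    "G": "XWUTRQPNMLK",
}

# Prefixes T and G add 4 to the weighted sum before the modulus (assumed).
PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}

_NRIC_RE = re.compile(r"^([STFG])(\d{7})([A-Z])$")


def check_letter(prefix: str, digits: str) -> str:
    """Return the check letter for a prefix and its 7-digit body."""
    prefix = prefix.upper()
    if prefix not in CHECK_LETTERS:
        raise ValueError(f"unsupported prefix {prefix!r}")
    if len(digits) != 7 or not digits.isdigit():
        raise ValueError("body must be exactly 7 decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    total += PREFIX_OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11]


def is_valid(nric: str) -> bool:
    """True when the string is well-formed and its check letter matches.

    A passing result only means the checksum is consistent; it says
    nothing about whether the number is issued or belongs to the caller.
    """
    match = _NRIC_RE.match(nric.strip().upper())
    if not match:
        return False
    prefix, digits, letter = match.groups()
    return check_letter(prefix, digits) == letter


def redact(nric: str) -> str:
    """Mask the numeric body so the value can appear in a log line."""
    value = nric.strip().upper()
    if not _NRIC_RE.match(value):
        return "<invalid>"
    return value[0] + "*" * 7 + value[-1]


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for sample in ("S1234567D", "S1234567A", "F1234567N", "X1234567D"):
        print(sample, "->", "valid" if is_valid(sample) else "invalid",
              "| logged as", redact(sample))
```

Because the check letter is one of eleven possibilities determined entirely by the other eight characters, any NRIC-shaped string chosen at random passes `is_valid` about one time in eleven, and anyone who knows the algorithm can produce a passing string at will. The check digit catches typing mistakes; it is not a secret and provides no authentication on its own, which is exactly why its use as a shared identifier deserves the scrutiny this article gives it.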
In a typical context, the NRIC is usually used together with a person's birthdate, and sometimes the maiden name or surname of his mother, to establish authentication. This is a common procedure in a bank, and also with telcos. For operations that require tighter security, banks typically ask questions like "How many accounts do you have with us?", "How many cards do you hold?" or "What is your credit limit?". However, with the NRIC always being one of the key questions asked, we need to pause and consider whether it could one day become the favourite identity theft instrument of malicious parties.
Security
So exactly how safe is the NRIC? Could it become an instrument of identity theft or fraud? We will discuss this in the next installment.
Monday, June 11, 2007
Cerberus Network visits HITB 2005
We've returned from HITB 2005, Westin KL, Malaysia. It was a fruitful and informative trip, certainly well worth the 4 hour drive up from Singapore, and here are some of the highlights of the conference. The Hack In the Box conference was held at Westin, KL. This year, some of the key highlights were the Open Hack contest, and various other live demonstrations by the speakers. Microsoft was the main sponsor for the event, and naturally, launched the event with a preview of Windows Vista. We really enjoyed the event and here are the best snippets.
A counter example of good physical security practice. This one was at the hotel we stayed at. In fact, the hotel wasn't the only culprit. We've seen this setup often enough. The power supply was in fact within reach of an outstretched arm. Certainly easy to disarm this camera.
Windows Vista
Microsoft's new line of Operating System, which should replace the Windows XP line when it launches. During the keynote address, the date touted was mid 2006. We look eagerly forward to having our own copy next Christmas then. That makes a pretty interesting year ahead, with Visual Studio 2005 and SQL Server 2005 this Christmas season.
Vista is also supposed to incorporate many new security features, including the ability to surf in protected mode. In this mode, Internet Explorer will refuse to execute the usual security breach suspects - ActiveX controls and Browser Helper Objects (BHOs). Anti-phishing was also a selling point of the new OS: it connects to a Microsoft database that identifies known phishing sites. Users who encounter suspicious sites can also choose to report them to Microsoft. According to the Microsoft representatives, Microsoft will have human investigators verify whether a reported site is indeed malicious. Once verified as malicious, the site will be added to the online database, thereby helping other users. With many other security oriented features and a wonderfully beautiful GUI, we were truly salivating all over our conference seats.
Social Engineering
The best hacks often occur before hackers even reach your computers. Social engineering encompasses a wide range of deceptive moves, including impersonating somebody else, and even seduction. This was probably one of the best talks in the entire conference and it really showed us how the best hackers probably don't even need a computer to get you.
Wireless Security
This is still a problematic issue. In Singapore, we're collecting statistics and our current data shows that as much as 50% of home networks are running unsecured wireless components. We are in the midst of collating our data and will be publishing it soon. The speaker did give us a few ideas, as well as corroborate ideas we already had about how wireless networks could be abused. We'll bring you more on this shortly.
Bluetooth viruses

F-Secure had a great demonstration of current Bluetooth (BT) virus technology. Although not many such viruses are known at the moment, there is certainly cause for concern about the potential explosion of such viruses. In a certain way, BT viruses today are at a stage similar to the advent of the first widespread PC viruses such as (c) Brain. They could well become something more powerful, with better capability to spread. Thumbs up, F-Secure!
VoIP
Many telcos are going into VoIP big time. Your telco might be one of them. However, current protocols for VoIP are still immature and not strongly geared towards security. This presents a potential problem: businesses currently using reliable PSTN networks, and new businesses who decide to jump onto the VoIP bandwagon, may very well expose themselves to a variety of security problems, including eavesdropping, unauthorized phone calls at company expense, and identity theft.
All in all, it was a very remarkable and good conference and we look forward to being there next year.
Website outage
Website outage: Server crash. We're back online now.
The website was down for around 24 hours due to a failure on one of our servers. The system looks good now and we will be looking at better preventive measures.
Thank you for your patience and understanding.
PAV Full CD Updater 1.6.5 Released
A minor patched version of PAV Updater for the Full Custom CD has been released. No major change was made, apart from adding F-Prot Antivirus to the archive. A future version is planned for both the Lite and Full CD to make use of F-Prot DOS scanning as an alternative during CD bootup.
Cerberus Network visits Hack Off!
ISSA organized Hack Off!, a security event dedicated to the theme of Penetration Testing. Cerberus Network brings you some highlights and thoughts.
ISSA's Hack Off! event was held at the Singapore History Museum Auditorium. It was very well attended and the audience ranged from CIOs and representatives from various government bodies, to the middle management and the technical staff.

The talk was very well balanced, with the speaker, Pure Hacking CEO Robert MacAdam delivering content ranging from the importance of Penetration Testing to how to select a Penetration Testing company. This catered to the wide ranging audience that included CIOs down to technical department representatives. The introduction to how to select a penetration testing company for individual organizations was also a great eye-opener.
What we really liked in particular, was Rob's reply to a question from the audience, that roughly went like "So whats the best defence for our organization?" Rob's answer in one word - Education. Cerberus Network firmly believes that Education of users is the best way to create a safe computing environment for everyone.
It was a pity though that the much touted "Live Hack" demonstration was only a pre recorded video replay of a classic SQL attack on a badly misconfigured SQL server. It would have been a lot more interesting if the hack was indeed done live.
The material used during the talk can be downloaded directly from this link: http://www.issa.org.sg/papers/20050921_ISSA-HackOff.pdf. The ISSA website contains other relevant information about the talk, as well as information about the ISSA and the events they organize.
On an ending note, one very interesting event did happen at the seminar which set us thinking at Cerberus Network. The organizers asked for business cards to be used in the lucky draw, in which a free iPod Shuffle would be given away. The catch was - you had to write your NRIC (Singapore's equivalent of a Social Security Number) on the back of your card or you would be disqualified. With Singaporeans' NRIC being used in so many situations, would this represent a potential security loophole leading to identity theft and would Singaporeans bite the hook?
We'll tell you more about the NRIC in future updates. Till then.
Welcome to Cerberus Network!
This is the new home of Cerberus Network!
We will be moving our old posts into this area and adding in more IT security contents shortly.