‘More byte needed in data protection’

PETALING JAYA: In the wake of yet another data leak, experts are calling for regulatory bodies to take punitive action against organisations that expose users’ personal data, making them vulnerable to scammers.

“In most countries, regulatory bodies define, manage, influence and control how data should or shouldn’t be used by any company or individual,” said enterprise information management vendor ASG Technologies general manager for Asia Pacific Praveen Kumar.

“Unless there is a commercial deterrent defined by regulatory bodies, the business case to invest in data governance, protection and management is not easily justifiable.”

Praveen added that as a result, most companies valued data and treated it as an asset to be merely monetised.

The urgent wake-up call comes after a government microsite exposed users’ bank account details, just two days after a study claimed that Malaysia ranks as the fifth-worst country in terms of protecting the personal data of its citizens.

Yesterday, the Domestic Trade and Consumer Affairs Ministry suspended the Petrol Subsidy Programme microsite for a few hours to fix a flaw that was first revealed by a technology news portal.

The microsite, which went live on Oct 15, could potentially have exposed the details of 2.9 million people that the ministry had identified as belonging to the B40 group that qualify for fuel subsidies.

Lowyat.net had reported that once a person’s MyKad number is entered onto the site, it would reveal the name of the user’s bank, along with the last four digits of the account number.

However, when Lowyat.net looked at the underlying code – or source code, which can be easily viewed from any web browser – the full account number was visible.

“Once we got the news, we decided to put the website on hold because we don’t want to risk anything. We don’t want users to be sceptical about our system,” said the ministry’s head of corporate communications, Yunus Tasim.

The security breach in the petrol subsidy microsite was fixed a few hours later.

Fong Choong Fook, director at cybersecurity company LGMS, said the security flaw was probably caused by the ministry rushing to launch the microsite.

“The bigger concern now is if someone could have used the website as a tool to steal information, just imagine what that person can do with the details.

“Impersonating an authority figure such as a bank or police officer is a tactic often used by Macau scammers. The more information they have about a user, the more convincing they can be,” he said.

Fong added that the website developer should have encrypted the information.

“This is why I’m not surprised that Malaysia was ranked as one of the worst in personal data protection.

“Both private and public sectors are not fully aware of their responsibility to protect data,” he said.

A study by British tech website Comparitech on privacy and surveillance in 47 countries placed Malaysia as the fifth-worst country in terms of protecting the personal data of its citizens.

The worst was China followed by Russia, India and Thailand.

Fong said that there were not enough prosecutions to bring irresponsible organisations to justice.

“We hardly hear of any party being penalised when it comes to data leak or data loss. So overall, the entire ecosystem is poorly coordinated,” he said.

The report gave Malaysia a score of 2.64 out of five points based on several criteria, including privacy enforcement, data sharing, visual surveillance, identity cards and biometrics, and government access to data.

It further notes that currently only the Personal Data Protection Act 2010 (PDPA) protects the personal data of a person in the country.

“Also, our PDPA doesn’t apply to government agencies, so there is no way they can be held accountable if there is any data loss on their part,” said Fong.

He added that Malaysia should take a page out of the European Union’s General Data Protection Regulation (GDPR) to improve data privacy.

“The five best-performing countries in protecting the privacy of its citizens are European. The GDPR has made very clear the consequences of non-compliance, and the penalty is really heavy,” he said.

Meanwhile, Praveen said the risks of not managing personal data carefully have greater consequences for the consumer and end-user than the enterprise using the information.

“As regulatory environments enact more stringent penalties, there would be a marked difference in how data is stored and analysed by most organisations,” he said.

Last year, the Malaysian Communications and Multimedia Commission (MCMC) terminated the contract of Nuemera (M) Sdn Bhd, which was linked to a massive data leak involving 46.2 million telco accounts in 2017.

Nuemera was contracted in 2014 by the MCMC to manage its Public Cellular Blocking Service (PCBS) to stop stolen phones from making calls, messaging or connecting to the Internet.

Earlier this month, Communications and Multimedia Minister Gobind Singh Deo told The Star that his ministry was looking at the GDPR as part of its move to amend PDPA.

“The GDPR has many provisions which are very important and helpful but we have to consider requirements that are unique to us.

“So, we’re going to look at the GDPR, the different recommendations that have been put forward by stakeholders, and come up with our own model to see what’s suitable for us to present here,” he had said.

Gobind added that amendments and improvements to the current Act would hopefully be presented to Parliament by the middle of next year.

In the meantime, Fong said there were many measures users could take to minimise the consequences of a data breach.

“Change your password every now and then, choose a strong password, and you should not use the same password across different websites.

“These are some of the common practices individuals can adopt to protect themselves just in case there’s a data leak,” he said.

Praveen also reminded individuals to be responsible for the data they share, and to be aware of the kind of personal information they reveal to companies and through websites.

“Individuals should also avoid providing personal information to unknown sources.

“It is also important for people to clear the cache and history of their web browsers so that personal data does not get stored unknowingly.

“When using a connected device, people need to be careful about which WiFi networks they are connecting to and avoid phishing emails,” he said.

Phishing is the practice of fooling users into giving away confidential or sensitive data.

In a separate study conducted by US tech giant Microsoft Corp and IDC Asia/Pacific in June titled “Understanding Consumer Trust in Digital Services in Asia Pacific”, 41% of consumers in Malaysia said they feel that the government should take the lead in building trust, followed by technology companies and communities.

The study showed that only 24% of consumers in Malaysia believed their personal data would be treated in a trustworthy manner by organisations offering digital services.

In a statement that accompanied the study, CyberSecurity Malaysia chief executive officer Datuk Dr Amirudin Abdul Wahab said: “As our digital economy continues to grow manifold, it has also opened various risks. Data privacy remains a key concern, with both consumers and businesses being at risk of a data breach.”

 

Full article from TheStar:
(https://www.thestar.com.my/news/nation/2019/10/18/more-byte-needed-in-data-protection)

Source: https://lgms.global/more-byte-needed-in-data-protection-2/

 

ACE Holdings Berhad is a partner of LGMS Global, forming ACE Accelerator Network Sdn Bhd to advocate and support cyber security entrepreneurship, while also nurturing skilled cyber security professionals to meet the growing demand in this space.

ABOUT ACE HOLDINGS BERHAD

ACE Holdings Berhad is an investment holdings company and the ultimate parent to the entities in the ACE Group of Companies. Since 1992, ACE Holdings has built a reputation for pioneering innovative business models, opening up new markets and categories, and pursuing mutually beneficial collaborations with renowned multinational corporations. This is made possible by its vastly talented and experienced team, who are dedicated towards evaluating and carrying out investment strategies founded on five market sustainability pillars – high-growth enterprises, high-yielding capital market instruments, well-defined strategies, sophisticated financial modelling tools, and market innovations.

Ministry suspends Petrol Subsidy Programme microsite which exposed users’ bank account details

Update: The Ministry says the security flaw has been fixed and the Petrol Subsidy Programme microsite is now back online.

The Domestic Trade and Consumer Affairs Ministry (KPDNHEP) has suspended the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details.

The Ministry’s head of corporate communication, Yunus Tasim, said the ministry is aware and investigating the issue.

“Once we got the news, we decided to put the website on hold because we don’t want to risk anything. We don’t want users to be sceptical about our system,” he said.


He added that once the issue is rectified, the ministry will restore the system.

Lowyat had reported that once a person’s MyKad number is entered in the portal, it will reveal the last four digits of the user’s bank account number.

However, when it looked into the source code, the full account number was visible.

Yunus said the ministry will be in touch with Lowyat for more information.

“We would like to thank all the users for their patience and feedback given to us,” he said.

Cybersecurity company LGMS director Fong Choong Fook said the security flaw is most likely due to the ministry rushing to launch the microsite.

The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020.

“The bigger concern now is if someone can use the website as a tool to phish out information, just imagine what that person can do with the details,” Fong said.

“They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here.”

Dr Aswami Fadillah Mohd Ariffin, president of Protem Digital Forensics Research Society (DFRS), said web-based development should go through security auditing at the staging level before production to avoid any security issues when the site goes online.

He said that the website developer must ensure secure coding and infrastructure design are followed before giving the go ahead for the launch.

Once the ministry rectifies the issue and rechecks again, it can give users access to the website, he added.

Fong said the issue can be rectified with a “quick fix on the coding side”.

 

Full article from TheStar:
(https://www.thestar.com.my/tech/tech-news/2019/10/17/kpdnhep-suspends-petrol-subsidy-programme-microsite-which-exposed-users-bank-account-details#40WxojjWKRRdZChj.99)

Source: https://lgms.global/ministry-suspends-petrol-subsidy-programme-microsite-which-exposed-users-bank-account-details/

 


Almost 200% increase in data breach attacks since 2018

There have been 178 cases of data breach to date, almost a 200% jump from the 63 attacks recorded last year, according to data from the Malaysia Computer Emergency Response Team of CyberSecurity Malaysia.

In 2017, only 19 cases were reported, and incidents have continued to persist in Malaysia as hackers become increasingly advanced.

However, a cybersecurity expert believes the actual figure is much higher, as many incidents went unreported.

“A lot of scams, online frauds and attacks are already automated. Software and malware have taken over the tasks of hackers, compared to before, when a person was needed to do the manual work,” Fong Choong Fook told The Malaysian Reserve in a recent interview.

Technological advancement, the rise of social media and growing online users also contributed to the worsening statistics.

“We have learned from cyber-security forensics that hackers stealthily deploy tools. They would not immediately encrypt files and hold the victim to ransom. The new trend is hackers deploy software to collect information about the company and learn about the businesses including the suppliers, customers and communication.

“They gather intelligence, perform data analytics and search for keywords, while the victim may not be aware that hackers are already inside the system.

“The next way of attack is they pretend to be a supplier, for instance, and take advantage of the acquired information,” added Fong, who is also the CEO of an IT firm.

Malaysia was ranked fifth-worst in privacy protection among 47 countries studied by Comparitech.com, a UK-based technology research firm.

Malaysia scored 2.6 out of 5, which denotes some safeguards but weakened protections.

The score placed Malaysia at the bottom of the ranking, alongside Thailand (2.6), India (2.4), Russia (2.1) and China (1.8).

Comparitech.com said the introduction of the Personal Data Protection Act (PDPA) 2010 did make some improvements to Malaysia’s data privacy, but the laws need updating as technology advances.

According to Fong, awareness of the PDPA is still low among Malaysians, while its execution is not as strict as that of the European Union General Data Protection Regulation (GDPR).

“The GDPR has a clear indicator of the penalty. Yes, we have the PDPA, but the awareness is poor. Private organisations can easily get away when a data leak occurs. We have not seen any significant prosecutions under the PDPA,” he said.

The GDPR requires any company, including foreign firms that have an office in and/or serve the European region, to lodge a report of any data breach within 72 hours.

Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach.

Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong had previously told TMR that there is a need for data breach notification law.

“Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Foong said in a previous report.

In a recent Parliament session, Prime Minister Tun Dr Mahathir Mohamad said a total of 127 websites were attacked in August 2019 following the backlash on Indonesia’s motorcycle ride-hailing firm Gojek.

Dr Mahathir said that, of the total, 24 websites were government-run and the remaining 103 belonged to private agencies. Last month, Malindo Airways Sdn Bhd suffered a data breach, less than a month after the incident at Astro Malaysia Holdings Bhd in August.

Passengers’ passport details, home addresses and phone numbers were at risk due to a leak in the carrier’s cloud-based environment.

Meanwhile, Astro suffered a second data breach 14 months after reporting a data breach that affected 60,000 of its customer details.

The satellite television (TV) operator said unauthorised access to customers’ MyKad data, including name, identity card (IC) number, date of birth, gender, race and address, was discovered.

In June last year, Astro said up to 60,000 Astro Internet Protocol TV customers’ details, which were specifically provisioned by Maxis Broadband Sdn Bhd, were leaked.

Malaysia was rocked by its largest data breach incident, reported in October 2017, in which 46 million personal records including IC numbers, addresses and mobile numbers were leaked.

Meanwhile, a survey by Chubb of Small and Medium Enterprises (SMEs) revealed that 84% of SMEs in Malaysia were affected by cyber incidents in the past year.

 

Full article from TheMalaysianReserve:
(https://themalaysianreserve.com/2019/10/17/almost-200-increase-in-data-breach-attacks-since-2018/)

Source: https://lgms.global/almost-200-increase-in-data-breach-attacks-since-2018/

 


Imagine Fake Video With Defence Minister Declaring War! Analysts Warn Deepfakes Could Create Chaos

While politicians, who are most impacted by the deepfake threat alongside celebrities, are trying to come up with legal means to prevent wrongdoers from using the technology, experts warn that the battle against such materials won’t be easy. At the same time, technologies for detecting the fakes seem to be lagging behind the ones that create them.

Investment and research are more directed at developing deepfake-generating tools than deepfake detection, EU tech policy analyst at the Centre for Data Innovation Eline Chivot warns. According to her, the result is a mismatch and a lack of tools needed to tackle the problem efficiently, with the technologies progressing fast and becoming more available to a broader range of actors.

She points out that human review is not a sufficient solution to stop deepfakes from spreading.

“Debunking disinformation is increasingly difficult, and deepfakes cannot be detected by other algorithms easily yet. As they get better, it becomes harder to tell if something is real or not. You can do some statistical analysis, but it takes time, for instance, it may take 24 hours before one realises that video was a fake one, and in the meantime, the video could have gone viral”, she says.

She notes that creating legislation to regulate the use of deepfakes, in general, could be misguided, pointing out that it requires a greater understanding by policymakers. She insists that policies aiming to attract more investments should be prioritised, as these could help develop new technologies.

“Partnerships should be developed with industry including social media companies, e.g., with university researchers, innovators, scientists, startups, etc. to build better manipulation detection and ensure these systems are integrated into online platforms”, she says.

 

Tech Platforms’ Assistance Needed

Her stance is echoed by tech entrepreneur Fernando Bruccoleri, who suggests that even though people will ultimately be responsible for determining what is real and what is not, tech platforms should make it easy for them. He points to the deepfake concept, saying that we will have a problem discerning the truth, as neither the genuine nor fake videos would be eligible to serve as evidence. He also agrees that we will need time to accept the legal changes needed to respond to deepfake challenges.

“I think it will not be as simple as it seems to be able to pass and legislate in the short term. Surely any platform will design tools to detect if a video is fake or not, as a counterpart”, he says.

 

No Legal Tool Against Creating Deepfakes

At the same time, the CEO of the video verification company Amber, Shamir Allibhai, whose firm specialises in detecting fakes, insists that regulating the creation of deepfakes is an impossible task. He says that it would be easier to tackle the distribution of such materials the same way that tools against so-called revenge-porn do.

“I think that if you wanted to, you can tackle it where you could legislatively say the social media networks should not allow deepfakes on their platforms. Potentially, I think there’s a number of statutes that already talk about content and social networks’ ability to have editorial oversight over them, but that might be one way to do this”, he says.

Although he points out that deepfakes could be used for good purposes, like creating movies with deceased film stars, he admits that the technology can be exploited to foment political turmoil. He notes that fake videos, as well as fake news, can be used to actually pull society “further and further apart”, saying that more content of this kind is coming.

“I think that’s real success of this fake content, and I think we are going to see significantly more of it in the run-up to the US presidential elections in 2020. I mean, the challenge is where free speech ends and where regulating this content begins; I think it’s a very sensitive and difficult line”, he warns.

 

International Chaos Possible

CEO of the cyber-security firm LGMS Fong Choong Fook goes further, warning that deepfakes of politicians, whose images can easily be faked as there is a lot of footage of them on the Internet, could lead to international chaos.

“Imagine there is a fake video widely spread over the Internet, where a defence minister is declaring war with another country. This could lead to international chaos”, he says, noting that another impact would be “the compromise of non-repudiation”.

At the same time, he warns that while in order to detect deepfake videos we still have to rely on our eyes, this natural tool is unable to identify any noticeable flaws in a well-trained deepfake video.

“Therefore, it is very difficult for a human fighting a machine in this situation. What if only a machine could defeat a machine?” the tech entrepreneur concludes.

He predicts that programming a machine to detect such videos is challenging, as deepfake tech uses a deep learning algorithm that is more sophisticated than machine learning.

“In deep learning, the user just needs to provide input data and does not need to provide guides to the machine. The machine will have the ability to learn, predict and assess the accuracy of the output. Therefore, the amount of input data required in deep learning could be ten or even a hundred times larger than machine learning”, he explains.

 

Full article from Sputnik:
(https://sputniknews.com/science/201910131077041106-deepfakes-could-create-chaos/)

Source: https://lgms.global/imagine-fake-video-with-defence-minister-declaring-war-analysts-warn-deepfakes-could-create-chaos/

 


Experts call for tougher law on data breach as Malindo Air becomes latest victim

LEGAL and cyber-security experts are calling for a mandatory data breach disclosure regulation to be introduced in Malaysia in light of increasing data breach cases in the last few years.

“There should be data breach notification law. Data subjects have the right to know that their information has been compromised and take steps to secure the data,” Bar Council’s information technology and cyber laws committee deputy chairman Foong Cheng Leong told The Malaysian Reserve (TMR) yesterday.

Foong said the Personal Data Protection Commissioner had introduced a consultative paper to propose the mandatory disclosure but the progress has been muted so far.

Currently, parties that suffer a data leak in Malaysia are not obliged to notify the authorities or the victims.

In Europe, under the General Data Protection Regulation, any company, including foreign firms that have an office in and/or serve the European region, is required to lodge a report of any data breach within 72 hours. Organisations face the risk of a fine up to 4% of global revenue in the event of a data breach.

Malindo Airways Sdn Bhd has become the latest victim of a data breach, less than a month after the last reported case by Astro Malaysia Holdings Bhd. Passengers’ passport details, home addresses and phone numbers were believed to have been compromised due to a leak in the carrier’s cloud-based environment.

The local unit of Indonesian low-cost carrier PT Lion Mentari Airlines (Lion Air) said in-house teams together with external data service providers Amazon Web Services and GoQuo, an e-commerce partner, were investigating the matter.

“Malindo Air has put adequate measures to ensure the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry Data Security Standard,” the company said in a statement yesterday.

In the latest incident, four files, two each belonging to Malindo Air and Thai Lion Air, were dumped online by “Spectre”, a dark website operator that publishes download links of leaked data and stolen databases.

There were also references to Batik Air, another Lion Air unit that is based in Jakarta, Indonesia.

Meanwhile, cybersecurity expert Fong Choong Fook said a mandatory disclosure on data security breach would instil greater responsibility in local organisations.

“The government should look seriously into having the regulatory body to mandate the disclosure. Once you have the mandatory disclosure on security incidents, organisations would take higher responsibilities,” Fong told TMR.

Fong said not many companies, even if found guilty of data mismanagement, have yet been prosecuted in Malaysia.

He added that companies should run technical risk assessments, penetration testing and data encryption as proactive measures to prevent data leaks. Security experts broadly said data breaches should be treated as natural disasters — one cannot control or predict them — but early preventive steps are needed.

Meanwhile, CyberSecurity Malaysia, the national cyber-security specialist, declined to comment about the Malindo Air case or the mandatory disclosure issues.

Last month, Astro suffered a second data breach 14 months after reporting a data breach that affected 60,000 of its customer details.

The satellite television (TV) operator said unauthorised access to customers’ MyKad data, including name, identity card (IC) number, date of birth, gender, race and address, was discovered.

In June last year, Astro said up to 60,000 Astro Internet Protocol TV customers’ details, which were specifically provisioned by Maxis Broadband Sdn Bhd, were leaked.

Malaysia was rocked by its largest data breach incident, reported in October 2017, in which 46 million personal records including IC numbers, addresses and mobile numbers were leaked.

 

Full article from The Malaysian Reserve:
(https://themalaysianreserve.com/2019/09/19/experts-call-for-tougher-law-on-data-breach-as-malindo-air-becomes-latest-victim/)

Source: https://lgms.global/experts-call-for-tougher-law-on-data-breach-as-malindo-air-becomes-latest-victim/

 


The good, the bad, the ID: Tech experts weigh in on Putrajaya’s new national digital identity

KUALA LUMPUR, Aug 29 — Putrajaya’s plan to implement a National Digital Identity (ID) is a good idea to make digital transactions seamless, but several tech observers are questioning its security and viability.

Speaking to Malay Mail, they raised concerns as to whether government infrastructure is ready and robust enough to protect the entire nation’s personal data, and whether there is a need for a separate system from the existing national identity card MyKad.

“Do we have sufficient expertise and infrastructure at this moment to support the national digital ID initiative? When our identity goes digital, the amount of effort and trust we need to protect digitised IDs will also increase,” asked Fong Choong Fook, the director of cybersecurity company LGMS.

While agreeing that the initiative is a good move, especially with the country moving towards a digital economy and Industrial Revolution 4.0, Fong warned that a digital ID is more vulnerable to identity theft.

“Imagine if a MyKad is cloned. The process of exploitation may not be simple, but the impact of any abuse is high. Particularly when there is still a large proportion of Malaysian consumers who are not information technology-savvy,” he said.

Apart from identity theft and online scams, Fong also warned of data privacy issues — with everyone liable to be in “deep trouble” should the infrastructure for storing the data not be maintained securely.

“For example, if the government is accepting digital ID logins, whether the government and private sector have the capability to maintain the security protection is a big concern,” he said.

“If third-party hackers or foreign nationals get hold of our digital IDs, they can mess with our identities, or use it against our government,” he added.

Most recently in 2017, 46.2 million mobile phone numbers from Malaysian telecommunication companies and mobile virtual network operators were compromised and leaked online, with the offender believed to have been trying to sell the data for a quick profit.

“Even our telcos could not protect our personal information. Can we hope that our government can do better?” Fong asked.

 

Is the MyKad not enough?

Earlier this week, the Communications and Multimedia Ministry announced that the Cabinet has approved the implementation of the ID initiative, with studies expected to be completed by 2020.

This would be the second time Malaysia is proposing such a system, after the poorly received and controversial 1Malaysia email project in 2011 that was supposed to form the basis of a national digital ID.

The 1Malaysia email project was a government initiative to provide a unique and official email account and ID for Malaysians and would allow them to receive statements, bills and notices from the government.

Cybersecurity expert and technology blogger Keith Rozario explained that the national digital ID is meant for online transactions, while the MyKad is meant for transactions which require you to be physically present.

“You can’t use your MyKad to perform an online transaction, at least not without a hardware card reader,” he said.

“Your identity throughout government systems is quite decentralised. In theory, your registered name and address at the Employees Provident Fund can differ from the income tax department, which in turn can be different from any local or state government system you use.

“Think of it like logging on to a service using your Facebook ID — the concept is similar,” he added.

Shawn Tan, a chartered engineer specialising in programming, explained that the MyKad has had the ability to be used as an electronic identity ever since its inception.

MyKad was introduced in 2001 by the National Registration Department as a replacement for the previous National Registration Identity Card.

“However, the cost of purchasing card readers, renewing public key infrastructure certificates every few years, and the fact that the certificates can only be purchased from selected authorities, as stipulated under the Digital Signatures Act 1997, make it inconvenient for most people to use,” said Tan.

In addition, only select people, such as government employees, could have benefited from it, said Tan, who was formerly involved in government jobs and designed a universal authentication platform system which uses the MyKad as one of its authentication methods.

He admitted that any system that would pass on the costs to the end-users and the authenticating parties will likely be met with resistance.

“The system will also need to be designed in the open as any confidential or proprietary system will be met with distrust from the public,” he added.

 

The way forward

On the brighter side, Fong highlighted that should the system be successfully implemented with ideal security measures in place, the country would be ahead of many others.

“As far as I know, Estonia is one of the earlier adopters of national digital ID. They can even vote online using their digitised ID.

“Singapore will be launching theirs in 2020,” he said, adding that Thailand is also in the midst of rolling out a national digital ID.

In comparison, India is currently facing structural flaws after implementing its national digital ID in 2009 — personal data associated with the Indian national digital ID, or Aadhaar ID, was reportedly being sold in alternative markets for as little as 500 Indian Rupees (RM29.35).

Last year, Human Resources Minister M. Kulasegaran said Putrajaya is keen to update MyKad with something similar to India’s Aadhaar model that uses unique random 12-digit numbers.

To remedy this, Tan suggested that the data be protected in a way that would prevent the government from having unfettered access to citizens’ personal data.

“These things are achievable. For example, by ensuring that the keys are held by end-users, and not stored with the government,” he said, pointing out that it will be unnecessary to hold all the information in a central database.

Tan said it is possible to have an identity be distributed across multiple databases, each holding a small subset of information, and the user is allowed to choose which identity to use when registering on a third-party site.

“Every government ministry could run its own identity provider server, that is self-managed, holding only data that it needs, and we can choose to identify ourselves to a bank with data from the Finance Ministry identity, or identify ourselves to a hospital with our Health Ministry identity,” he said.

Tan went as far as saying that a well-designed system can even improve personal privacy with respect to the third parties relying on the system.

“A website which requires registration does not even need to know who we are, to be able to authenticate us.

“However, this was one of the difficulties we faced when trying to roll out our system previously, as many software developers found it hard to integrate into existing systems that needed personal information to be collected, for example, email addresses,” he added.

As for Fong, he called for the government to increase awareness of IT-related crimes, such as online scams.

“We still have many online scamming issues, happening almost on a daily basis. This is a clear indication of inadequate awareness.

“If the digital ID is implemented, I think there is a lot more awareness and education the government needs to do in order to benefit from digital ID efficiencies,” he added.


Full article from Yahoo News:
(https://sg.news.yahoo.com/good-bad-id-tech-experts-225831273.html)

Source: https://lgms.global/the-good-the-bad-the-id-tech-experts-weigh-in-on-putrajayas-new-national-digital-identity/

 

ACE Holdings Berhad is a partner of LGMS Global, forming ACE Accelerator Network Sdn Bhd to advocate and support cyber security entrepreneurship, while also nurturing skilled cyber security professionals to meet the growing demand in this space.

ABOUT ACE HOLDINGS BERHAD

ACE Holdings Berhad is an investment holdings company and the ultimate parent to the entities in the ACE Group of Companies. Since 1992, ACE Holdings has built a reputation for pioneering innovative business models, opening up new markets and categories, and pursuing mutually beneficial collaborations with renowned multinational corporations. This is made possible by its vastly talented and experienced team, who are dedicated towards evaluating and carrying out investment strategies founded on five market sustainability pillars – high-growth enterprises, high-yielding capital market instruments, well-defined strategies, sophisticated financial modelling tools, and market innovations.

Astro hit by 2nd data breach in 14-month period

FOURTEEN months after reporting a data breach which compromised the details of 60,000 of its customers, Astro Malaysia Holdings Bhd said it suffered another incident yesterday.

The satellite television (TV) operator said on its website that it discovered unauthorised access to customers’ MyKad data including name, identity card (IC) number, date of birth, gender, race and address.

Astro said less than 0.2% of its customers are affected and the company is in the process of informing them.

“Please be assured that no financial data of our customers have been disclosed. We addressed this incident immediately and stopped the unauthorised access,” it said in a notice published on its website yesterday.

In June last year, Astro said the details of up to 60,000 Astro IPTV (Internet Protocol TV) customers, which were specifically provisioned by Maxis Broadband Sdn Bhd, were leaked.

Details such as names, installation addresses, IC numbers, mobile numbers, equipment and portal ID numbers, as well as information on the subscribed packages were compromised. The customers’ data were sold online at RM4,500 for 10,000 records or 45 sen a record.

According to the latest financial results statement, Astro said the group entertains and engages with 5.7 million households and 23 million individuals.

On the latest case, Astro said the firm has informed the police, Malaysian Communications and Multimedia Commission (MCMC) and the Department of Personal Data Protection (JPDP).

Astro said it is working closely with the authorities to address this issue.

“We are not able to comment on the incident to facilitate ongoing police investigations. We take the protection of our customers’ personal information seriously and have taken steps to enhance and further strengthen our security,” the group added.

When contacted, MCMC confirmed that Astro had informed the regulatory body.

Cybersecurity expert Fong Choong Fook when contacted said the latest case is “hardly surprising” as perpetrators behind data breach cases in Malaysia are still not being charged for the offence.

“More surprising is, so far, that no one gets prosecuted since the last telecommunications data leak. It was bigger than this case,” Fong told The Malaysian Reserve.

Malaysia was rocked by the largest data breach incident in October 2017, when it was reported that 46 million personal records including IC numbers, addresses and mobile numbers were leaked.

In December 2018, customers of CIMB Bank Bhd complained that their accounts were hacked in relation to transactions via the bank’s online portal CIMB Clicks.

The country’s second-largest bank has denied any security breach over the alleged incident.

 

Full article from The Malaysian Reserve:
(https://themalaysianreserve.com/2019/08/23/astro-hit-by-2nd-data-breach-in-14-month-period/)

Source: https://lgms.global/astro-hit-by-2nd-data-breach-in-14-month-period/

 


Safeguards needed to prevent glitches, say experts

PETALING JAYA: Airports are part of the critical national infrastructure and procedures must be in place to prevent system disruptions, says Cybersecurity Malaysia’s responsive services division senior vice-president Dr Aswami Fadillah Mohd Ariffin.

“When you deploy any system, you need to understand the risk, then manage it accordingly by having a policy combined with technical safeguards,” he said, adding an internal investigation was needed to figure out the cause of the problem.

He said the glitch could be due to a number of reasons, from the system configuration not being up to date to pre-existing cybervulnerabilities or upgrading errors.

He warned that even if the disruption was not due to a cyberattack, it put the system in a vulnerable situation which could open it up to an attack.

“It’s hard to say. If there’s a ransomware message on the screen, then it’s easier to tell. If it’s just downtime, there could be many factors,” he added.

Fong, however, noted that such disruptions could also happen without system updates.

“There are a lot of possibilities: poor maintenance, hardware failure, error in patching, software glitches, negligence in operation or, worse, cyberattacks,” he said.

There are of course fail-safe methods that the airports could use, but that would result in a drop in efficiency, he said.

Fong added that prevention and proactive drills were crucial when large organisations update their systems.

“Information system disruptions are not just statistics; they become business cases and will cost us financially.”

 

Full article from TheStarOnline:
(https://www.thestar.com.my/news/nation/2019/08/23/safeguards-needed-to-prevent-glitches-say-experts)

Source: https://lgms.global/safeguards-needed-to-prevent-glitches-say-experts/

 


UNIMY Boosts Student Prospects Through 6 MOUs to Enhance Industry Partnerships

UNIMY management with its 6 new industry partners. (4th from left) UNIMY vice chancellor Prof Dr Mokhtar Abdullah, (6th from left), founder and member of board of governors, Dr Abu Hassan and (7th from left) founder of Eclimo, Dennis Chuah.

University Malaysia of Computer Science and Engineering (UNIMY), an ICT-focused digital technology university, on Sat, Aug 16, announced partnerships with several tech-based companies to provide their students with more relevant industrial experience in their courses.

Memorandums of Collaboration (MOC) were signed between the university and six companies, which include electric-vehicle maker Eclimo Sdn Bhd – known for creating Malaysia’s first two-wheeled electric vehicle – as well as LE Global Services Sdn Bhd (LGMS), a cyber-security company with a focus on penetration testing.

LGMS in particular will be providing IT security training and certification programmes for the students.

“We are very excited to team up with these two innovative and fast-rising technology startups in Malaysia,” says UNIMY vice chancellor Prof Dr Mokhtar Abdullah.

“As you know, the technology world is increasingly dominated by new players with ideas that disrupt industries. Our students will benefit from the collaborations that will provide them an advantage in securing internships and jobs.”

It should be noted that UNIMY students, according to Mokhtar, already enjoy 100% employment so far. Besides greater internship opportunities, Mokhtar also highlights the new opportunities for workshops and bootcamps.

The other four companies that UNIMY will be collaborating with similarly aim to provide students with real-life lab experience. In return, the companies will be able to tap into a pool of talent for their own projects.

These companies include Teamwork AllGain, which specialises in automotive and TVET education development; IT solutions provider Knowledge Link Sdn Bhd; IoT company Time Brain Sdn Bhd; and fintech company Invinity Group.

 

Mutual benefits

Of UNIMY’s new partners, Eclimo appears to be the most fascinating as the electric vehicle company seems a little out of place when compared to UNIMY’s six core focus areas which relate to cloud computing, AI and big data, IoT, coding, business technology and IT security.

Its founder Dennis Chuah tells Digital News Asia that the collaboration is in two areas. Firstly, UNIMY students will be the first to experience Eclimo’s electric scooter system as part of the company’s RideNOW pilot project, which aims to place their first batch of vehicles in Cyberjaya for leasing. The company has brought in seven vehicles for UNIMY, with plans for more.

The second aspect of the collaboration involves data analytics. Eclimo’s vehicles have GPS tracking, which feeds data back to Eclimo. “With this, we are able to collect data on the vehicles – where they stop, how they are used, etcetera,” Chuah says. These datasets serve as exposure and knowledge for students as part of their studies – in return, Eclimo is able to make sense of the data and use it to improve their vehicles.

“We’re collecting data every second – what are we going to do with the data? By collaborating with UNIMY’s students, we are able to compile and analyse it – and subsequently improve our vehicles and benefit our customers. With UNIMY’s background [in data analytics], I believe we can better expand our IoT development.”

This essentially provides students with real-world datasets to analyse, especially in the area of electric vehicles. “With many countries focusing on electric vehicles, I believe that this knowledge they [the students] gain will help them access and unlock opportunities with many companies globally.”

Add Eclimo to that list as well, as it hopes to engage with students as possible future employees when they complete their studies.

 

Boosting students through training

For LGMS, the collaboration comes in the form of the company introducing international, world-class processes – courses that are more commonly used by professionals in the IT security industry – to students.

LGMS chief operating officer Gilbert Chu highlights the hands-on experiences, certification and training programmes. “We have been working with a lot of educational institutions for the past few years and the feedback among students is that they expect a lot more hands-on and technical experience in university.

“That is why we are working with a few international [IT security] training providers. We got their blessings to use their courses and adopt it to suit local student levels.”

Chu says that LGMS is certainly open to industrial training opportunities with UNIMY students (in the form of internships), and adds that there are successful instances of interns that transition into permanent staff.

Invinity, which provides AI-enabled solutions to the financial industry, is setting up an incubation centre as well as working closely with the university in the development of some of their projects. The company’s executive director Jeremy Mah says that they are also looking at working with the university as industry partners, and are certainly open to onboarding graduating students as full-time employees.

He believes that the UNIMY partnership is a good initiative. “I would say that one thing lacking in education is industry exposure. No doubt you can provide academics, but when you go into the corporate world and working environment, things are different altogether.”

Through this programme, UNIMY hopes to start making a dent in the still too large gap in the numbers of students who have industry experience.

 

Full article from DigitalNewsAsia:
(https://www.digitalnewsasia.com/digital-economy/UNIMY-boosts-student-prospects-through-6-MOUs-to-enhance-industry-partnerships)

Source: https://lgms.global/unimy-boosts-student-prospects-through-6-mous-to-enhance-industry-partnerships/

 


Facebook Secretly Transcribing Users’ Voice Conversations is “Illegal” – Pundits

Facebook has admitted that it hired human contractors to listen to audio conversations its users had on Facebook Messenger without their prior consent. Bloomberg made the revelations on Tuesday after speaking to some of the third-party contractors that transcribed the voice conversation.

The social networking site explained that it used the records of only those users who chose the option to decrypt audio files in the messenger, and thus checked how well the neural network works. But as experts point out, the problem is that Facebook doesn’t mention audio recordings in the data-use policy and users didn’t provide their consent to the company to transcribe their communications and share them with third-party firms.

“This is not a correct behaviour, the overall procedural lack of transparency for the end-users. Regarding the purpose of the transcription announced by Facebook, I believe it could be realistic”, Pierluigi Paganini, Chief Technology Officer at CSE Cybsec Enterprise, explained.

As far as why Facebook decided to do this without user permission, the tech expert believes it may have to do with the fact that the Silicon Valley giant was secretly testing new features and attempted to keep its technology secret.

“This kind of technology could be also abused for surveillance purposes, [it’s] likely Facebook avoided revealing it to avoid being in a new media storm”, he noted. He added that besides supposedly testing neural networks, like the company claimed, the purpose could be to train AI “to transcribe every conversation and then perform any kind of analysis on the overall conversations recorded over the time”.

Fong Choong Fook, the CEO of Malaysia-based LGMS, a cyber-security firm, echoed these views:

“It is plausible that end user audio messages were transcribed to train Artificial Intelligence systems. Inevitably, when training AI systems, large amount of data input is typically required”.

Fook believes that Facebook might have ‘sanitised’ the user data first prior to feeding it into AI training systems, explaining that this process is aimed at anonymising the names and any potential private information in the data, but it’s not clear how much data remains.

“Unfortunately, to whatever extent Facebook sanitization works, it remains something unknown to its users and authorities. This could be the very factor that may lead to potentially wild speculations, given the tainted history of how Facebook has handled personal user data in recent years”, the cyber security firm CEO said.

Back in March 2018, Facebook let the personal data of around 87 million of its users be harvested by a data analysis firm – Cambridge Analytica – without their permission through a special app. The information was allegedly used to help target political advertising. In July this year the US Federal Trade Commission issued Facebook a $5 billion penalty over the data breach scandal.

But Munzir Ahmad, a New Delhi tech journalist and Founder of Sky Televentures, has said that Facebook is not the only big tech firm that plays “dirty tricks” on its users to make money. However, when the companies get caught, they tend to come up with “lame excuses” as to why they did it:

“Not only Facebook but the mighty Apple, who always criticised Facebook for data breach, was also listening to user’s conversation via Siri. If these companies are so true, then why did they stop listening to voice conversation recordings after expose? If they are true and their purpose is genuine, then they should not have stopped it. I mean, if you are not a thief then there’s no reason to be scared. Right? Look at the Apple, Facebook, Google and Amazon, they all seemed scared when this particular news came. This proves they are not doing these things for users’ benefit at all”, the journalist stressed, also calling these activities illegal.

 

Full article from Sputniknews:
(https://sputniknews.com/analysis/201908171076569241-facebook-secretly-transcribing-users-voice-conversations-is-illegal---pundits/)

Source: https://lgms.global/facebook-secretly-transcribing-users-voice-conversations-is-illegal-pundits/

 
