Latest news with #CyberSecurityAgency
CNA
4 days ago
- Business
- CNA
Private sector urged to move away from using NRIC numbers as means of authentication
The authorities have urged private sector organisations to move away from using NRIC numbers as a means of authentication. The Personal Data Protection Commission and Cyber Security Agency of Singapore are also working with regulated sectors — such as finance, healthcare and telecommunications — to provide sector-specific guidance in the coming months. Nicolas Ng reports.
Yahoo
4 days ago
- Business
- Yahoo
‘Unsafe and risky': Singapore orders end to IC number use as authentication in private sector
SINGAPORE, June 26 – Singapore's Ministry of Digital Development and Information (MDDI) has reportedly urged private sector entities to stop using National Registration Identity Card (NRIC) numbers as authentication tools or passwords due to security risks. In a formal advisory issued today, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) advised organisations to cease using NRIC numbers to verify an individual's identity when granting access to personal services or information. 'While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be ... for the purposes of trying to gain access to services or information meant only for that person,' MDDI said as quoted by CNA. The ministry highlighted that some organisations still require individuals to use NRIC numbers, sometimes as passwords, to access personal documents such as insurance files. 'It is unsafe for organisations to use NRIC numbers in this manner because a person's NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record,' the ministry said. MDDI called on organisations to stop using full or partial NRIC numbers for authentication, including setting them as default passwords or combining them with other easily obtainable data like birth dates. 'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,' it added. The government is working with key sectors such as finance, healthcare, and telecommunications to develop tailored guidelines on identity authentication practices. This comes as Singapore's Minister for Digital Development and Information Josephine Teo said in January that firms using NRIC numbers as authentication or default passwords must end the practice swiftly. The policy shift came after public backlash in December 2024 over a new Bizfile portal launched by the Accounting and Corporate Regulatory Authority (ACRA), which had exposed names and full NRIC numbers through its search function.
Malay Mail
5 days ago
- Business
- Malay Mail
‘Unsafe and risky': Singapore orders end to IC number use as authentication in private sector
SINGAPORE, June 26 – Singapore's Ministry of Digital Development and Information (MDDI) has reportedly urged private sector entities to stop using National Registration Identity Card (NRIC) numbers as authentication tools or passwords due to security risks. In a formal advisory issued today, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) advised organisations to cease using NRIC numbers to verify an individual's identity when granting access to personal services or information. 'While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be ... for the purposes of trying to gain access to services or information meant only for that person,' MDDI said as quoted by CNA. The ministry highlighted that some organisations still require individuals to use NRIC numbers, sometimes as passwords, to access personal documents such as insurance files. 'It is unsafe for organisations to use NRIC numbers in this manner because a person's NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record,' the ministry said. MDDI called on organisations to stop using full or partial NRIC numbers for authentication, including setting them as default passwords or combining them with other easily obtainable data like birth dates. 'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,' it added. The government is working with key sectors such as finance, healthcare, and telecommunications to develop tailored guidelines on identity authentication practices. This comes as Singapore's Minister for Digital Development and Information Josephine Teo said in January that firms using NRIC numbers as authentication or default passwords must end the practice swiftly. The policy shift came after public backlash in December 2024 over a new Bizfile portal launched by the Accounting and Corporate Regulatory Authority (ACRA), which had exposed names and full NRIC numbers through its search function.
CBC
15-06-2025
- Business
- CBC
Canada's cybersecurity head offers rare insight into Nova Scotia Power breach
The head of Canada's cyber-defence agency is offering some insight just weeks after a ransomware attack against Nova Scotia Power. The utility's computer systems were breached by ransomware hackers on March 19, but Nova Scotia Power did not discover it until April 25. The company disclosed the cybersecurity incident three days after that. About 280,000 customers — more than half of the utility's customers in the province — were informed by letter that their personal information may have been compromised in the attack. The data included names, addresses, phone numbers, birth dates, driver's licences, social insurance numbers and banking information. On Thursday, the Nova Scotia Energy Board granted approval to Nova Scotia Power to move forward with a $1.8-million project to improve cybersecurity. The attack and its aftermath have sparked many questions about the security of the company's IT systems. Rajiv Gupta, head of the Canadian Centre for Cyber Security, spoke to CBC News in a rare interview about how these types of incidents unfold and what people and organizations like Nova Scotia Power can do to protect themselves. This interview has been edited for length and clarity: Can you explain a bit about your agency and what it does? The Canadian Centre for Cyber Security is really Canada's cyber defence agency. So, we provide advice, guidance and services to critical infrastructure systems of importance to Canada. Work primarily with the federal government is where we had started, but have really grown into critical infrastructure. And our goal is to raise cyber resilience across Canada. We fall under CSE, which is the Communications Security Establishment, and CSE has a mandate for foreign intelligence, which goes back 80 years in terms of WWII. We report to the minister of national defence. What do you make of the recent attack against Nova Scotia Power, which did ultimately affect about 280,000 customers? We don't comment specifically on specific incidents, but as a cyber centre … any critical infrastructure providers that have incidents can report their incidents to the cyber centre. So last year we saw about 1,500 incidents. We see a lot of these, and that's what's really important and kind of sad to understand as well, that this is happening so often in terms of cyber-criminal organizations comprising critical infrastructure organizations in Canada. Their motivation is money. They would compromise the network. So basically getting their software inside the network, but then stealing all the sensitive information from the organization and … then going ahead and encrypting systems and locking people out of their system. So we used to call that double extortion. So that way the criminal organization could threaten to release sensitive information, unless a ransom was paid, or also basically not give back access to systems unless a ransom was paid. So that was what we're seeing and it was incredibly impactful to system operators within Canada. In this case, Nova Scotia Power did not pay the ransom that was asked of them. Is that common practice? What we always do is we provide advice and guidance to organizations and we say, "it's a business decision," because we're not the ones operating their business, and we don't know their exact context, say if it's a threat to life or something else. But we always say, 'Hey there's a lot of downside to paying the ransom.' First of all, you're funding these criminal organizations. So, the more ransom is paid, the more we're going to proliferate this sort of behaviour. At the same point in time, you're paying this ransom to criminals. What's that contract worth in the end anyway? Is there really any guarantee that they're either not going to share the confidential information, or they're actually going to give you the keys to decrypt your systems and get your access back? The proceeds of this can go to criminal or even terrorist type causes as well, so, worrisome in that sense. Are you able to say whether Nova Scotia Power had actually contacted your agency [following the breach]? The one thing that I will say is that they did reach out to us. We always recommend that organizations that are victimized reach out to the cyber centre. We've seen many of these in the past and we have advice and guidance to share. And not only can we help the organization in their recovery, and in terms of paying the ransom, ransom might help you unlock your systems, but there's still always recovery costs that are part of this as well, regardless of whether you work with the criminal organization or not. But in this case, they did reach out to us. And the other thing we always encourage is … we hope that they share information about the compromise as well. Because we can take that and share that with other critical infrastructure organizations in Canada. Did they share with you the extent of the breach? We wouldn't go into any details in that sense, but they did notify us of the breach. Is there any sense of who might have been the perpetrator in this attack from your perspective? Nova Scotia Power says it has a sense of who it is. I wouldn't comment on that. There's various groups and they often change shapes and forms as they get disrupted. Unfortunately it's an ever-evolving group of cyber criminals that are out there that seem to be performing these behaviours. And we have an assessment out in terms of a cyber criminal activity in Canada as well that kind of points to the groups that we've seen as active. About 140,000 [social insurance numbers] were included in the stolen data. How serious is this, when that type of personal information is accessed? I couldn't speak to the seriousness of that type of information, but what I will say is that this is exactly what cyber criminals go after. And depending on the type of information, it'll fetch a different price on the dark web. Organizations will collect personal information, whether it's SIN numbers, or credit card numbers, or health card numbers, other sorts of confidential information. Typically that information gets resold on the dark web for other criminals that are going to actually monetize that for other purposes. It's kind of a not very positive circle that exists on the dark web. The way this actually works in terms of what we call "cybercrime as a service" is that it's a whole ecosystem of criminal entities that actually work together. And because it's typically run out of operations that are beyond the legal borders — often in Russian speaking countries where law enforcement won't necessarily prosecute — it's very difficult to disrupt these organizations. And even when law enforcement is able to disrupt them, it's fairly easy for them to kind of reconstitute themselves. What are some of the risks when this personal information is shared on the deep web or dark web? Once that information is out there, that often just spurs the next cycle of fraud. Whether it's spear phishing emails that are using that information, whether it's leveraging information about an organization or their clients to actually further compromise them. That's why it's really important to take note for everyone to be mindful of the things they can do to protect themselves. Be extra vigilant of understanding what's being mailed to you and double checking those links and making sure it's coming from an authenticated source and whatnot. Being mindful of content, making sure you have strong authentication in terms of how you're actually accessing applications as well. What would be your advice to Nova Scotia Power? Really for all of these organizations, do your due diligence. Understand what your really critical elements are of your organization that would be your worst-case scenario. And then once you know what your worst-case scenario is, then you can defend that. Build the plan according to our ransomware playbook, have the backups in place, and have the strong measures in place. The utility [Nova Scotia Power] applied for funding about a month before the ransomware attack. They cited the Canadian Centre for Cyber Security's most recent threat assessment, pointing out that power grids are so interconnected that they can be really vulnerable to these types of attacks. What would be the warning signs of an attack like this? One of the things that we've been very mindful of … as the world gets more hostile, we're worried about impacts to critical infrastructure like electrical guide grids, pipelines, these sorts of things. A lot of them are controlled by systems that were never meant to be connected to the Internet. Nowadays, as people are looking to optimize efficiency, and connect to cloud services and connect sensors to networks, they're becoming more exposed to threat actors from around the world. Normally your electrical grid would only be threatened by people that are actually in the country and nearby, but as soon as you connect it to the Internet, you're pretty much opening a lot of this up to people from anywhere. We are not a regulator. The cyber centre itself provides advice, guidance and services, but we have no authority over any of these entities. We work voluntarily to provide the best practices.
CNA
11-06-2025
- CNA
Singapore authorities take down over 1,000 IP addresses linked to cybercrimes
SINGAPORE: Authorities in Singapore have taken down more than 1,000 internet protocol (IP) addresses based in the country and believed to have been linked to cybercrimes. Officers from the Cybercrime Command under the Criminal Investigation Department of the Singapore Police Force (SPF) worked with the Cyber Security Agency of Singapore (CSA) to take down the IP addresses here. This was part of a recent four-month operation across 26 countries led by the global police organisation Interpol and named Operation Secure, the police said in a news release on Wednesday (Jun 11). The operation against cybercriminal infrastructure was conducted from January to April this year. Law enforcement agencies from the 26 countries worked together to locate physical servers which it believed to be perpetuating malicious software (malware) known as "infostealers". The operation involved mapping physical networks and executing targeted takedowns. The global effort led to the taking down of more than 20,000 malicious IP addresses and domains, the police said in its news release. The malware is "designed to secretly infiltrate computer systems and steal sensitive information". The stolen data is then sent to a remote server controlled by the cybercriminals, said the police. It added that the "takedown of the malicious IP addresses and domains linked to the infostealers", ceases the cybercriminal's control over compromised systems and effectively disrupts cross-border criminal syndicates. The police said that its active participation in the operation reinforces the force's commitment to safeguarding Singaporeans from increasingly sophisticated cybercrime. The strong engagement with Interpol also reinforces SPF's goal to be a global partner in fighting cybercrime, it said. "Such collaborations are essential to keeping Singapore safe and secure from threat actors operating under the anonymity of the internet." 'Our strong collaboration with key local and international partners in Operation Secure was a key success factor in dismantling these cybercriminal networks. "We will continue to work with CSA and other like-minded partners to protect Singaporeans and businesses from threats in cyberspace; and will spare no effort to disrupt cyber criminals and their operations," said Cybercrime Command Commander, Assistant Commissioner of Police Paul Tay.
