Istana website hacker fined $8,000

SINGAPORE - A businessman who was fined $8,000 yesterday for hacking into the Istana website is the first to be convicted of carrying out a cyber attack on a government website here.

Delson Moo Hiang Kng, 43, who runs an IT consultancy firm, admitted to one of three charges of unauthorised access to the server that hosted the Istana webpage in November last year.

On three occasions, starting at 12.34am on Nov 8, he caused the webpage to display a picture of an old woman pointing her middle finger, along with a string of offensive words in Hokkien. The two other charges were considered during his sentencing.

Moo had hacked into the website using a technique called cross site scripting and exploited a vulnerability in the embedded Google search bar, which helps users to search for items within the site.

The aim of Moo's cyber attack was to deface the webpage, said Deputy Public Prosecutor (DPP) Suhas Malhotra yesterday.

Attacks using cross site scripting, he said, can also be part of a wider criminal activity - for example, where such an attack is used to ''phish'' for information about a victim, which is then used to perpetrate some other crime.

Instead of entering basic text in the Istana website's Google search engine, Moo entered hypertext markup language (HTML) code that he had crafted.

As a result, the server hosting the Istana website processed the injected script, and generated a webpage incorporating the offending text and images put in by Moo.

DPP Malhotra said Moo learnt about the vulnerability on the Istana website from other Facebook users.

His act, however, did not cause any damage to the contents of the Istana Web server.

The DPP said Moo's offences took place at a time when concerns about cyber security were particularly heightened.

On Oct 31 last year, a video had been released by a person calling himself ''The Messiah'', and who claimed to be associated with a global activist hacker group called Anonymous.

In the video, Anonymous declared ''war'' on the Singapore Government through ''aggressive cyber intrusion'', and called on Singaporeans to stage a protest on Nov 5.

The alleged hacker who used ''The Messiah'' pseudonym, James Raj Arokiasamy, 35, has been charged, and his case is pending.

Similar cases against the alleged hacker of the website of the Prime Minister's Office, Mohammad Azhar Tahir, 28, and Melvin Teo 17, who is also accused of hacking into the Istana website, are still at pre-trial stages.

Pleading for leniency, Moo's lawyer, Mr Anil Balchandani, said his client was remorseful for his actions, which were made not only in a moment of folly, but also in a ''sense of adventurism''.

He said the Istana website was not permanently altered, and Moo's changes or processing were seen by his browser in his computer.

There was no way anybody else could have replicated the defaced site without the code that Moo had used, he said.

Moo was also said to be surprised that the Istana website was not protected against his attack.

Agreeing with the prosecution that a jail term was not necessary, District Judge Liew Thiam Leng took into account that there was no alteration or disruption of the data in this case on the affected website, no ''phishing'', and no steps taken by Moo to disseminate the hyperlink containing the cross site scripting attack.

''However, there is considerable inconvenience caused in the present case, and as highlighted by the prosecution, the website was not available for a certain period in time, and the necessary steps have to be taken to rectify the website,'' said the district judge.

The maximum penalty for the offence is a $10,000 fine and three years in jail.

This article was first published on June 6, 2014.
Get a copy of The Straits Times or go to straitstimes.com for more stories.