What CIMB Malaysia has not told you, but should

There is no such thing as a bulletproof system in today’s connected world – even banking institutions are not spared. When an incident like the one that has transpired today with CIMB Malaysia comes to light, you would expect the organisations involved to be well prepared to deal with it in the best interest of everyone involved.
But that’s always easier said than done, and once again we are faced with yet another security incident that is being poorly handled by those tasked with protecting the privacy and financial information of their customers.
Before we get down to the nitty-gritty details, this is what CIMB should have told you weeks ago, but even today, after the social media storm that has taken place, they have yet to enforce a mandatory password change for ALL their users. So if you haven’t already done so, do it NOW. Please change your CIMB Clicks password immediately. ‘Encouraging’ is not an option, as they have so gently requested in their FAQ. We also strongly recommend that if you do not conduct overseas online transactions, you disable the overseas transaction option for your CIMB Debit Cards. Whenever possible, set your CIMB Debit card transaction limit to the lowest possible value.
We are aware of the other issues related to CIMB Malaysia, but to avoid any overlaps, we will only be looking at the password issue in this post.
That 8 character password
The 8-character issue with CIMB Malaysia’s password is not something new. Frankly speaking, we were able to trace it back all the way to 2011, based on social media complaints about their constantly changing password policy.

@CIMB_Assists, did u guys change the length of the password on the login form? It seems now it's limited to 8 characters. I can't login
— Imran Syed Jaafar (@imranjaafar) May 20, 2011

All the passwords I have used with CIMB Clicks Malaysia myself have always been more than 12 characters. Never have I had an 8-character password, but at some point in time the policy did change – and passwords were limited to 8 characters. Now this in itself is not a simple exercise, because even based on the above tweet, when the password length was trimmed down to 8 characters, those with longer passwords were not able to log in (without having to change their passwords).
So CIMB Malaysia has claimed that they have once again updated their password policy, and it is now a requirement that the password be between 8 and 20 characters and contain a combination of letters, numbers and special characters. While it is not specifically mentioned in the FAQ, there is now a mandatory requirement for the new password to contain at least one special character. Why? More on that later.
This particular FAQ, which was only released today, confirms that the new policy came into effect on the 18th of November 2018. However, for reasons unknown, CIMB Clicks continued to accept logins from legacy password users. Whatever the reason for a password policy change, it is critical that all users are explicitly informed of the change and compelled to change their passwords to comply with the new policy.
How to change your Password Policy and retain old passwords in 2 minutes
So, when the new password policy came into effect, CIMB Malaysia somehow decided that instead of compelling all users to change their passwords to adhere to the new policy, they would allow both new and old passwords to co-exist. And instead of making the substantial changes to their system that would allow this to be done securely, they chose a very simple, insecure, and downright nasty way of doing it.
Coding is an art form, and any self-respecting coder would not use this piece of code to check the password to his grandmother’s basement, let alone on the front end of a major online banking system.
Essentially, what the code does is this.
So, when this code came into effect, even if you had a password of 15 or 20 characters before November 18, 2018, only the first 8 would need to be correct to gain access to your account. While this does not automatically grant anybody access to your account, it greatly increases the chances of someone who more or less knows your password habits guessing the right password.
Now, if your password was a combination of letters and numbers, it would be harder to crack, but a lot of people use just numbers as their password. How long does it take to crack an 8-character all-number password? About 5 minutes.
What’s that reCaptcha doing there?
One of the first telltale signs that something was seriously wrong with CIMB Clicks Malaysia was when they suddenly, without any warning, decided to implement reCaptcha on their login page. This, of course, was after the CIMB Clicks platform was completely inaccessible for most of Saturday.

Some smaller banks around the world do turn to Google’s reCaptcha to keep away unwanted traffic because it’s free and extremely easy to implement, but to say reCaptcha has been implemented to enhance customers’ security is nothing but a blatant lie.
What reCaptcha does is slow down spam bots (and in the case of CIMB Clicks, brute-force scripts) from hammering their system with millions of requests as they try every single password combination to get into a customer’s account.

There are so many more elegant, secure and much more effective ways to keep spam bots, nasty scripts and even malicious users away, and reCaptcha does not figure anywhere on this list for an organisation of this size.
To hash or not to hash
We are going to get a little technical here for the last bit, so turn away now if you must. Based on the minified JavaScript we went through on the CIMB Clicks site, we are fairly certain that post 18th November, the passwords are now stored as a one-way hash, making them quite secure in the event of any future breaches.
However, we are now somewhat concerned about how the passwords were stored before November 18th. There are generally two ways that passwords are stored in the backend databases of any system (we say two, because we are hoping to God that they aren’t stored in plaintext). They could have been encrypted, or they could have been hashed.
Now the good thing about hashed passwords is that, even without a salt value, it is pretty much one-way traffic. While not entirely impossible to reverse the hash, it is going to take you forever and a day to retrieve the actual plaintext password. So going back to the CIMB Clicks issue, if the passwords post 18th November were hashed, it would have been quite impossible for them to have played around with the number of characters – simply because there is no way of knowing the first 8 characters of the password, or even correctly guessing how many characters the password had to start with, just from the hash stored in the database.
For a quick example of how an MD5 hash works, see below.
String: Lowyat – MD5 hash: 3d9511b72653307778afe42b5164c38e
String: lowyat (no caps) – MD5 hash: 9a7485524402678db8c71d5fddaad6d6
String: lowyat1 – MD5 hash: 39b53cce07126625efedf6c4826bab65
As you can see, even a one-letter change completely changes the MD5 hash, and in a hashed system only the hash is stored in the password field. You can test it yourself here.
So, unless CIMB has only been hashing the first 8 characters all the way back from 2011, it is looking very unlikely that the customers’ passwords were hashed.
Which leaves us with the passwords being encrypted (again, we are hoping it’s not plaintext!). Encrypting passwords works as well, but the big issue with encryption, as seen in the illustration above, is that anybody with the decryption key will be able to reverse the password from its encrypted form to plaintext. More often than not, the encryption key will be a single key across the entire data set. Even if it’s not, it is very likely that the decryption keys will be stored within the database itself.
If the passwords were indeed encrypted, then it would be entirely possible to change the number of characters required for the password to be accepted, as required by their password policies. However, this also means that anybody with access to the database very probably also has access to your plaintext passwords.
Now, remember a little over a year ago when CIMB Malaysia lost their backup magnetic tapes? Let’s all now pray that the data on those tapes was hashed and not encrypted.
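The two points above – that only the first 8 characters of a legacy password needed to be correct, and that such a check is only possible when the stored password is recoverable rather than hashed – can be shown side by side in code. The following is an added example written for this article; it is not CIMB’s code, and the “reversible store” is a constructed toy stand-in for a keyed, decryptable scheme (a hash-derived keystream XORed over the plaintext), used only to show what reversibility makes possible. The password value is constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- One-way storage: hash the FULL password with a per-user salt. ---
# Constructed example, not the bank's implementation.

ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the whole password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_hashed(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Only the exact password re-derives the stored digest.

    The digest reveals neither the length of the password nor its first
    8 characters, so a 'first 8 characters match' rule cannot be built here.
    """
    _, cand_digest = hash_password(candidate, salt)
    return hmac.compare_digest(cand_digest, digest)


# --- Reversible storage: a toy stand-in for 'encrypted' passwords. ---
# One site-wide key, as the article says is common. NOT a real cipher;
# it only demonstrates that the plaintext can be recovered by the server.

SITE_WIDE_KEY = b"constructed-site-wide-key"  # constructed placeholder


def _keystream(length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(SITE_WIDE_KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))


def reversible_recover(blob: bytes) -> str:
    """Anyone holding the key (or the database it sits in) gets the plaintext back."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(len(blob)))).decode()


def verify_legacy_prefix(candidate: str, blob: bytes, prefix_len: int = 8) -> bool:
    """The shortcut the article describes: recover the stored password and
    compare only its first `prefix_len` characters with the login attempt."""
    stored = reversible_recover(blob)
    return hmac.compare_digest(candidate[:prefix_len].encode(), stored[:prefix_len].encode())


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return charset_size ** length


if __name__ == "__main__":
    pw = "CorrectHorseBattery2018!"  # constructed 24-character password
    salt, digest = hash_password(pw)
    blob = reversible_store(pw)

    print("hashed, full password   :", verify_hashed(pw, salt, digest))          # True
    print("hashed, first 8 only    :", verify_hashed(pw[:8], salt, digest))      # False
    print("reversible, first 8 only:", verify_legacy_prefix(pw[:8] + "garbage", blob))  # True
    print("8 digits vs 8 alnum     :", keyspace(10, 8), keyspace(62, 8))
```

With the hashed store, a 24-character password is accepted only in full. With the reversible store, any login attempt whose first 8 characters match is accepted, and the keyspace for an 8-digit PIN is 10^8 candidates, which is why the article’s “about 5 minutes” figure for an all-number password is plausible once the check is reduced to 8 characters.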
And on that bombshell.. cue Top Gear credits.
The post What CIMB Malaysia has not told you, but should appeared first on Lowyat.NET.

AMD Radeon Technology Group Senior VP Mike Rayfield To Resign From Position

Mike Rayfield, Senior Vice President and General Manager of AMD’s Radeon Technology Group (RTG), will be leaving his position at the company. The announcement of Rayfield’s departure comes less than a year after he and another colleague, David Wang, were brought on to replace Raja Koduri, who had joined Intel shortly after leaving his position at RTG.
AMD confirmed that Rayfield’s departure is due to his decision to retire and “spend more time with his family and pursue his personal passions”. With Rayfield stepping down, Wang will act as RTG’s interim leader until RTG finalises its search for a new business leader.
David Wang, Senior VP of Engineering, RTG. Wang will be acting as interim leader of RTG.
Before joining RTG, Rayfield led NVIDIA’s Tegra unit, and before that Micron’s mobile storage business unit. Wang himself had worked as a GPU engineer for ATI (and then AMD) from 2000 to 2012 before becoming Senior Vice President of Engineering at RTG alongside Rayfield.
(Source: Anandtech via TechPowerUp)

NES Classic And SNES Classic Going Out Of Production

If you recall, the highly popular Nintendo Entertainment System (NES) Classic Edition went out of production once last year. This was followed by the announcement of the Super Nintendo Entertainment System (SNES) Classic Edition not too long after. This time, though, it looks like both will be going out of production for good.
In an interview with the Hollywood Reporter, Nintendo of America President Reggie Fils-Aime said “at least from an Americas perspective, these products are going to be available through the holiday season and once they sell out, they’re gone. And that’s it.”

While it doesn’t seem like this is due to a supply issue, it may have something to do with the fact that Nintendo also has its classic games via Nintendo Switch Online. After all, the platform has just added three NES games – Ninja Gaiden, Wario’s Woods and Adventures of Lolo.
It’s also entirely possible that popular demand will see the two classic consoles come back in the future, the way the NES did. If not, then this will be your last chance to get your hands on either or both of Nintendo’s classic consoles before they run out forever.
(Source: Hollywood Reporter via The Verge)
Edited By John Law

Blizzard Moves Developers Away From Heroes Of The Storm; Cancels 2019 Heroes Tournaments

Blizzard has announced that it will be moving manpower away from its Multiplayer Online Battle Arena (MOBA) title, Heroes of the Storm. The announcement goes on to say that the developers shifted from Heroes of the Storm will be working on other live games and unannounced projects.
Following this, the company also announced that the game’s tourneys, Heroes Global Championship and Heroes of the Dorm, will not be returning in 2019.
While Heroes of the Storm was never explosively popular like the two dominant MOBA titles League of Legends and Dota 2, it still has a passionate following of fans. Pro players of Heroes of the Storm are also clearly unhappy about the sudden cancellation of Heroes Global Championship.

That said, the game will remain as a live service, with updates and new content coming in. This includes new heroes and themed events, according to Blizzard’s statement. They just won’t come as frequently as they did before.
As for the announced projects, perhaps the mobile Warcraft title we heard of last month is among them.
(Source: Blizzard via PCGamer [1], [2])
Edited By John Law

Apple Is Being Sued For “Misleading” iPhone XS Ad; Claims She Didn’t Know About Display Notch

They say ignorance is bliss. In the case of a lady named Courtney Davis, she is now suing Apple over the latter’s misleading ad of its iPhone XS and XS Max. Unbelievably, her argument was that the ad had hidden the display notch on both phones from her, giving her the impression that both phones didn’t have one.
Davis’ lawyers are accusing Apple of designing its advertisement to obscure the notch, thereby leading Davis to believe that the iPhone XS Max she had ordered wouldn’t have one. Never mind the fact that the notch itself was first introduced on the iPhone X.
The ad image Davis refers to is the one that prominently displays both the iPhone XS and XS Max against a purely black background. Both phones’ OLED displays show the curvature of a planet, with the black parts of the image blending into the background. In a sense, Davis’ accusation is valid, as the image was criticised by many in the industry for blatantly hiding both phones’ notches at the top of the display.

“Images that disguise the missing pixels on the products’ screens are prominent on Defendant’s website, as well as in the advertisements of retailers who sell the products,” the complaint said.
Davis’ lawsuit is seeking class-action status, along with any damages that the judge deems fit. Given the absurdity of the claims, though, observers are skeptical that the lawsuit will even come to court to begin with. You can read the entire lawsuit here.
(Source: Business Insider)

ASUS CEO Jerry Shen To Step Down; Will Be Starting A New Company

ASUS’ CEO, Jerry Shen, is stepping down from his seat of power. Shen, who has been with the brand for 11 years, will now reportedly be creating his own new company.
In an interview with Business Next, Shen says his stepping down is part of a “comprehensive corporate transformation” at ASUS that will begin next year. A change that, Shen says, will enable the brand to focus more on the gaming and power user markets, as well as AI technology.
Shen’s new company will be, as he describes it, an AIoT (AI and Internet of Things) company that goes by the name of iFast. Naturally, ASUS itself will have a 30% stake in the new company.

The restructuring also serves to help the brand reorganise the current state of its mobile division, a division that is currently putting ASUS US$160 million (~RM669 million) in the red. Specifically, the brand is planning on refreshing its Zenfone series, but will shift most of its focus to expanding its presence in the gaming smartphone segment.
It makes sense for a company like ASUS, especially since the brand released its own ROG Phone earlier this year. The phone features some pretty premium hardware, including an overclocked Snapdragon 845, 8GB RAM, and a 90Hz OLED display.

To that end, mobile gaming hardware is still a relatively untapped and extremely lucrative market, especially in the Asia Pacific region, where the mobile eSports market is quickly emerging.
(Source: Techspot, Business Next, Gadget 360 // Image: Gizmodo)

Xiaomi Mi Mix 3 To Be Available In Malaysia This January For Under RM 2,500

While we have known for quite some time that Xiaomi is planning to release its Mi Mix 3 in Malaysia, the exact release date for the device in our market has remained a mystery since its media briefing for the Malaysian media two months ago. Today, the company finally has something to say about the release date.
In a post on its official Facebook page, Xiaomi Malaysia has teased a new phone without naming the actual device. However, the caption, especially the word “sliding”, clearly points to the Mi Mix 3.

As you can see from the teaser image above, expect the new Mi Mix 3 to be available in Malaysia next month with a price tag below RM 2,500. In China, the phone is currently being sold from CNY 3299 (~RM 2002) to CNY 4999 (~RM 3034).
Hence, it is rather hard to guess which variant the company will bring into Malaysia, with the exception of the Palace Museum Edition, which already costs more than RM 2500 in China.
We’ll keep you updated once we hear more from Xiaomi Malaysia, but for now, do check out our first look at the Xiaomi Mi Mix 3 right here.

(Source: Xiaomi Malaysia)

Serious security flaws in CIMB Clicks might have led to accounts being hacked

Something strange is happening with CIMB Clicks, and judging by their rather abrupt implementation of reCaptcha on their login page today, there are reasons to be concerned.
We are not publishing details for now, as it might lead to more abuse. We recommend changing your password to something complex using an online password generator until this massive security flaw is patched.
Developing story…

OnePlus 6T McLaren Edition Available For Pre-Order In Malaysia; Goes For RM 3,388

This phone was launched earlier this week, but it seems that OnePlus is more than happy to bring the new iteration of its current flagship device, the OnePlus 6T, into Malaysia very soon. As you might have heard, the new model comes in the form of the OnePlus 6T McLaren Edition, which was crafted in collaboration with the legendary automotive and motorsports powerhouse, McLaren.
While the majority of its specs are identical to a standard OnePlus 6T, the minor differences seem apt enough to make the OnePlus 6T McLaren stand out. One of them is the carbon fibre pattern on the phone’s back cover, together with the Papaya Orange outline on its bottom half, one of McLaren’s signature colourways.

The OnePlus 6T McLaren Edition also comes with a McLaren badge located at the bottom centre of its back cover. Other than that, the phone comes with 10GB of RAM and a new fast-charging implementation called Warp Charge 30, which is apparently able to take the battery from 0% to 50% in 20 minutes, or to 100% in 1 hour.
The phone also comes with McLaren-themed animations, themes, wallpapers, and icons, alongside exclusive packaging that includes a book and a commemorative plaque. In Malaysia, the OnePlus 6T McLaren Edition has been available for pre-order since 14 December for RM 3,388.

However, the pre-order is already sold out for now, according to the listing on the OnePlus Malaysia Flagship Store at Lazada. Nevertheless, we have reached out to the local distributor, Mi Han, for further information about whether more units will be made available in Malaysia. So, stay tuned.

Microsoft Gives Away Windows 95 Sweaters Of Questionable Taste

It’s quite clear at this point that Microsoft has something of a sense of humour. As people in the Northern Hemisphere have begun packing up for the holiday season, the brand announced that it would be giving away some Windows 95 sweaters to a select few fans.
Specifically, Microsoft has made just 100 of these sweaters, and distribution of the clothing article was done via Twitter, where it picked out several winners who were already following its account (@Microsoft).

Introducing the latest #Windows95 custom "softwear." Wish you could rock the #WindowsUglySweater? your DMs, because we're giving a few lucky fans one of their very own. pic.twitter.com/84kQLtYsF2
— Windows (@Windows) December 13, 2018

For the record, Microsoft is aware of the sweater’s less-than-fashionable nature, so much so that it even attached the #WindowsUglySweater hashtag to its post. But that hasn’t deterred its followers from trying to “argue their worthiness” to own it. At the time of writing, several of the sweaters had already been given away.
(Source: Windows via Twitter, Hot Hardware)