A month after hacktivist groups Anonymous Philippines and its Leyte chapter launched defacement and other attacks on government websites over perceived inefficiency and slow pace of Typhoon Yolanda (Haiyan) relief operations, a number of government websites are still down or defaced.
Following the attacks that were made public on Nov. 3, a second wave of defacement dubbed “Operation Infosurge” was launched over the weekend of Nov.8, the first year anniversary of the Yolanda tragedy.
While some of the sites were repaired and back online again over the following weeks, as of Tuesday, Dec. 2, a number were still down or compromised.
Please exercise caution if visiting some of the links below. Hackers sometimes leave malicious scripts in compromised sites and some of the ones listed below are still triggering warnings from Web security software.
Defaced/downed websites:
- davaotourism.com – Davao Tourism: down (under construction), with the subfolder davaotourism.com/~laanclar/the_real_story still defaced by “~dukh4|PH”.
- braulioedujali.gov.ph – LGU website for the Braulio E. Dujali Municipality, Davao del Norte: defaced and rendered inoperable by “#cDo.Pr1D3”.
- www.tesda11.com – local office of TESDA for Region XI (Davao): site rendered almost blank, with the homepage simply displaying the words “I Love You Joy”.
- www.picc.gov.ph – Philippine International Convention Center: down (Under construction).
- www.omb.gov.ph – Optical Media Board. Briefly up last week, down as of Tuesday Dec.2 (under construction), triggers anti-virus warnings and flagged as a malware vector as of Dec. 4.
- www.laguna.gov.ph – Province of Laguna: down.
New hackers
While it’s bad enough that the sites have not been repaired a full month after the attacks, what’s more is that other hacking groups had now joined in and added their own defacements using the same vulnerabilities in websites compromised from the previous activities (some dating back to last year).
Among them are:
- joserizal.nhcp.gov.ph — the Jose Rizal sub-site of the National Historical Commission of the Philippines — hacked by a Palestinean sympathizer, “Sys Ghost”.
- www.spda.gov.ph – Southern Philippines Development Authority. Compromised by BloodSec International — the same group responsible hacking multiple Globe Telecom websites last week over dissatisfaction on Internet service and also of several Chinese websites last Monday, Dec.1 in protest of the ongoing construction of artificial islands as bases near Philippine territory by the Chinese as well as the mass poaching and slaughter of hundreds of protected and endangered giant sea turtles within Philippine territorial waters earlier this year.
Database account leaks
Other targets in November were DTI websites. Database log-in details from services like the Bureau of Philippine Standards and Confirmation Portal were leaked and as of Dec.2, its website bps.dti.gov.ph was down.
The fact that majority of the log-in accounts in leak belong to auto-generated spambots show how lax the site administrators were. Some of the techniques used in the database breaches were SQL injection attacks due to poor data input sanitization like with the Online Price Monitoring System subsite as shown by a screen capture from an Anonymous PH video.
Compromised, too, was the Full Disclosure Policy Portal (FDPP) of the DILG’s Local Governance Performance Management System (LGPMS) program which is used by LGUs for sharing financial documents online.
Account details like full names, logins and password hashes of users and administrators were publicly posted online.
The situation is a rather ironic since DILG Secretary Mar Roxas is staunchly against the formation of a cabinet-level Department of ICT (DICT). A DICT could have better coordinated security for the different branches of government than the current ICT Office, which has been relegated to a smaller sub-office of the DOST.
It’s sobering, but with the dissolution of the Commission on ICT (CICT) under the Office of the President back in 2011, the Philippines (along with Laos and Cambodia) is now one of the only three remaining countries in the Asean without a cabinet-level ICT agency.
Measures to address the problem
After a spate of hackings which were carried out last year over the PDAF/pork barrel scandal, President Aquino issued Administrative Order No. 39, s. 2013 (AO39) which now mandates that all government agencies migrate their hosting to the consolidated Government Data Center (GDC) and Government Cloud (GovCloud) service of the Integrated Government Philippines (iGovPhil) project under DOST-ICTO.
Compliance with this measure will save the government and taxpayers a lot of money in maintenance costs and improve the overall security of government websites. As of the time of this writing, many government agencies and attached offices still have not done so and as a result, have been breached.
Aside from hosting, it is also urgent that government agencies and regional offices utilize DOST-ASTI’s DNS service and obtain Gov.PH domain names for their websites and GovMail e-mail addresses as soon as possible in order to secure their brands and digital identities.
This will help protect Filipino citizens from maliciously crafted websites that masquerade as official government ones (where users might enter sensitive personal information and become victims of cybercrimes like identity theft) as well as official-sounding but fake e-mail addresses (e.g., Yahoo Mail, GMail, Hotmail, etc.) which can be used for malicious activities like scams, phishing attacks, drive-by downloads, or deliver malware like trojan horse and virus e-mail attachments.
The non-use of gov.ph e-mail addresses for official government functions puts not only citizens who engage in e-government services at risk, but also government employees, officials and executives who may become the victims of targeted spear phishing, social engineering, and whaling attacks.
The Internet is no longer the realm of just the elite. It is already being utilized by the masses. With the rising toll of physical travel for many Filipinos in terms of transportation cost and man-hours wasted (currently losing us billions, projected to reach P1.5 trillion in 10 years from Metro Manila alone), services that can be shifted online can save enormous amounts of money not just for the government, but also for citizens.
In this day and age where the Internet has become a primary point of contact and engagement for millions of Filipinos (especially OFWs), government institutions need to pay more care and attention to the security of the medium in order to serve the public more effectively and efficiently.
In light of how important ICT management and security is in day-to-day operations, the Aquino administration needs to realize that by far, it is much more costly for the Philippines not to have a Department of ICT than it supposedly is to create and operate one.
Bear in mind that the recent public hacks on local websites by members of the scene are just the tip of the iceberg. They were performed by “friendlies” who were acting to expose security flaws.
What about malicious groups, possibly even state-sponsored ones given regional tensions? According to one security researcher, it takes an average of over six months before hacking activities become discovered. Some security flaws even go undetected for as long as almost 20 years, giving actors free reign to leave backdoors or create security exploits that may lay dormant for long periods before being activated.
Where five years is considered a lifetime at the pace of change in the world of IT, it is probable that a number of our existing information systems are not updated and require security overhauls. As such, it is not unreasonable to speculate that we may have other servers and databases that have already been compromised, but remain undetected.
Given the naive lack of ICT competence in many branches of our government today, it is clear that this rehabilitation is a monumental undertaking. A smaller office like today’s ICT Office might be very nimble and has successfully implemented many good projects, but the ICT Office in its current form might not be up to the task because it lacks legal powers of broader inter-agency oversight as well as greater resources at the scale required.
Back in 2012, both Congress and Senate had already passed bills approving the creation of a DICT, but it did not come into force because President Aquino did not sign the bill. A new effort for the DICT law has been started again earlier this year. Should it pass muster again in Congress and Senate, let us hope that Aquino finally signs it, lest the mistake of not creating one become the legacy for which he will be known, but ultimately, the rest of us will pay for.
——————
A note about the leaked government database account credentials linked in the article and concerns of harm due to increased public exposure: these Pastebin text dumps have already been posted in public for the better part of a month and have already made the rounds in hacker circles. The doors are wide open and the “bad guys” already have them, so what further damage can happen?
What needs to be done is for system administrators to be made aware of all of these as soon as possible to fix things. System administrators should change not just all passwords of accounts that were exposed, but also all the log-in names. It would probably also be safer to change the encryption salt and hashes for affected databases. A top-down audit of all the systems that were breached needs initiated.
As for some of the websites that were defaced multiple times, a number of the Davao/Mindanao websites above seem to have been serviced by the same third party IT company and are hosted abroad in the same server. Agency IT departments and third-party service providers should get in touch with the ICT Office as soon as possible and begin the migration to iGovPhil.
