After crippling of President’s home page, cyber experts warn … … :

Is computer ‘hacking’ this easy?

Over 1,500 cases so far this year :

by Kishani Samaraweera

Last week, a 17-year old schoolboy from Kadugannawa made headlines when he was arrested for allegedly hacking the President’s website. The suspect posted a message calling for the postponement of the A Level examination.

After arrest by police, the student, as a minor, was put under probation and later released on bail. In the past, a considerable number of non government and government websites were hacked.

It is interesting to note that this is the first time a teenager has been arrested under the Computer Crimes Act of 2007.

Subsequently, a 27-year old from Moratuwa was also arrested, for allegedly assisting the 17 year old hacker, and placed under remand custody.

Tracking

The Police Cyber Crime Division, however, would not reveal how they identified the hacker and traced him. Division head Chief Inspector Senaratne refused to give any details “without written permission”.

But, hackers can be tracked with ‘digital forensic’ investigative tools, cyber security expert Vasana Wickramasena, executive director, Centre for Integrated Communication Research and Advocacy (CICRA), told the Sunday Observer. All computers automatically maintain a log of activity which includes the IP address of the machine used by the hacker, he explained. “The police will, naturally, be reluctant to disclose their methods and the technology they use for detection,” he added.

One of the suspects accused of hacking into the President’s website being taken to court. Pic: Sarath Peiris

“Even if the hacker uses a computer in a public cyber café, most centres nowadays record the national identity card details of users as required by current regulations,” said Wickramasena, whose CICRA Consultancies gives cyber security training and certification. He also pointed out the fact that the hacker was not from a big city which indicated the degree to which computer and internet usage has spread countrywide with rural youth becoming as computer savvy as urban youth.

The analysis of the data with regard to this incident is done by the Sri Lanka Computer Emergency Readiness Team (SLCERT). Speaking to the Sunday Observer, the Principal Information Security Engineer of SLCERT, Roshan Chandragupta said that they hope to reveal their observations and findings with regard to the incident, soon.

“Our job is to find out the vulnerability which led to it and discover whether the people handling the website have given any helping hand,” he added.

Cyber attacks

He is of the view that cyber attacks are a very common occurrence. However, if a person/company follows the general guidelines, such issues will not arise.

He says the daily update of a website or a database is a must, “If it’s not updated, there’s a high probability that such sites or accounts are hacked,” he said.

Chandragupta also pointed out that up to now 1,570 cases have been reported to SLCERT, of which, 80- 90 percent is Facebook related, and not really serious issues.

“If we consider the numbers reported there is a decrease. Last year it was about 2,300 cases, the year before, over 2,800 and currently 1,500 cases have been reported to us.

On the other hand, people have now started to seek help when they face such situations, which is a good trend. Therefore, there is definitely a rise in the numbers seeking help from us,” he said.

Dileepa Lathsara, Chief Executive Officer of TechCERT says, when a website is set up, information security is crucial and should be a major concern. “ Unfortunately, they are only concerned about the content and not information security,”he said.

Explaining the reason for the frequency of web hacking incidents, Lathsara says, the freely available hacking tools on the internet is a main reason. He said, with guidelines, it is not difficult to hack a website.

“There is this concept called, ethical hacking. That is remotely trying to hack in to these organization websites. They do not do any destructive attacks or exploit any vulnerabilities. It is done to identify the issues of a particular website and later rectify it,” he added.

He thinks that people do not understand the impact of the law if such incidents are reported. “The Computer Crimes Act of 2007 clearly lays down actions that the court can take against a person found guilty of committing cyber crimes. So, I believe, if people are aware, much more can be done with regard to the issue,” said Lathsara.

Reputation

Expressing his displeasure at some who ‘admired’ the hacking of the President’s website by a 17 year old, Lathsara said, “It is a bad precedent. My opinion is, by expressing how smart the student is, gives out a wrong message to the young generation. They would assume, it is the easy way to gain recognition.”

A hacker who wished to be anonymous, voicing his views on why people tend to hack websites and databases said, some do it to make a political statement, some to get data to use (Sony/PSN getting cracked for credit card and account data) and some others to embarrass people.

“An interesting fact about hackers is that they do not want you to know your systems have been breached so they can get more data from you. Also, companies whose websites or database are being hacked, don’t want the public to know about it, because it would damage their reputation as well as business,” he said.

He believes that state owned websites are quite vulnerable to cyber attacks.“They use a Content Management System(CMS) mandated by the ICTA and there is (as far as I am aware) little or no maintenance done.

CMSs have to be updated regularly. A well designed and maintained CMS will come with security and usability updates, some of which can be applied by simply pressing a button that says ‘update’, he said.

When inquired about the recent incident of the President’s website being hacked by a 17-year old, he said, “We call them ‘script kiddies’, they are not real hackers who get into systems in novel and interesting ways, but people who use tools created by others. It does not need much skill to press a button on a piece of software that automatically runs and exploits.”

He said, what the schoolboy did was a ‘defacement’, which didn’t do anything more than cosmetic harm, no data stolen, nor was any security breached.

“The Sri Lankan government departments release far more important information than is necessary, due to incompetency,” he said.

Meanwhile, Minister of Telecommunications and Digital Infrastructure Harin Fernando was quoted as saying the government will look into introducing new and improved cyber laws. What steps the relevant authorities will take regarding this, is yet to be seen.