After crippling of President’s home page, cyber experts warn …:
Is computer ‘hacking’ this easy?
Over 1,500 cases so far this year:
by Kishani Samaraweera
Last week, a 17-year-old schoolboy from Kadugannawa made headlines
when he was arrested for allegedly hacking the President’s website. The
suspect posted a message calling for the postponement of the A Level
examination.
After arrest by police, the student, as a minor, was put under
probation and later released on bail. In the past, a considerable number
of non government and government websites were hacked.
It is interesting to note that this is the first time a teenager has
been arrested under the Computer Crimes Act of 2007.
Subsequently, a 27-year-old from Moratuwa was also arrested for
allegedly assisting the 17-year-old hacker, and placed under remand
custody.
Tracking
The Police Cyber Crime Division, however, would not reveal how they
identified the hacker and traced him. Division head Chief Inspector
Senaratne refused to give any details “without written permission”.
But, hackers can be tracked with ‘digital forensic’ investigative
tools, cyber security expert Vasana Wickramasena, executive director,
Centre for Integrated Communication Research and Advocacy (CICRA), told
the Sunday Observer. All computers automatically maintain a log of
activity which includes the IP address of the machine used by the
hacker, he explained. “The police will, naturally, be reluctant to
disclose their methods and the technology they use for detection,” he
added.
[Photo: One of the suspects accused of hacking into the President’s website being taken to court. Pic: Sarath Peiris]
“Even if the hacker uses a computer in a public cyber café, most
centres nowadays record the national identity card details of users as
required by current regulations,” said Wickramasena, whose CICRA
Consultancies gives cyber security training and certification. He also
pointed out that the hacker was not from a big city, which
indicated the degree to which computer and internet usage has spread
countrywide, with rural youth becoming as computer savvy as urban youth.
The analysis of the data with regard to this incident is done by the
Sri Lanka Computer Emergency Readiness Team (SLCERT). Speaking to the
Sunday Observer, the Principal Information Security Engineer of SLCERT,
Roshan Chandragupta said that they hope to reveal their observations and
findings with regard to the incident, soon.
“Our job is to find out the vulnerability which led to it and
discover whether the people handling the website have given any helping
hand,” he added.
Cyber attacks
He is of the view that cyber attacks are a very common occurrence.
However, if a person/company follows the general guidelines, such issues
will not arise.
He says the daily update of a website or a database is a must. “If
it’s not updated, there’s a high probability that such sites or accounts
are hacked,” he said.
Chandragupta also pointed out that up to now 1,570 cases have been
reported to SLCERT, of which 80-90 percent are Facebook related and
not really serious issues.
“If we consider the numbers reported there is a decrease. Last year
it was about 2,300 cases, the year before, over 2,800 and currently
1,500 cases have been reported to us.
On the other hand, people have now started to seek help when they
face such situations, which is a good trend. Therefore, there is
definitely a rise in the numbers seeking help from us,” he said.
Dileepa Lathsara, Chief Executive Officer of TechCERT, says that when a
website is set up, information security is crucial and should be a major
concern. “Unfortunately, they are only concerned about the content and
not information security,” he said.
Explaining the reason for the frequency of web hacking incidents,
Lathsara says the free availability of hacking tools on the internet is a
main reason. He said, with guidelines, it is not difficult to hack a
website.
“There is this concept called ethical hacking. That is remotely
trying to hack into these organization websites. They do not do any
destructive attacks or exploit any vulnerabilities. It is done to
identify the issues of a particular website and later rectify it,” he
added.
He thinks that people do not understand the impact of the law if such
incidents are reported. “The Computer Crimes Act of 2007 clearly lays
down actions that the court can take against a person found guilty of
committing cyber crimes. So, I believe, if people are aware, much more
can be done with regard to the issue,” said Lathsara.
Reputation
Expressing his displeasure at some who ‘admired’ the hacking of the
President’s website by a 17 year old, Lathsara said, “It is a bad
precedent. My opinion is, by expressing how smart the student is, gives
out a wrong message to the young generation. They would assume, it is
the easy way to gain recognition.”
A hacker who wished to remain anonymous, voicing his views on why people
tend to hack websites and databases, said some do it to make a political
statement, some to get data to use (Sony/PSN getting cracked for credit
card and account data) and some others to embarrass people.
“An interesting fact about hackers is that they do not want you to
know your systems have been breached so they can get more data from you.
Also, companies whose websites or databases are being hacked, don’t want
the public to know about it, because it would damage their reputation as
well as business,” he said.
He believes that state-owned websites are quite vulnerable to cyber
attacks. “They use a Content Management System (CMS) mandated by the ICTA
and there is (as far as I am aware) little or no maintenance done.
CMSs have to be updated regularly. A well designed and maintained CMS
will come with security and usability updates, some of which can be
applied by simply pressing a button that says ‘update’,” he said.
When asked about the recent incident of the President’s website
being hacked by a 17-year old, he said, “We call them ‘script kiddies’,
they are not real hackers who get into systems in novel and interesting
ways, but people who use tools created by others. It does not need much
skill to press a button on a piece of software that automatically runs
and exploits.”
He said what the schoolboy did was a ‘defacement’, which didn’t do
anything more than cosmetic harm: no data was stolen, nor was any security
breached.
“The Sri Lankan government departments release far more important
information than is necessary, due to incompetency,” he said.
Meanwhile, Minister of Telecommunications and Digital Infrastructure
Harin Fernando was quoted as saying the government will look into
introducing new and improved cyber laws. What steps the relevant
authorities will take regarding this is yet to be seen.