Wednesday, July 2, 2014
GOJ securing Government Websites against Hackers - Linux-based GovNET to remove Windows vulnerabilities and change Human Behaviour
“If hackers were to go on to the STATIN (Statistical Institute of Jamaica) or PIOJ (Planning Institute of Jamaica) Websites ... where international people are looking for data on Jamaica, the hackers could misinform them. So one of biggest dangers is embarrassment to the country”
Cyber-Security Consultant, Andrew Gordon in an interview with the Sunday Gleaner
According to their own admission, the GOJ (Government of Jamaica) are sitting ducks, vulnerable to hackers as stated in “Easy targets - Scores of government Websites open to hackers”, published Sunday June 29, 2014, The Jamaica Gleaner. Thus far, the Ministry of Science, Technology, Energy and Mining’s response to this impending onslaught has been to create additional legislation to deal with the cybercriminals.
They’ve received extensive free help from the OAS (Organisation of American States) through their Inter-American Committee Against Terrorism Program. The danger is very real; if hackers can get access to the various Databases that house GOJ IDs, Credit Card information and other personal information on Jamaican Citizens from such Websites as the Registrar General’s Department, Tax Administration Jamaica or one of 43 other Government Websites, we could be facing a massive case of identity theft... assuming it hasn't happened already.
The lack of news of any major hacking breach is not because none has happened. Rather, to avoid causing alarm, a breach discovered by Server Administrators during routine checks of their Websites and Data is usually hushed up by the Management, fearing legal repercussions and possibly embarrassing the country on an International scale.
Very little has been done on the preventative front, though, aside from the establishment of CERT (Cyber Emergency Response Team) in May 2013 to respond to Hacking Threats to Jamaica as explained in my blog article entitled “GOJ amends the CyberCrime Act of 2010, enlists Ethical Hackers in a Cyber Emergency Response Team - White Hat Hackers are the Q.U.E.E.N Project Janelle Monae and Erica Badu Style”. In fact, CERT is a part of Minister of State in the Ministry of Science, Technology, Energy and Mining Julian Robinson’s Three (3) pronged approach:
1. Amended Anti-Cybercrime Law of 2010 with stiffer penalties
2. A comprehensive strategy/policy
3. Emergency Response Mechanism
Granted, Minister of State in the Ministry of Science, Technology, Energy and Mining Julian Robinson means well. Their legislative framework in the form of the CyberCrime Act of 2010 isn’t new, being mainly a response to Mr. Philpott Martin’s infamous hack of Telecom Provider Digicel as documented in my blog article entitled “Mr. Philpott Martin is the DPP and Digicel Hacker - Jamaica Cybercrimes first Django Unchained makes it clear that Digicel's MINSAT and DWS are hackable”.
But on reading this article, I’m getting the impression that they’re being taken for a ride by their own Cyber-Security Experts. Also, a part of the problem is the GOJ’s laissez-faire attitude to Computer Security, as many of them still transact most of their business on paper and, due to their advanced age, rarely use Computers.
GOJ and Cybercrime – Reduce Hacking Threats by simply changing Human Behaviour
The reason why I say that is because using Security software to spot vulnerabilities in a Website is of very little help without an understanding of what they mean and what actions to take to rectify them. You see, all Websites, in order to render and appear properly, have to be compiled like any program before being loaded into their WebServers.
Scripting errors, as they’re called, usually refer to:
1. Dead Links – HTML (Hyper Text Markup Language) links that lead to non-existent Websites
2. Font Errors – CSS (Cascading Style Sheet) that dictates how Text is rendered on different screens and browsers
3. Java Script Errors – Programs that need JVM (Java Virtual Machine) to run but can’t, usually due to an issue with computers running Windows XP and no JVM installed
Most Scripting errors are really due to the Browser used on a Government Computer. In most Government Institutions, the common Browser used is Internet Explorer 7.0 on a Windows XP Computer. Internet Explorer is an outdated Browser. To fix most Website rendering errors, in most cases it’s as simple as:
1. Upgrading to Internet Explorer 8.0 if you are on a computer running Windows XP
2. Upgrading to Internet Explorer 9.0 or higher if you are on a computer running Windows 7 or 8
3. Using an alternative Browser such as Mozilla Firefox or Google Chrome Browser
4. Installing the JVM if you have a computer running Windows XP
5. Updating the Service Packs if you’re on a computer running Windows XP
As for Dead links, you’ll have to just do a sitemap using site-mapping software such as Micro System Tools A1 Sitemap Generator. Once you determine the dead links, your Web Administrator can log in to the Admin for the Website and remove them one at a time. This can be done by rerouting them back to either the main page or a warning page advising the visitor to the Website that the link no longer exists, so that they don’t end up seeing the traditional “404: Page not Found” message.
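As an added illustration (not part of the original article, and not how A1 Sitemap Generator works internally), the sketch below crawls a small constructed Website held in memory, lists each dead internal link together with the pages that still point to it, and builds the list of redirects to a warning page. The host example.gov.jm, the page contents and the /link-removed.html warning page are made-up placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed three-page site keyed by URL; example.gov.jm is a placeholder host.
SITE = {
    "http://example.gov.jm/":
        '<a href="/reports.html">Reports</a> <a href="about.html">About</a>',
    "http://example.gov.jm/reports.html":
        '<a href="/2012/census.pdf">Census</a> <a href="/">Home</a>'
        ' <a href="http://other.example/x">External</a>',
    "http://example.gov.jm/about.html":
        '<a href="/contact.html">Contact</a> <a href="/2012/census.pdf#p2">Census</a>',
}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag on one page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_dead_links(site, start):
    """Crawl from start; return {dead_url: sorted list of pages linking to it}."""
    host = urlsplit(start).netloc
    seen, queue, dead = set(), [start], {}
    while queue:
        page = queue.pop()
        if page in seen:
            continue
        seen.add(page)
        parser = LinkCollector()
        parser.feed(site[page])
        for href in parser.hrefs:
            target = urljoin(page, href).split("#")[0]  # resolve, drop fragment
            if urlsplit(target).netloc != host:
                continue                                # external link: not checked
            if target in site:
                queue.append(target)
            else:
                dead.setdefault(target, set()).add(page)
    return {url: sorted(pages) for url, pages in dead.items()}

def redirect_rules(dead, warning_page="/link-removed.html"):
    """One (old_path, new_path) pair per dead link, pointing at the warning page."""
    return sorted((urlsplit(url).path, warning_page) for url in dead)
```

The report tells the Web Administrator which pages to edit, and the redirect pairs can be entered into whatever redirect feature the Website's Admin provides.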
Finally, educating persons not to click on links in email would go a long way in preventing persons from becoming infected with Keyloggers, the main way by which hackers can gain access to Servers and Login remotely to a Server as explained in my blog article entitled “Professor Marco Gercke warns of Scammers using Keyloggers for Spear Phishing - How to use Keyloggers and how to Protect yourself from Scammer's American Hustle for Fast Cash”.
Defacement of Websites – Not possible if you have a strong password
Which brings me to the next issue of defacement of Websites. It’s good to note here that this isn’t spray paint Graffiti; one cannot overlay a Website onto another like spraying on graffiti as the term “defacement of Websites” implies. Rather, to deface a Website, the hacker has to gain access to the Website by logging into the Website’s CMS and then altering the Website design.
To deface a Website, the hacker would have to gain access to your webserver by using your login and password. To that end, they usually look at what type of Server your Website is hosted on as well as the CMS (Content Management Service). Once the hacker figures this out, they then try to access your Website by finding out the login name, which in most cases is usually an email address.
Their main method of doing this is by using email Sniffing software such as Atomic Email Hunter to sniff out any emails associated with your Website. Additionally, the same Site mapping software, Micro System Tools A1 Sitemap Generator, can be used to sniff for the Server Login or Challenge screen for the Website.
They may also download the entire Website using Website downloading software such as HTTrack so that they can analyze the Website in greater detail and locate the Server Login Screen along with the login name. Once they gather enough information and locate the Server Login Screen, they then raise an army of Botnets as described in “This Site Shows Who Is Hacking Whom Right Now — And The US Is Getting Hammered”, published JUN. 26, 2014, 12:34 PM, by JEREMY BENDER, Business Insider to hack the Server Login screen via Brute-force i.e. running a list of passwords until they gain access to the Server.
This can all be prevented by the Webserver Admin routinely changing the login name and password once every 30 days to a non-standard mix of lower and upper case letters and numbers. As simple as that might sound, that’ll be more than enough to prevent someone from accessing your Website CMS Account e.g. Blogger, WordPress, Joomla and uploading a new Webpage, which is effectively what defacing a Website involves.
I know. That’s what I’ve been doing to prevent hackers altering my blog My Thoughts on Technology and Jamaica as I’d chronicled in my blog article entitled “Strategies to mitigate against Blogspot Shutdown – How to do a backup of your Blogger Blog in case Disaster Strikes as Maintenance is key”.
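The Brute-force attempts against a Server Login screen described above leave a trail of failed logins in the webserver's access log. As an added example (not from the original article), this sketch flags a burst of failed logins inside a sliding window and counts how many different addresses took part, which is how an attempt spread across a Botnet shows up. The log lines are constructed, and the /admin/login path, the 401/403 failure codes and the threshold of 5 failures in 60 seconds are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format): one mistyped password
# followed by a successful login, then 8 failures spread over 4 addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jun/2014:09:15:02 +0000] "POST /admin/login HTTP/1.1" 401 310',
    '198.51.100.7 - - [29/Jun/2014:09:15:20 +0000] "POST /admin/login HTTP/1.1" 302 0',
] + [
    f'203.0.113.{10 + n % 4} - - [29/Jun/2014:10:00:{2 * n:02d} +0000] '
    '"POST /admin/login HTTP/1.1" 401 310'
    for n in range(8)
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines, login_path="/admin/login"):
    """Yield (timestamp, source_ip) for each failed POST to the login page."""
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["path"] == login_path
                and m["status"] in ("401", "403")):  # assumed failure codes
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per burst: start, end, failure count and source IPs."""
    recent = deque()            # failures still inside the sliding window
    alerts, current = [], None  # current = alert being extended by the burst
    for ts, ip in failed_logins(lines):
        recent.append((ts, ip))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) < threshold:
            current = None      # burst is over (or has not started)
            continue
        if current is None:
            current = {"start": recent[0][0], "failures": len(recent),
                       "ips": {src for _, src in recent}}
            alerts.append(current)
        else:
            current["failures"] += 1
            current["ips"].add(ip)
        current["end"] = ts
    return alerts
```

Counting failures against the login page as a whole, rather than per address, is what lets the check catch a burst where each address only tries a password or two.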
Hackers are also Social Engineers, as they sometimes pose as employees of an organization in a bid to gain information about that organization. Hackers also know human behavior; they know that once they find one password, their target will usually use the same password for everything else.
Some even go the extra mile of sending email and getting you to click on a link so that they can install keyloggers via the link that you clicked or sometimes just to verify your email for hacking purposes. Having different passwords for all your different online services is more than effective enough to prevent hackers gaining access to your Website.
GOJ and Linux OS – GovNET needs to be implemented to remove Windows vulnerabilities
These above tips will be more than enough to secure individual computers at any Government Ministry as well as the Main Server sans any serious security software:
1. Updated Browsers
2. Password and Login Rotation every 30 days
3. Encourage workers to have different passwords for different services
4. Awareness campaign among staff to have them not click on links sent in emails from people they don’t know
5. Blocking Social Media on Desktop and Laptop computers
Overall, upgrading the individual computers in the GOJ to Linux OS as part of GovNET as was originally planned and chronicled in my blog article entitled “GOJ Parliamentarians upgraded to Microsoft Surface Tablets and GovNET Wide Area Network - Minister Paulwell efforts to reduce paper may accelerate Jamaican Tablet Adoption” is the best Security decision.
This is because a lot of hackers often gain access to Servers via flaws in Computers running Windows XP which Microsoft recently fixed as described in my blog article entitled “Microsoft issues Bug Fix Windows OS including Windows XP - Corporate irresponsibility averted as CERT and DHS Slap on the wrist made a difference”. These vulnerable computers that are a part of a Network are usually hacked via the same keylogger or Brute-force hacking of Server Remote Login Screen as described above.
By switching to using a Linux Distribution, not only can the GOJ save on paying for Windows Licensing or being accused by Microsoft of Software Piracy, but it would be a cost-effective way to upgrade from Windows XP without having to buy more Windows 7 or 8 Licenses as described in my blog article entitled “NetMarketShare Second Quarter Stats show Windows XP Growing Strong while Google Chrome in No. 2 Spot - Windows 7 Upgrade Windfall for Computer Repair Technicians”.
After all, the problem is Microsoft Windows. The upgraded version will cost in terms of Licenses. So a follow-through with the implementation of GovNET would be the best long-term security defense for the Websites holding sensitive Government of Jamaica information.