“If hackers were to go on to the STATIN (Statistical Institute of Jamaica) or PIOJ (Planning Institute of Jamaica) Websites ... where international people are looking for data on Jamaica, the hackers could misinform them. So one of the biggest dangers is embarrassment to the country”
Cyber-Security Consultant Andrew Gordon, in an interview with the Sunday Gleaner
According to their own admission, the GOJ (Government of Jamaica) are sitting ducks, vulnerable to hackers, as stated in “Easy targets - Scores of government Websites open to hackers”, published Sunday June 29, 2014, The Jamaica Gleaner. Thus far, the Ministry of Science, Technology, Energy and Mining’s response to this impending onslaught has been to create additional legislation to deal with the cybercriminals.
They’ve received extensive free help from the OAS (Organisation of American States) through their Inter-American Committee Against Terrorism Program. The danger is very real; if hackers can get access to the various Databases that house GOJ IDs, Credit Card information and other personal information on Jamaican Citizens from such Websites as the Registrar General's Department, Tax Administration Jamaica or one of 43 other Government Websites, we could be facing a massive case of identity theft... assuming it hasn't happened already.
The lack of news of any major hacking breach is not because none has happened. Rather, to avoid causing alarm, a breach discovered by Server Administrators during routine checks of their Websites and Data is usually hushed up by the Management, fearing legal repercussions and possibly embarrassing the country on an International scale.
Very little has been done on the preventative front, though, aside from the establishment of CERT (Cyber Emergency Response Team) in May 2013 to respond to Hacking Threats to Jamaica, as explained in my blog article entitled “GOJ amends the CyberCrime Act of 2010, enlists Ethical Hackers in a Cyber Emergency Response Team - White Hat Hackers are the Q.U.E.E.N Project Janelle Monae and Erica Badu Style”. In fact, CERT is a part of Minister of State in the Ministry of Science, Technology, Energy and Mining Julian Robinson’s Three (3) pronged approach:
1. Amended Anti-Cybercrime Law of 2010 with stiffer penalties
2. A comprehensive strategy/policy
3. Emergency Response Mechanism
Granted, Minister of State in the Ministry of Science, Technology, Energy and Mining Julian Robinson means well. Their legislative framework in the form of the CyberCrime Act of 2010 isn’t new, being mainly a response to Mr. Philpott Martin’s infamous hack of Telecom Provider Digicel as documented in my blog article entitled “Mr. Philpott Martin is the DPP and Digicel Hacker - Jamaica Cybercrimes first Django Unchained makes it clear that Digicel's MINSAT and DWS are hackable”.
But on reading this article, I’m getting the impression that they’re being taken for a ride by their own Cyber-Security Experts. Also, a part of the problem is the GOJ's laissez-faire attitude to Computer Security, being as many of them still transact most of their business on paper and, due to their advanced age, rarely use Computers.
GOJ and Cybercrime – Reduce Hacking Threats by simply changing Human Behaviour
The reason why I say that is because using Security software to spot vulnerabilities in a Website is of very little help without an understanding of what they mean and what actions to take to rectify them. You see, all Websites, in order to render and appear properly, have to be compiled like any program before being loaded into their WebServers.
Scripting errors, as they’re called, usually refer to:
1. Dead Links – HTML (Hyper Text Markup Language) links that lead to non-existent Websites
2. Font Errors – CSS (Cascading Style Sheet) that dictate how Text is rendered on different screens and browsers
3. Java Script Errors – Programs that need JVM (Java Virtual Machine) to run but can’t, usually due to an issue with computers running Windows XP and no JVM installed
Most Scripting errors are really due to the Browser used on a Government Computer. In most Government Institutions, the common Browser used is Internet Explorer 7.0 on a Windows XP Computer. Internet Explorer is an outdated Browser. To fix most Website rendering errors, in most cases it’s as simple as:
1. Upgrading to Internet Explorer 8.0 if you are on a computer running Windows XP
2. Upgrading to Internet Explorer 9.0 or higher if you are on a computer running Windows 7 or 8
3. Using an alternative Browser such as Mozilla Firefox or Google Chrome Browser
4. Installing the JVM if you have a computer running Windows XP
5. Updating the Service Packs if you’re on a computer running Windows XP
As for Dead links, you’ll have to just do a sitemap using a site-mapping software such as Micro System Tools A1 Sitemap Generator. Once you determine the dead links, your Web Administrator can log in to the Admin for the Website and remove them one at a time. This can be done by rerouting them back to either the main page or a warning page advising the visitor to the Website that the link no longer exists, so that they don’t end up seeing the traditional “404: Page not Found” message.
Finally, educating persons not to click on links in email would go a long way in preventing persons from becoming infected with Keyloggers, the main way by which hackers can gain access to Servers and Login remotely to a Server, as explained in my blog article entitled “Professor Marco Gercke warns of Scammers using Keyloggers for Spear Phishing - How to use Keyloggers and how to Protect yourself from Scammer's American Hustle for Fast Cash”.
Defacement of Websites – Not possible if you have a strong password
Which brings me to the next issue of defacement of Websites. Good to note here that this isn’t spray paint Graffiti; one cannot overlay a Website onto another like spraying on graffiti as the term “defacement of Websites” implies. Rather, to deface a Website, the hacker has to gain access to the Website by logging into the Website’s CMS and then altering the Website design.
To deface a Website, the hacker would have to gain access to your webserver by using your login and password. To that end, they usually look at what type of Server your Website is hosted on as well as the CMS (Content Management Service). Once the hacker figures this out, they then try to access your Website by finding out the login name, which in most cases is usually an email address.
Their main method of doing this is by using email Sniffing software such as Atomic Email Hunter to sniff out any emails associated with your Website. Additionally, the same Site mapping software, Micro System Tools A1 Sitemap Generator, can be used to sniff for the Server Login or Challenge screen for the Website.
They may also download the entire Website using Website downloading software such as HTTrack so that they can analyze the Website in greater detail and locate the Server Login Screen along with the login name. Once they gather enough information and locate the Server Login Screen, they then raise an army of Botnets as described in “This Site Shows Who Is Hacking Whom Right Now — And The US Is Getting Hammered”, published JUN. 26, 2014, 12:34 PM, by JEREMY BENDER, Business Insider, to hack the Server Login screen via Brute-force i.e. running a list of passwords until they gain access to the Server.
This can all be prevented by the Webserver Admin routinely changing the login name and password once every 30 days to a non-standard mix of lower and upper case letters and numbers. As simple as that might sound, that’ll be more than enough to prevent someone from accessing your Website CMS Account e.g. Blogger, Wordpress, Joomla and uploading a new Webpage, which is effectively what defacing a Website involves.
I know. That’s what I’ve been doing to prevent hackers altering my blog My Thoughts on Technology and Jamaica, as I’d chronicled in my blog article entitled “Strategies to mitigate against Blogspot Shutdown – How to do a backup of your Blogger Blog in case Disaster Strikes as Maintenance is key”.
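An added example, not part of the original post and not code from any GOJ system: a short Python script that counts failed logins per login page inside a five-minute window, so a Brute-force run spread across many Botnet addresses still stands out in the Webserver log. The login path /admin/login, the HTTP 401 failure status and the log lines themselves are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumptions (not from the post): the CMS login form is POSTed to
# /admin/login and a failed login is answered with HTTP 401.
LOGIN_PATH = "/admin/login"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_sample_log():
    """Constructed access-log lines: a botnet-style burst plus one normal user."""
    base = datetime.strptime("29/Jun/2014:03:00:00 +0000", TS_FMT)
    def line(ip, offset_s, status):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" {status} 512'
    burst = [line(f"203.0.113.{i + 1}", 5 * i, 401) for i in range(12)]
    user = [line("198.51.100.7", 21600, 401), line("198.51.100.7", 21620, 200)]
    return burst + user + ["garbled line that does not parse"]

def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Flag bursts of failed logins counted per login page, not per source IP."""
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or (m["method"], m["path"], m["status"]) != ("POST", LOGIN_PATH, "401"):
            continue                        # skip unparsable or unrelated lines
        failures.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    failures.sort()
    alerts, start = [], 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1                      # slide the window forward
        hits = failures[start:end + 1]
        if len(hits) < threshold:
            continue
        per_ip = Counter(ip for _, ip in hits)
        alert = {"start": hits[0][0], "failures": len(hits),
                 "distinct_ips": len(per_ip), "max_per_ip": max(per_ip.values())}
        if alerts and alerts[-1]["start"] == alert["start"]:
            alerts[-1] = alert              # same burst, still growing
        else:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(make_sample_log()):
        print(a)
```

In the constructed log each address fails only once, so a lockout that counts per IP address would never trigger; counting at the login page is what exposes the burst.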
Hackers are also Social Engineers, as they sometimes pose as employees of an organization in a bid to gain information about that organization. Hackers also know human behavior; they know that once they find one password, their target will usually use the same password for everything else.
Some even go the extra mile of sending email and getting you to click on a link so that they can install keyloggers via the link that you clicked or sometimes just to verify your email for hacking purposes. Having different passwords for all your different online services is more than effective enough to prevent hackers gaining access to your Website.
GOJ and Linux OS – GovNET needs to be implemented to remove Windows vulnerabilities
These above tips will be more than enough to secure individual computers at any Government Ministry as well as the Main Server sans any serious security software:
1. Updated Browsers
2. Password and Login Rotation every 30 days
3. Encourage workers to have different passwords for different services
4. Awareness campaign among staff to have them not click on links sent in emails from people they don’t know
5. Blocking Social Media on Desktop and Laptop computers
Overall, upgrading the individual computers in the GOJ to Linux OS as part of GovNET, as was originally planned and chronicled in my blog article entitled “GOJ Parliamentarians upgraded to Microsoft Surface Tablets and GovNET Wide Area Network - Minister Paulwell efforts to reduce paper may accelerate Jamaican Tablet Adoption”, is the best Security decision.
This is because a lot of hackers often gain access to Servers via flaws in Computers running Windows XP, which Microsoft recently fixed as described in my blog article entitled “Microsoft issues Bug Fix Windows OS including Windows XP - Corporate irresponsibility averted as CERT and DHS Slap on the wrist made a difference”. These vulnerable computers, which are a part of a Network, are usually hacked via the same keylogger or Brute-force hacking of the Server Remote Login Screen as described above.
By switching to using a Linux Distribution, not only can the GOJ save on paying for Windows Licensing or being accused by Microsoft of Software Piracy, but it would be a cost-effective way to upgrade from Windows XP without having to buy more Windows 7 or 8 Licenses as described in my blog article entitled “NetMarketShare Second Quarter Stats show Windows XP Growing Strong while Google Chrome in No. 2 Spot - Windows 7 Upgrade Windfall for Computer Repair Technicians”.
After all, the problem is Microsoft Windows. The upgraded version will cost in terms of Licenses. So a follow-through with the implementation of GovNET would be the best long-term security defense for the Websites holding sensitive Government of Jamaica information.