Monday
June 22nd, 2015 was a sensational day for IT Security peeps in Jamaica .
Clearly ISIS doesn't like Jamaica!
I
guess the GOJ (Government of Jamaica) claim to have begun securing their Websites
against attack as reported in my blog article
entitled “GOJ
securing Government Websites against Hackers - Linux-based GovNET to remove
Windows vulnerabilities and change Human Behaviour” was not actually true
based on what transpired.
The
JIS (Jamaica Information Service) Website got hacked Monday June 22nd,
2015 as reported in the article “UPDATE:
JIS Website Hacked, Sensitive Data Not Lost – Management”, published Monday
June 22, 2015, The Jamaica Gleaner.
But
it wasn't just the JIS Website alone that was hacked. Five (5) other Websites
hosted on the same Server as the JIS were also hacked:
1.
CHASE (Culture, Health, Arts, Sports and
Education) Fund
2.
GC Foster College
3.
SDC (Social Development Commission)
4.
Houses of Parliament
5.
Jamaica National Commission for the UNESCO
(United Nations Educational, Scientific and Cultural Organization)
When
the Website had been check by the Jamaica Observer up to 10:00pm on Monday June
22nd, 2015 as noted in the article “5
Websites hosted by JIS defaced”, published Tuesday, June 23, 2015, The Jamaica Observer the Hackers had
left their mark.
They’d
left the following message was posted on the JIS Website: “Hacked by Team
System Dz: I am Muslim & I love jihad. I love Islamic state (heart).
Message to all the peoples of the world and especially to governments, Islamic
State List to restore the rights of Muslims who have been killed by your
governments savage and unjust, Islamic state will restore dignity for Muslims.
Will purge the land of the Muslims from the hypocrites infidels. It intervenes
you will equip you to dwell in cemeteries. Op USA & Israel. Hackers Islamic
State/.2015” Facebook”.
Based
on the basic verb-subject agreement, it's fair to say that English isn’t the
first language the attackers, lending credibility to the idea that the hack was
carried out by Muslim Fundamentalists, possibly “Hactivist” supporters of the
IS (Islamic State).
JIS Websites hacked – Hours
after Hactivists hacked the GOJ Website, it was back up
A
few hours after 10:00pm, the Website landing page had gone blank, except for
the words “hacked by Holako”, possibly the Hacker's call sign as used in
Chatrooms online.
Apparently
what was a happening behind the scenes was that the Website administrators had
gone to work around 9:02 pm and 9:38 pm, setting about the task of restoring
the Website, a procedure which involved first deleting the old setup files and
then replacing them with an image of the backup copy taken a few days before.
Within
four (4) hours, the JIS Website was restored as the investigators began their
investigations of the hacking attempt. Preliminary conclusions thus far
indicate that they only managed to change the main page of the Website but had
not gotten to any of the connected Databases or services that can be accessed
via the JIS or other Websites.
According
to JIS CEO, Donna-Marie Rowe, the
hackers merely deface the JIS Website and did not get access to sensitive information
and they'd be have the site up and running, which fits with what was observed,
quote: “The aggressor's attempts at breaching our system did not result in
access to sensitive data but was
constrained to 'surface defacement'. Our security team is undertaking recovery
and reinforcement procedures as we speak and the JIS Website will resume normal
function in short order”.
So
how did this hack occur?
Anatomy of JIS Website -
Hackers tied up Strong Man using Keyloggers
Well,
in order for anyone to deface a Website, they'd have to have the login and
password for your Website. In order to obtain your login and password without
your permission, they'd have to steal it from you, most likely via a phishing
attack as explained in my blog article
entitled “Russian
Gang steals 1.2 billion Logins and Passwords - Defense Against the Dark Arts on
How to protect yourself against Hacking
and Phishing”.
So
clearly what must have happened was that the hackers, after scraping the Website
to determine the login page was well as email addresses for JIS employees, they
may have bombarded them with an email offer to encourage them to click on a
link to receive something free.
That
appears to be the case, as two (2) weeks earlier on Wednesday June 10th
2015, an email with the subject “Problems with invoices” was found to have contained
a virus in an attachment labeled “New.zip”.
GOJ
employees has apparently been receiving the mysterious email and after opening
its contents, it began crippling the Computer Networks of the PIOJ (Planning
Institute of Jamaica) as confirmed by JCF (Jamaica Constabulary Force) report
in the article “Computer
Virus Attacking Government Networks, PIOJ Affected”, published Wednesday
June 10, 2015, The Jamaica Gleaner.
The
Ministry of Science, Technology, Energy and Mining soon took action that very same
day, issuing an advisory to all GOJ (Government of Jamaica) employees not to
open this or any suspicious email as detailed in the article “Ministry
issues e-mail virus alert”, published Friday, June 12, 2015, The Jamaica Observer.
Unfortunately,
the email must have been forwarded to others within the various Ministries and
Executive Agencies of Government, including the JIS. At that point, someone
ignored this warning, clicked on the email and open the attachment.
The
virus, most likely containing a keylogger as described in my blog
article entitled “Professor
Marco Gercke warns of Scammers using Keyloggers for Spear Phishing - How to use
Keyloggers and how to Protect yourself from Scammer's American Hustle for Fast
Cash”, sprang to life, installing itself on the various computers.
The
virus also began to spread itself within the GOJ’s Intranet and the Intranet of
the various Ministries and Executive Agencies of Government without the help of
hitchin’ a ride as an email attachment. It spread itself to other computers via
the JIS Intranet and its connection to the Internet, installing itself and
using its keylogger functionality to record keystrokes on the infected
machines.
As
explained in my blog article above, the hackers most likely got updates from
their virus keylogger function, which emailed them copies of keystrokes from
various computers infected with the virus, possibly via a *.bin or *.txt email
attachment or upload to a designated location on a Cloud Server.
Eventually,
one of those infected computer belonged to the Website Administrator, who
entered his password while doing routine maintenance on one of the Websites
that got hacked.
The
keylogger captured it along with possibly hundreds of other passwords, sent it
to the hackers, who after patient trial and error, succeeded in gaining access
to the web server for the JIS, which also happened to be where the five (5)Websites
and thus proceeded to deface those Website.
Why the JIS hack wasn’t worse –
Hactivists failed Validation to access sensitive GOJ
The
reason they couldn't get access to any critical Databases was because those Databases
had possibly required validation i.e. comparisons against another Database for
verification. That is, the individual gaining access had to possibly enter a
GOJ ID i.e. TRN (Tax Registration Number), Passport Number or Driver's License
in order to be allow to view any information.
Even
then, if they had gotten such access, they would have had to have a higher
level access, such as a Database Administrator, in order to gain actual access
to ALL Databases file entries and execute read/write commands or delete the Database.
Such Databases include:
1.
TRN (Tax Registration Number)
2.
Passport Number
3.
Driver's License
4.
Credit Card Payment
Thanks
to verification using a GOJ ID, effectively a form of TSV (Two Step
Verification) similar to a described in my blog article
entitled “How
to enable Apple iCloud TSV using Apple ID – Apple iCloud Fappening created
Hipster Trend of Flip Cellphones, Vinyl Records and Polaroids”, the Hackers
did not get very far.
Some
possibly speculate that they were “hactivists” out to prove a point. But it could
have been much worse.
They
could have hacked the JIS Websites and NOT made such a big fuss about it,
silently gathering an army of hacked email and Database logins and passwords
until they eventually got access to one that gave them read/write access to a Database.
This
hack is therefore a wake-up call for the GOJ to implement GovNET based on Linux
Servers and re-train staff on how to recognize hacking attempts, the weakest linking
their security.
Otherwise,
the next time, hackers may make a bigger statement by not only defacing the Website,
but hacking the GOJ's Databases and publishing its contents online.
No comments:
Post a Comment
Please register and leave you comments. For contact, leave an email or phone number and I'll be sure to get back to you.