Inside Comelec’s Hacked Website
On May 7, 2013, six days before election day, #pr.is0n3r posted his ninth video on YouTube, 7 minutes and 46 seconds long.
The video showed him breaking into the network of the Commission on Elections (Comelec) using a simple technique. His hacker group, Anonymous Philippines, wanted to find out about Comelec's voter database. They wanted to know whether dead and invalid voters had been purged from the list.

The hacker using the pseudonym #pr.is0n3r injected SQL code that gave him access to a trove of 60 million records. He got what he wanted. He found that registrants from the early 1900s still existed in Comelec's records, despite pronouncements from the poll body as early as 2009 that it was "dead serious" about cleaning up the voters' list.

A year later, even DOST's Information and Communication Technology Office (ICT Office) found weaknesses in Comelec's cyberdefenses. The poll body was made aware of these vulnerabilities. But whatever steps Comelec took after that were not enough.

On March 27 this year, two months before election day, the defenses of Comelec's database were breached through the same technique #pr.is0n3r had used. Fresh IT graduate Paul Biteng inserted code to gain access to Comelec's website. The 20-year-old only wanted to deface the site in an attempt to give "voice to the voiceless." Around that time, he was aghast at Comelec's refusal to add safety measures for the vote-counting machines.

When the site was defaced, the network was unfortunately left wide open. Other hackers got hold of Comelec's most prized database. Hacker group LulzSec Pilipinas dumped Comelec's whole database, posting three mirror links to an index of files that could be downloaded.

The biggest data breach in Philippine history soon unraveled, as the personal information of around 55 million voters floated freely in cyberspace.
The data dump contained 1.3 million passport numbers of Filipinos overseas and 15.8 million fingerprint records.

It is not known exactly how Comelec, an agency that began modernizing the electoral process and computerizing its voter registration a long time ago, failed to put up a fight against one of the most conventional hack jobs.

An anonymous source, currently part of a local hacking conference, said it only takes a few minutes to penetrate websites such as Comelec's. "The defacement was a simple SQL injection, when I checked it," the source, from a Philippine-based hacking conference for like-minded individuals who are into information security, told Stack.

It is even more intriguing why its network, which stores the most sensitive personal information of every voter, was compromised twice by a simple technique. "In the case of Comelec, they seem to be very reactive. Until their website was hacked, they would not have changed their security measures. I checked it and they started putting up measures by March 31, while the technology has long been in place," the source from the local hacking conference said.
“They (Comelec) were not the most cooperative of government agencies.” – Roy Espiritu, DOST ICT Office
What's undisputed is that there are still lingering issues with Comelec's cyberdefenses that, if left unresolved, may once again expose millions of voters' data to the underworld of unscrupulous hackers and criminals.

The #Comeleak incident offers a telling picture of how and why hacking government websites succeeds, revealing a myriad of problems that beset many agencies: poor execution of policies, weak capacity of agencies to defend their systems, and slowness to follow best practices and guidelines. More importantly, it also shows what government agencies need to do to protect their systems against total devastation.

In Comelec's view, the agency has an impressive cyberdefense. In a statement sent to Stack, Ferdinand de Leon, Comelec's IT department director, maintained that "security, up-to-date technologies, guidelines, contingency measures, mitigation procedures, and migration activity are in place prior, during or after the hacking incident." The director, however, declined to give specifics because of the ongoing investigation.

But to the DOST ICT Office, which sets ICT policies and guidelines, the poll body is hard to reach. "They (Comelec) were not the most cooperative of government agencies," Roy Espiritu, DOST ICT Office's information officer, told Stack. "They were informed of the vulnerabilities of their systems two years before the breach." Whether these issues have been addressed is anybody's guess at the DOST ICT Office.
“Security, up-to-date technologies, guidelines, contingency measures, mitigation procedures, and migration activity are in place prior, during or after the hacking incident.” – Ferdinand de Leon, Comelec
What happened at Comelec stands as a landmark case.

Over the past two decades, since the government laid down its e-government service plan, national agencies, local governments, financial institutions, and public enterprises have embraced the power of the internet as a means to deliver better services and transact faster with citizens. More and more government websites are becoming transactional. In the process of building better service platforms, sensitive personal information is collected and stored in a band of connected networks.

With the aggressive move to online transactions and interactive services, the peril for the Philippine government seems to be growing faster than its investment in fortifying its defenses against cyberattacks. In the decade from 2003 to 2013, a total of 1,285 government websites were hacked, according to data from the Department of Science and Technology. From 2010 to 2013 alone, police authorities recorded internet fraud as the most common computer-related offense, and their records show a growing trend.
A loophole in the law
Three years ago, former President Benigno Aquino was alarmed by the rising number of government websites that were hacked and defaced. Through Administrative Order 39, Aquino ordered all government agencies to migrate their web hosting to the DOST ICT Office. The succeeding guidelines lay down detailed instructions on what measures should be put in place for data security and redundancy.

Under the order, the responsibility for handling intrusion prevention and detection systems falls to the DOST ICT Office. This system aims to protect against network- and application-level attacks like the one on Comelec.

The centralized website management is part of the government's broader interoperability framework, one of the main goals of the Medium-Term Information and Communications Technology Harmonization Initiative (MITHI). While some argue against putting all government websites under one roof, the DOST ICT Office assures that it has enough redundancies and tight security protocols in place.

AO 39, however, has one loophole that may have put Comelec at a disadvantage in defending itself against the latest cyberattack: the order cannot compel Comelec to follow the guidelines. According to the order, it is mandatory for all national agencies, financial institutions, and government corporations to migrate their web hosting to the DOST ICT Office. But this does not apply to agencies like Comelec, because they are autonomous from the Executive Branch. AO 39 says: "Hosting of websites of Constitutional Bodies, Local Government Units, and other autonomous branches of the government by the DOST ICT Office shall be encouraged but undertaken at the instance of the above-mentioned government entities."

DOST ICT Office's Espiritu admits that Comelec's nature as a constitutional office gets in the way when it comes to government-wide guidelines.
The commission can always assert its autonomy over certain policies. It is this autonomy that explains why the poll body wasn't required to report back when the DOST ICT Office forwarded its vulnerability assessment to Comelec two years ago. "Being a constitutional commission, [Comelec] is fiscally autonomous, and MITHI has limited influence over them," Espiritu said. "With the breach, however, I think changes will have to be made and they have been more cooperative."

Before the DOST ICT Office hosts websites, they must first undergo a security audit. Sites found with vulnerabilities must take remedial action. Once sites are hosted under the DOST ICT Office, they are monitored regularly. The idea behind this procedure is to ensure that a cyberattack on one website cannot leap to other sites hosted by the DOST ICT Office.
Compliance is a problem
What happened to Comelec can sadly happen to many government agencies, even though AO 39 is very strict about security audits for all websites. That's because many government agencies are not complying.
Currently, only 4 in every 10 government websites have complied with AO 39, according to DOST ICT Office.
The Administrative Order is silent on penalties or sanctions for noncompliant agencies. AO 39 states: "All NGAs, GFIs, GOCCs, and inter-agency collaborations, programs and projects shall completely migrate their websites to the GWHS, without prejudice to contractual rights of the existing web hosting providers, if any, within one (1) year from the effectivity of this AO." The order was issued on July 12, 2013. It asks all agencies not to renew current web hosting contracts and to refrain from entering into new ones.

"Government offices are citing different reasons. It all boils down to the priorities of the agencies. Some say they do not have the mandate to do it. Others, because their websites were established under a contract with a third-party provider, do not know how to start the migration," Espiritu said. "But we're helping them step-by-step."

According to the guidelines, the government web hosting service should run on two data centers with redundant hardware with automatic failover, multiple uplinks, dual-powered equipment, generator sets with uninterruptible power supply, redundant data communication connections, environmental controls, and secure locations. Based on records from the Commission on Audit, the poll commission appears to have two data centers, redundant hardware, redundant data communication connections, and biometrics and CCTV systems installed.

But it was only after the hacking incident that Comelec began the process of migrating its web hosting to the DOST ICT Office. Comelec's website has yet to be fully migrated under the DOST ICT Office's management. Comelec's current website management firm, Cloudflare, is being used by the DOST ICT Office. Espiritu confirmed that the DOST ICT Office is now handling the migration of Comelec's site.
Elections laws without clear-cut security standards
It's been more than two decades since Comelec first began studying how to modernize its voter registry. The move wasn't a cosmetic one: the poll body had long wanted to get rid of flying voters from its database. That the dead or minors were able to vote in past elections had scarred the dignity of the institution and, in many instances, put the credibility of the electoral exercise in question. So Comelec's solution was to move from manual registration to an electronic one in which the biometrics and fingerprints of each voter would be collected.

The poll body attempted to register voters for the 1996 ARMM elections using digital photos of registrants as a feature of the voter card. But this did not cleanse the list of ineligible voters and multiple registrants.

A law was passed in December 1997 authorizing Comelec to use automated elections for the May 11, 1998 elections. Part of the automation system was to computerize voter registration. The nationwide automated election didn't happen, but the computerized voter registration project did push through. In 1999, Comelec awarded the contract to Photokina Corporation, which would supply IT equipment and ancillary services for the project. The project went into limbo amid legal tussles.

In 2003, the poll body revived the project, this time awarding the contract to the French company Sagem. The system, however, lacked an automated fingerprint identification system, among other concerns. The Sagem project was then abandoned.

Between 2004 and 2009, only half of registered voters had their biometrics captured. According to the National Movement for Free Elections, no Automated Fingerprint Identification System (AFIS) was done until late 2009 or early 2010. The poll body gave another contract to the joint venture of Unison Computer System, Lamco Paper Products, and NEC Philippines.
This time, the registration system could capture voters' photographs and digital images of fingerprints. In 2010, Comelec planned to take AFIS records of 35 million voters who had previously given their biometrics. But there was no law mandating biometric capture. After all, Republic Act 8189, the Voter Registration Act of 1996, had not yet contemplated the use of biometrics in voter registration.

Two years later, Congress passed RA 10367 for mandatory biometric voter registration. The law's section on database security states: "The database generated by biometric registration shall be secured by the Commission and shall not be used, under any circumstance, for any purpose other than for electoral exercises." The law can't be enforced immediately without the implementing rules and regulations (IRR), which act as the detailed guideline on how the law will be executed.

The DOST ICT Office admits that the law's IRR did not specify a particular technology for data security. Espiritu of the DOST ICT Office said that because technology changes rapidly, it is best not to indicate any specific technology in the law. E-commerce lawyer JJ Disini said that it is counterintuitive to specify a technology to be used for database security in a law. "What is important is to state the standards, such as the level of protection, declaration of objectives," he said.

The problem with the law's IRR is that it has no provision stating minimum standards for database security.
“What is important is to state the standards, such as the level of protection, declaration of objectives.” – Lawyer JJ Disini
In fact, the IRR's provision on database security is the exact same version of the law's provision: "The database generated by the biometric registration shall be secured and shall not be used, under any circumstance, for any purpose other than for electoral purpose." The absence of minimum standards in the IRR has consequences for the way laws are enforced. Which type of security strategy to implement becomes arbitrary and thus subject to wide-ranging interpretations of what minimum security standards would mean.
Anticipating the next big attack
It's been months since Comelec's network was attacked. At the time, when Paul Biteng thought of hacking Comelec's website, it was out of boredom. Biteng is now under investigation, and authorities are looking into the causes of the hacking, and even Comelec's liability. It also appears that the links to the data dump have been taken down.

Elsewhere in government, in the aftermath of the colossal data breach at Comelec, agencies are fortifying the security of their networks. Some, like the Bureau of Internal Revenue, assure the public that their computers employ "a lot of security." But the damage has been done, and another breach of Comelec's system, or of another agency's, remains entirely possible. Risks, however, can be mitigated and hackers can be detected early.
In the case of the Philippine government, the first line of defense is actually enforcing policies.
The DOST ICT Office should ensure a catch-up strategy for agencies that have yet to comply with AO 39. A work-around for constitutional offices should also be studied.

MITHI can play a role in going after non-compliant agencies. Former President Aquino attempted to harmonize all ICT policies and projects of the Executive Branch. A steering committee would look into each proposal. In theory, agencies should come up with their ICT plan, which the MITHI steering committee evaluates. Failing to do so has financial repercussions. Espiritu said, "The agency's budget will not be approved if it fails to be at par with the industry standards." But the MITHI initiative has yet to be taken up with Budget Secretary Benjamin Diokno and ICT Secretary Rodolfo Salalima.

There's also a need to take another look at the IRR of the Biometrics Voter Registration Law. At the minimum, the provision on database security should include minimum standards. A review of various database security guidelines shows that database policies should touch on these critical areas: information asset valuation, access controls, encryption, and routine auditing.

First, defining the value of information assets is critical. The first order of business, according to the Database Security Consortium, is to identify information that must be protected and classify information according to importance. In a paper, the consortium noted that the goal is to "apply security controls effectively."

In a previous public comment, Comelec assured the public it had nothing to worry about. Speaking on behalf of Comelec, spokesperson James Jimenez said the day after the attack: "Again, I want to emphasize that the database in our website is accessible to the public.
There is no sensitive information there."

International security expert Troy Hunt noted that Comelec's database was a mess. "Clearly some of this should be public, but here you have a whole heap of very sensitive, poorly protected data somehow grouped in with public domain info," Hunt said in his blog post. "This feels like so many other large, legacy corporate databases I've seen which have had numerous developers applying various practices to it over a long period of time."

Second, access should be controlled. In a 2009 whitepaper, the SANS Institute noted that "access control should be deployed based on the principle of least privilege," suggesting that default roles such as DBA should not be used and that specific roles should instead be designed to grant only the necessary privileges. System administrators should only have access to the areas required for their job. Thus, the poll body should outline clear rules on who has the privilege to access data, in line with what existing laws state.

In every legislative district, election officers are primarily designated to collect initial identification data. Consulates and embassies, meanwhile, handle voter registration overseas. Each day within the registration period determined by Comelec, the designated election officer files completed registration applications for action by the Election Regulatory Board. Together with a daily statistical report, a duplicate of these applications is sent to the provincial or regional election supervisor. Comelec uses CDs to store voters' biometric data. Statistical reports are sent weekly to the main Comelec office, while hard and soft copies (on CDs), collated for each month, are sent directly to the Information and Technology Division. The public is prohibited from accessing the personal data of a voter in the Voter's Registration Record, unless through a lawful order of the court.

Third, databases should be encrypted as a general practice.
IT groups note that encryption should be applied to two types of data: data in transit and data at rest. When Hunt looked into the data dump, he was surprised to see that some data were encrypted, while others, such as email addresses and fingerprints, were not.

Fourth, there's routine auditing and monitoring. Auditing should be conducted before applying security policies, and continuous monitoring should become the norm.

It's been more than three months since the country's biggest data breach, but the election commission hasn't fully addressed the issue yet. Early this month, Election Commissioner Rowena Guanzon said that Comelec Chair Andres Bautista has yet to meet with his fellow commissioners to talk about some of his decisions, including the hacking. This is a cause for concern because three months from now, Comelec will once again spearhead the Barangay and Sangguniang Kabataan elections.

[Updated: July 18, 9:53PM]
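To make the two technical points in this story concrete, the "simple SQL injection" the hacking-conference source describes and the SANS advice on least-privilege roles, here is an added example that is not from the article, from Comelec or from the DOST ICT Office: a hypothetical precinct lookup written both the vulnerable way and the safe way, plus a database role that can read only public columns. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for a voter registry; not real records.
# Columns: voter id, name, precinct, fingerprint template.
SAMPLE_VOTERS = [
    (1, "Voter One", "Manila", "fp-template-1"),
    (2, "Voter Two", "Cebu", "fp-template-2"),
    (3, "Voter Three", "Manila", "fp-template-3"),
]
SENSITIVE_COLUMNS = {"fingerprint"}

# The classic textbook probe, kept only to show the two lookups behaving differently.
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db():
    """Build an in-memory registry holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (id INTEGER, name TEXT, precinct TEXT, fingerprint TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", SAMPLE_VOTERS)
    return conn


def lookup_vulnerable(conn, precinct):
    """Lookup built by string concatenation: the user's input becomes part of the
    SQL text, so a quote in the input changes the structure of the query."""
    sql = "SELECT name FROM voters WHERE precinct = '" + precinct + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, precinct):
    """Same lookup with a bound parameter: the value travels separately from the
    SQL text and is only ever compared, never parsed as SQL."""
    sql = "SELECT name FROM voters WHERE precinct = ?"
    return [row[0] for row in conn.execute(sql, (precinct,))]


def web_role_authorizer(action, arg1, arg2, dbname, source):
    """Least-privilege role for the web-facing connection: SELECT on non-sensitive
    columns only. Reading a sensitive column, or any write, is refused."""
    if action == sqlite3.SQLITE_READ and arg2 in SENSITIVE_COLUMNS:
        return sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_web_db():
    """Registry connection restricted to the web role (the DBA role is never used)."""
    conn = make_db()
    conn.set_authorizer(web_role_authorizer)
    return conn


def can_read_fingerprints(conn):
    """True if this connection is able to pull the fingerprint column at all."""
    try:
        conn.execute("SELECT fingerprint FROM voters").fetchall()
        return True
    except sqlite3.DatabaseError:  # SQLite reports a denied read as "not authorized"
        return False


if __name__ == "__main__":
    db = make_web_db()
    print(lookup_vulnerable(db, TAUTOLOGY_INPUT))      # every name: the WHERE clause was rewritten
    print(lookup_parameterized(db, TAUTOLOGY_INPUT))   # []: no precinct has that literal name
    print(can_read_fingerprints(db))                   # False: the web role cannot see the column
```

Even with the vulnerable lookup still in place, the restricted role keeps the fingerprint column out of reach, which is the point of separating the web-facing role from the administrative one.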