Posted to ph-isp. More reason to subscribe ;)

----- Forwarded message from rastamad <[EMAIL PROTECTED]> -----

hi! i believe this hacking incident is recent as we (pcij) haven't come across it in the course of our research on philippine cybercrimes. we're coming out with a feature on the issue in our quarterly magazine, i, supposedly out this month. i just wish to share with the list, sort of an advanced screening, findings of our article. apologies for the lengthy piece. =)

alecks

The Dark Side of the Net
by Alecks P. Pabico and Yvonne T. Chua

A TELECOMMUNICATIONS company suffers severe disruptions in its services resulting in unsent text messages, missed calls and zero balances to newly loaded prepaid cards of thousands of its subscribers. Private investigators eventually trace the breakdown to a security breach committed by an engineer of the firm's own equipment supplier. The culprit has altered the default settings, causing the entire system to crash. Losses are estimated at P50 million.

Over at a bank, an insider copies the data on the magnetic stripes of credit cards that include personal information of approved cardholders. The stolen data are later discovered by authorities to have been used by a syndicate in unauthorized phone and online transactions amounting to P100 million.

Brokerage firms selling stocks in non-existent companies to East and Southeast Asian nationals, meanwhile, evade law enforcers hot on their tracks by transferring the money via electronic banking and deleting all the transaction records from the computer system.

Hypothetical situations to illustrate what mischief could be done with computers, you say? Think again. The scourge of cybercrimes is already upon us, and these are nothing less than real-life circumstances behind computer-perpetrated crimes in the Philippines.

This is the dark side of the Internet, whose benefits include allowing people to interact electronically for personal and commercial purposes.
But the Net also provides new opportunities and instruments for the pursuit of criminal activity, such that computers have become targets of offenses like hacking or virus attacks. Or they are used as tools to commit traditional crimes of fraud, theft, pedophilia and child pornography, among others. The anonymous character of the virtual world has also appealed to organized crime syndicates.

Here in the Philippines, computer crimes ranging from petty website defacement -- the online equivalent of vandalism -- to sophisticated intrusions have plagued the computer networks of some of the country's leading information technology (IT) companies, commercial banks and retail firms over the past several years.

Such security breaches have amounted to significant financial losses and are becoming rampant as to seriously threaten industries, businesses, government offices and private citizens. But these have gone largely unreported to authorities and by the media since most victims tend to keep silent about the attacks.

Incidents of credit card fraud, for instance, are usually not reported as doing so would lessen consumer confidence in the concerned e-commerce sites. To most firms, acknowledging a security breach in the system is bad for business, tantamount to signing their own death warrants.

Elfren Meneses Jr., chief of the Anti-Fraud and Computer Crimes Division of the National Bureau of Investigation (NBI), admits the situation is getting alarming. "As I prophesied after we enacted a law in the wake of the destruction wrought by the 'Love Bug' virus, cases will just multiply. That is what is happening," he says.

In June 2000, the Philippines passed the Electronic Commerce (E-commerce) Act or Republic Act 8792 -- the fourth Asian country to do so after Malaysia, Singapore and South Korea -- penalizing computer crimes like hacking, spreading computer viruses and online piracy.
The law, which wasn't even a priority bill in both Houses of the previous Congress, was partly in reaction to the "I Love You" virus unleashed by computer programming student, Onel de Guzman, a month earlier. The virus crippled email systems worldwide, causing damages of up to $10 billion.

Since then, the NBI has been getting complaints mostly from online merchants that have fallen prey to credit card fraud, estimated to cost around US$400 million annually in the United States alone. Hackers have been able to download from global e-commerce sites or through generator programs credit card numbers or access codes that they use either to buy products online or sell to other Net users.

What makes this crime even easier to commit is that online purchases don't need to verify the credit card owner's identity. Transactions are considered valid if the cards are found to have sufficient value. Meneses says most Filipino perpetrators are students whose purchasing power is enhanced by using other people's credit cards.

Website vandalism is another common grievance, as it is becoming a favorite pastime of Pinoy hackers. This consists of assaults on existing Web pages by supplanting these with their own. Not meant to alter operating systems or networks the way virus or distributed denial-of-service attacks do, defacements are more for the thrill they bring and for bragging rights in the hacker community.

Besides, vandalism is in the culture, observes Norberto Chingcuanco, president of the Distributed Processing Systems, Inc. (DPSI). "Defacing, graffiti and all -- there's a distorted sense of achievement when they are able to destroy something," he says.

At least 32 victimized sites under the ph (for Philippines) country domain made it to the list of Attrition.org, a site that used to track down website defacement activity around the world. Twenty of these websites, mostly of IT companies, universities and government agencies, were defaced just this year.

ONLY a few cybercrime victims, however, have gone as far as filing criminal cases in court, the most publicized of which involves the alleged stealing of proprietary data of the Thames International Business School by its own employees.

Thames is the first school in the Philippines that grants a foreign degree. Its academic program consists of the first two years held here and validated by the University of Cambridge, and the last two years taken in any of the 14 university affiliates abroad.

Owners of Thames have accused the school's former IT head and a systems supervisor of hacking into the computer system and copying their intellectual property with the aim of selling these abroad. The NBI investigation also uncovered documents such as Thames's business plan, copyrighted materials, study guides and training manuals in one of the suspect's possession. The case, with damages amounting to US$3 million, is pending before a Pasig trial court.

As the Thames case and many other serious instances of unauthorized access or network intrusion show, the greater threat to information security is internal rather than external.

In the early 1990s, a leading local bank was hit by automated teller machine (ATM) fraud after one of its employees discovered a glitch in the ATM software. When done with a transaction, users just punched a sequence of numbers called an "open loop" that allowed the machine to dispense money until it ran out of cash.

More recently, investigations into the problem of zero balances in newly bought prepaid cards have linked the anomaly to telco employees who have access to the codes database of unused cards and those classified for dealership. They then make the stolen codes available for a lesser fee to anyone to load to their cellular phones.

The situation is somehow confirmed also by earlier surveys on computer crimes and security done by the Computer Security Institute (www.gocsi.com) of U.S. corporations and government agencies.
Until this year, respondents were reporting more incidents of unauthorized access by insiders (71 percent) than outsiders (25 percent). Though this has dramatically dropped to 49 percent this year, the CSI says it is premature and dangerous to assume that the threat from insiders is actually decreasing.

Lawyer Jesus Disini can only agree. An expert in the emerging field of e-commerce and cyberspace law, he maintains that computer networks are most vulnerable to the people using the network.

"As a former hacker once said, the easiest way to get into a system is to get information from insiders," he says. "And they don't even have to hack it. They resort to 'social engineering', by befriending employees, courting secretaries and those with a low level of security awareness."

A lot of social engineering aimed at fraud, network intrusion, industrial espionage and identity theft also happens via fax and email, and even in Internet chat rooms. More and more, email is being used in lieu of the telephone in fraudulent telemarketing operations. A typical example would be an announcement about a free vacation to some Caribbean paradise the email recipient has won and which asks him or her to reply with basic personal information, including credit card number.

Besides, Filipino hacking activity rarely involves information systems with high levels of security. Hacked sites are often those that don't even practice basic security measures like firewall protection and password encryption.

Miguel Paraz, Inter.net senior vice president for engineering, counts about a hundred local hackers but few of which are technically adept as, say, their Russian or Eastern European counterparts. He also would rather refer to them as "crackers" or "black hat" hackers, to differentiate them from "white hat" hackers or IT security people like him.
What compounds the situation is that for each one, there would be at least five to 10 more people who benefit from hacking in terms of stolen Internet accounts and passwords.

If at all, the perception that Filipinos are among the best hackers is misplaced as well. "It's the result of the Love Bug incident," Chingcuanco says. IT practitioners like him doubt if de Guzman did write the virus program, which was a derivative of a very old malware called Minerva.

Chingcuanco says what de Guzman might have done was to rename it, add a few codes as his signature, and send it out. "Because he named it 'I Love You', everybody opened it (including Pentagon officials)," he notes. "That was his 'genius,' but it's not expertise in programming a virus."

Chingcuanco concedes that there are a few good Pinoy hackers, but that these are the ones steeped in the mathematical field. Joel Santos, director of Thames, thinks the same, saying, "there are really very, very smart, clear-cut hackers. But those are very few. Majority are really the ones who just copy, download the source codes and launch them."

Which is partly correct, what with about 2,000 websites worldwide that teach anyone how to hack and offer a host of malware for free. Dirt-cheap pirated software containing hacking programs and tools are also easily bought from sidewalk hawkers.

ALL this, Disini explains, boils down to the low level of security consciousness Filipinos have in cyberspace. "We understand the value of security. It's nothing new. But how come this consciousness changes online? It's a matter of shifting this attitude with respect to information. The way it is now, people think information has no value," he says.

With security concerns, the Internet service providers (ISPs) are put in a position of responsibility since they provide the Internet backbone as data carriers.
After all, without the ISP, there would be no opportunity for any user to dial up and access pornographic materials or to hack a credit card account.

But local ISPs are not being regulated in this regard. Inter.net's Paraz points out, "It's a case-to-case basis in terms of what the ISP administrator thinks is appropriate." To Paraz, the worst crime an ISP can be accused of is negligence, "leaving your systems insecure, allowing hackers to come in."

Technically, of course, ISPs should abide by certain security standards in firewalls, intrusion detection systems (IDS), digital IDs, authentication services, anti-virus and filtering software. But few local providers have IDS in place. And it's only now that caller IDs are being installed as part of the technical setup and security policy.

The Philippine Internet Service Organization (PISO), an association of local ISPs, has likewise adopted a Code of Ethics emphasizing self-regulation within the framework of sound Filipino values. The Code discourages the use of the Net for morally harmful purposes.

As the U.S. experience suggests though, information security is not remedied merely by deploying technologies for self-protection. Despite the wide use of firewalls, IDS and access controls, the CSI survey shows that 85 percent of respondents still detected security breaches in the last 12 months.

This is where legal protection comes in. For the Philippines, the legal framework as provided by the recently enacted E-commerce Act is already in place. Patterned after the United Nations Commission on International Trade Law (UNCITRAL) on Electronic Commerce and the Singapore Electronic Transactions Act, RA 8792 is lauded for covering all 10 types of computer crimes. U.S. laws cover only nine. Only recently, the Supreme Court also issued the rules governing the use of electronic evidence.

"It is there to prohibit cybercrimes and prosecute cybercriminals.
The challenge now is on law enforcement," says Disini, who is also co-chair of the government's IT and E-commerce Council (ITECC) Legal Cluster.

Unfortunately, law enforcement suffers from all sorts of inadequacies -- in particular, investigative skills especially in digital detective work and computer forensics and the corresponding state-of-the-art equipment. The NBI, for instance, still uses circa 1960s devices. Its agents survive on their own resourcefulness and the technical expertise provided occasionally by the U.S. Federal Bureau of Investigation (FBI). (Thames had to hire Hong Kong-based British professionals to do a probe using computer forensics equipment.)

There are local law enforcers like Meneses, who has taken pains to learn the rudiments of information technology in order to fight cybercrimes. But the other pillars of the criminal justice system -- the prosecution and the courts -- are lagging behind. Few lawyers and judges are that knowledgeable in IT. Some do not even know how to open a computer, much less access the Internet.

"I'm happy that we have a law," Thames's Santos says, "but it's never been tested. We're the test case and the judicial system is so slow. We're going through the normal process."

Believing Internet crimes should be solved at Internet speed, Santos is advocating for a specialized court like the ones that prosecute infringements on intellectual property rights. A regular judge, he says, cannot be a judge of cybercrime as he or she has to be an expert on cyberlaw, both in terms of the legal and technical requirements.

Yet even the Philippine Center for Transnational Crimes (PCTC), the only other agency combating cybercrimes, sees the e-commerce law as still insufficient and not specific. "There are a lot of crimes that can be done with the computer," says Inspector Weneco Fuentes, adding that the Center is already working on the draft of a cybercrime bill. "Like trade in smuggled goods, child and even adult pornography, the sale of mail-order brides, even selling firearms, not just simple hacking."

The same frustration is shared by nongovernmental organizations like the End Child Prostitution, Child Pornography and the Trafficking of Children for Sexual Purposes (ECPAT), which reported two cases of online child pornography to the NBI last year.

The websites Paradise Lolita and Lollipop featured Asian children, including possibly Filipinos, in varying nude poses and sexual acts. Paradise Lolita's nameserver carried a ph domain csf.kin.com.ph but its domain name is registered to a U.S. company, Kinetic Computer Corp. The email provided had the domain bulacan.net.ph, which belongs to a computer company based in Bulacan. The Internet Protocol (IP) address of Lollipop, on the other hand, was traced to the Netblock of the Manila Bulletin.

No cases were filed against the website operators. "The NBI had a hard time finding out what case to file. Under RA 7610, we can file for child abuse. But how can we file that if we don't have the children? All we have were downloaded images," Hope Abella, ECPAT executive director, says.

BUT the law is only one part of the solution, especially given the jurisdictional question posed by the transactional nature of cybercrimes. The consensus is that a treaty is the only long-term solution. But countries have to agree first on contentious issues as basic as definitions and terms. In the meantime, governments are left to their own devices, including mutual cooperation agreements.

One area of cooperation is on cybercrime investigation. The NBI complains of the non-cooperation of ISPs in accessing certain information. According to the ISPs, the requests touch on privacy concerns. But now the ITECC Legal Cluster is trying to cobble together an agreement between law enforcement and ISPs/telcos on information-sharing that takes into account specific concerns such as confidentiality.

A similar memorandum of agreement (MOA) is being eyed by ECPAT with law enforcers to set up a surveillance team in the future. "The NBI will work on the police aspect, we work on the child-friendly aspect," Abella says. ECPAT also hopes to work with ISPs on zero tolerance of all forms of online child abuse.

The PCTC sees an even bigger role for government in the form of a single agency that oversees the security of the country's information technology infrastructure like the National Infrastructure Protection Center (NPIC) in the United States.

For IT educators, the path to take is via good old-fashioned education. Schools like the Asia-Pacific College provide their students with values education in the first year where they are taught email etiquette and netiquette. In their senior year, they learn professional ethics along with e-commerce and other business laws.

Students of cybercrime victim Thames, meanwhile, are spearheading an IT ethics campaign (www.itethics.com). It's the fastest, cheapest way to do law enforcement, Santos says. "We're telling people it's bad to steal, to hack, to infringe on other people's materials. Nobody's telling any high school kid who prides himself in having hacked a hundred minutes of Internet access from his ISP that it's wrong. You start with petty crimes like that, and it just gets bigger."

Another motivation is correcting the impression created by a Time newsmagazine article earlier this year that referred to the Philippines as a "hackers' paradise." Santos says Onel de Guzman is the "wrong icon we need and that the country should make a strong stand against that branding." Advocating ethics in IT, he insists, will drive home the point that it is safe to invest in IT in the Philippines and to hire Filipino IT professionals.

Well, Trend Micro, a U.S. technology firm, should know. They have Filipino programmers in their employ creating anti-virus software.

At 12:22 PM 09/07/2001 +0800, you wrote:
>Ever heard of the Filipino hacker who allegedly siphoned off funds from
>Expedia.com to an account somewhere in Muntinlupa?

----- End forwarded message -----
