By Mia Rosienna Mallari / Second of three parts
A USERNAME like Kyuubei is a dead giveaway for a fervor for anime and manga, the Japanese animation and comics pop culture. Deep in the Web, Kyuubei is nothing more than another data-consuming user. Unlike other millennial Internet residents, he puts the data he expends to an entirely different use.
“[I get hired by] desperate people who want to know the Facebook password of their enemies or people they’re in a relationship with,” he shakes his head. The man explains that, while he tries to understand the motive of these people, he is saddened by the superficiality of their being.
He gets paid for what he does, but that’s only the surface-level kind of work. The 20-year-old lives for the thrill of hacking, the exhilarating feeling he gains from being able to infiltrate high-profile systems past layers of coding and intricately put up security walls. Kyuubei is credited with defacing several government web sites in 2011, barely a year before the Cybercrime Prevention Act of 2012 was enacted.
To date, Kyuubei has committed several offenses under the act. Based on the information gathered during the interview with BusinessMirror, the hacker already has several counts of illegal access, illegal interception, data interference and system interference.
“Once I managed to keylog a US citizen and I spent all his credit-card money for exchanging bitcoin and use it to host some CP on TOR,” Kyuubei said in staccato, not caring if the listener understood the hack-speak. “It was worth it,” he said with a grin.
Bitcoins are considered a new-age payment system, a digital asset that operates with no central authority or banks. The CP Kyuubei was referring to is online lingo for child pornography. He said he used an anonymous browser that prevents traffic analysis, protects the user from data surveillance and keeps server signals from being tracked down.
According to law, people, like Kyuubei, who willfully use child pornography materials, face six to 12 years of imprisonment and a fine of P0.2 million or $4,317.32 at current exchange rates. He has never been detected.
“The Philippines still does not have a strong protection for technological infrastructure against cybercriminals,” Niño Valmonte, director of product management and marketing at IP Converge Data Services Inc. (IPC), said.
Valmonte said the most common malware encountered locally are called “worms” and “trojans,” which infect almost half of all computers in the country. Computer worms can self-replicate on computers, or via computer networks, without the knowledge of the user. Trojans are malicious programs that perform actions that have not been authorized by the user.
Government infiltration
FOLLOWING a round of attacks on government web sites before the 2013 elections, the Department of Science and Technology (DOST) beefed up the security around the government’s online assets, emphasizing the additional layer of protection for the agencies providing their services online.
These include the Government Service Insurance System, the National Statistics Office, Pag-IBIG and Philippine Health Insurance Corp. While not purely a government agency, the Social Security System is also included. The protection is for such sites requiring sensitive information from their users. If compromised, these data could be used for identity theft and extortion, among others, according to Valmonte.
“It depends on the software, really,” Kyuubei said. “That’s the basis of the system’s vulnerability especially if the software is outdated.”
The young hacker explained the facets of hacking and how overlooking safety measures can pose threats, not only to an individual, but to any organization he or she is affiliated with.
He said accounts can be compromised through the user’s system. If the system’s defenses are weak, it is easily exploitable by bypassing the thin layer of protection it has, Kyuubei explained. The targeted victim can be exploited through any web site he is signed up on, though it may be difficult if the hacker does not have any initial background on the victim.
“The same thing goes with hacking an e-mail. Based on my experience, you have to do some stalking first before I look for the e-mail. If I find it, all I have to do is check the two questions on his ‘forgot password’ page and that’s when I start gathering data,” Kyuubei said.
He added that hackers can easily pretend to be a relative or a person who has been granted access by the victim. With the inconsistent web-site security in the country, records can easily be accessed, for example from a school registrar web site or any web site that may contain vital information that can give clues.
If this doesn’t prove to be successful, the next option would be to obtain data through a phishing technique, which involves creating a fake web site that plays on the victim’s specific interest to acquire the username and password. In some cases, the phishing method is used by hackers to obtain credit-card information.
Having strangers access personal computers can also pose a threat to the users through keylogging, which records the keys pressed for the duration of the system’s usage.
“Easy game, easy life,” the hacker said, shrugging his shoulders.
“Assuming an attack is a possibility, it could be orchestrated by anyone who may gain from the hacking, be it to manipulate results, steal confidential data, etc.,” Valmonte said.
Questionable safety
LATE Easter Sunday, the Commission on Elections (Comelec) web site was compromised, hacked by Anonymous Philippines, through a Distributed Denial of Service (DDoS) attack, which disrupted the traffic of the web site. The hacktivist group egged on Comelec to ensure that all of the Precinct Count Optical Scan (PCOS) machines, which will be used in this year’s national elections, will have their security features optimized.
“What happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld? We request the implementation of the security features on the PCOS machines,” the message posted by Anonymous on the Comelec web site said on March 27.
The hacking of the web site created buzz on social media and had netizens questioning the safety of the elections. But Comelec Spokesman James Jimenez was quoted as saying no such ruckus will transpire during the election proper, and no sensitive information was compromised during the hacking.
Jimenez said the Comelec’s Information Technology Department (ITD) and its Web Development Team are already working to restore all the databases of the Comelec web site, as soon as possible.
Meanwhile, the Comelec dismissed fears by some groups that hackers might be able to penetrate the poll body’s server that contains election results.
“The election web site will be very secured,” Jimenez said. “It will have its own set of security features, which are different and of a higher quality than the one we are using now.”
He said different levels of security are being adopted for the Comelec web site and the would-be election results server.
“It is a difference between securing a grocery list on the one hand and securing a list of commands to the army. Sure they are both important…but are you going to use as many resources protecting your grocery list as your order to the army?” Jimenez explained.
The Comelec web site was restored at about 3:15 a.m. on Monday, said Jimenez. “However, as we continue to scour the site, all databases remain temporarily off,” Jimenez said.
VVPAT
DURING a congressional hearing in the Senate in February, the Comelec disclosed they have reached a unanimous decision not to print receipts or the voter verification paper audit trail (VVPAT). This document is meant to show the voter that his or her ballot has been received and read by the machine. It also verifies that the votes have been correctly placed.
Comelec Chairman Andres D. Bautista explained the process would mean allotting more time during the election proper. Bautista said it would take about 13 seconds to print the ticket, another 15 to 20 seconds for a voter to read and crosscheck the printout and several minutes to change the ribbon once the paper roll is finished.
On March 8, the Supreme Court (SC) requested the Comelec to allow the implementation of the VVPAT on the vote-counting machines (VCMs) to be used in the elections. Ten days later, the SC ruled with a 13-0 vote that the Comelec implement the VVPAT. “It is incorrect for the [Comelec] to argue that the law does not require each voter to verify whether the vote-counting machines recorded his or her votes properly.”
The Comelec’s decision to do away with the VVPAT triggered fears that groups would be emboldened to hack and tamper poll results to favor certain candidates. However, Sen. Aquilino Pimentel III quickly pointed out the latest cyberattack was limited to the Comelec web site, and noted no indication the poll-body servers were compromised.
“Yes, the hacking should put Comelec on notice that ‘hacking can be done,’” Pimentel told the BusinessMirror. “But web site is different from the election servers.”
Another group called Lulzsec was earlier reported to have separately claimed it gained entry into the Comelec database and leaked it to the Internet. However, this has yet to be confirmed by authorities.
Asked if lawmakers will seek a firm guarantee from the Comelec of the May 9 elections’ integrity despite the hacking of its web site, Senate Minority Leader Vicente Sotto indicated they intend to do so.
“We must have concrete assurances from Comelec that their computerized-voting systems are well protected,” Sotto III said in a text message to the BusinessMirror.
Everything’s hackable
IN 2015, Smartmatic TMI Corp. representative Marlon Garcia said in a public statement it will take a hacker 10 years to successfully hack a single PCOS machine.
Only a conspiracy among those with authorized control over the system can possibly meddle with the results, automated-election expert Pablo Manalastas said during a hearing last month.
Each machine has its own unique encryption key. The only possible way to hack through it is from the inside, and only by those with access to all the sign-in keys. To date, there are over 96,096 VCMs ready for use in May.
Kyuubei thinks otherwise.
“Everything connected to the Internet is hackable. There are so many ways. You can edit the firmware, connect to the Comelec’s SSH and delete all [content in] their database or edit their database to rig the elections.”
Nevertheless, he also thinks this may be improbable. “There is a minimum probability compared to before since ’di tulad ng dati, may utak na sila ngayon. [Unlike before, the people in Comelec appear to be now using their brains.]”
(To be concluded)