By Mia Rosienna Mallari
Conclusion
GRATIFICATION is what hacking is about for 20-year-old Kyuubei.
As young as 10, the person behind the name has entered the myriad of codes and computer systems—a contrasting shift to his fascination for animé and manga.
“It is self-satisfying; the bounty comes last,” he said. “For example, on Facebook, you get $100 per exploit. Last time I checked in Google, you can earn $1,337 per exploit.”
It is rarely regarded in public there are two kinds of hackers: white hats and black hats. Kyuubei considers himself neither.
Based on his narrative, white-hat hackers are usually seen on online meet-ups, those who enjoy reading white paper and guides on hacking and earning for it in a “respectable way.”
Black hats, on the other hand, are more notorious online. Kyuubei usually encounters them selling credit-card information from exploited web sites and selling exploit software in the underground online market.
They’re usually found on the anonymous browser that blocks traffic analysis, diverting data surveillance and prevents users from being tracked down.
“You can’t get tracked if you’re not stupid. That’s where pedophiles hang out to sell and share CP [child pornography], Hard Candy or Snuff. Again, if you’re not stupid. That’s the price for making it so secure.”
Uncertainties
ACCORDING to Niño Valmonte, director of product management and marketing at IP Converge Data Services Inc. (IPC), there is no specified data as to how many security attacks are launched periodically in the country. Nevertheless, the global report of cloud-based security service Imperva Incapsula recorded alarming rates of Distributed Denial of Service (DDoS) attack growth worldwide.
“Web application and DDoS attacks are doubling in number every year, with a recorded peak of more than 100-gigabytes per second attack [in terms of] bandwidth last year,” Valmonte said in an interview with the BusinessMirror. “With these massive attacks, most organizations cannot withstand it and will become vulnerable.”
He explained companies, such as IPC, offer mitigation services “as far as technologies against DDoS attacks are concerned.”
“This would be beneficial for the Comission on Elections [Comelec] and Namfrel [National Movement for Free Elections], because they provide election-related information via their web sites, making them a potential target this coming elections,” Valmonte said.
The Incapsula report is a clear indication of how DDoS poses a formidable threat to the government and businesses in any industry worldwide, including the Philippines. The Comelec web site was defaced by Anonymous Philippines some time around midnight of March 27. The homepage was compromised, as the hacktivist group demanded that the full-security features of the Precinct Count Optical Scan machines be utilized. This is in line with the decision of the commission not to print voter’s receipts in the upcoming May 9 polls.
In the latter part of 2015, the web site of the National Telecommunications Commission (NTC) was infiltrated by the hacktivist group Anonymous, protesting the sluggish Internet speed in the country. The group said they “are sympathizing with our fellow Filipino netizens whose battle cries are the ‘overpromised, underdelivered’ system of our Internet service providers.” The hacking was done shortly after the NTC conducted a bandwidth test on the broadband connection of four Internet providers in the country.
The group vandalized the site’s homepage with its staple black background with the overlaid message alongside a figure of the character “V.” The anarchist and vigilante from the V for Vendetta movie has become the unofficial face of the group.
It was the same figure used by 60 masked hacktivists in 2013 during a protest against pork barrel in Batasang Pambansa. The protesters held placards that said, “The corrupt fears us. The honest supports us. The heroic joins us.” In the same year, the group has paralyzed more than 30 government web sites simultaneously as it expressed its political views.
Kyuubei said that, despite the slow Internet speed in the country, it does not post much of a hindrance for hackers like him.
“If you’re doing some big s_t, you will use another machine or virtual private server.”
According to him, there are endless ways of hacking into a web site, like using a cross site script (CSS), where he can run a modified script into the system that can hack an end-user of the web site. Another is the file-inclusion exploit, where a hacker can upload any kind of file to a web site that without that does not filter its content.
“This is the most common and most dangerous kind of exploit, especially if the web site handles tons of user information, SQLi or Structure Query Language Injection, where they can execute commands in a page and download all the contents of a database on a web site,” he explained.
Kyuubei disclosed that this is what Anonymous uses most of the time to hack into web-site databases. He also said this is the easiest exploit a hacker can learn to run.
Improvements
AFTER the implementation of the Cyber Crime Act and the beefing up of security on government web sites, he commended the government for the drastic measures it has taken.
“Improved!” Kyuubei said. “Dati ’di marunong mag-filter ng SQL ’yung mga DB ng government web site at gumagamit sila ng exploited CMS.”
Now, according to Kyuubei, all software used by the government are updated. He didn’t say how he got this information.
Still, these measures are not enough as, he said, hackers have consistently managed to infiltrate government web sites, the latest of which was the Comelec’s.
“DDoS is a serious online crime that cannot be ignored. It warrants a definitive course of action from highly skilled professionals trained in this type of cyberwar,” IPC President Rene Huergas said.
The study published by Incapsula revealed there were changes in the DDoS attack patterns during the last quarter of 2015 and a surge in the use of DDoS-for-hire services. A 25.3-percent increase from the previous quarter in terms of frequency of network layer attacks was also recorded.
Protection
POLITICAL concerns aside, the young hacker said online protection is not always up to concerned government organizations. What gets hackers like him through a system sometimes is the absentmindedness of users.
“My point is that the government does not protect you from the Internet. It’s up to you,” Kyuubei said. “Once you’re online and you post information about yourself, you’re only making yourself vulnerable like most people. What you only have to do is lessen your vulnerability.”
He encourages users to come up with passwords that are lengthy and difficult to guess. Avoid signing up in doubtful sites, because some web sites do not encrypt the user’s password, he added. He also recommended the use of GNU Privacy Guard when sending sensitive data to another user. This lessens the probability of risking information, as well as encrypting e-mail conversations, providing the only keys to the user to unlock the encryption.
“And people are still stupid enough to click scandal and hoax links. For crying out loud, that is the No. 1 target of hackers, because it lures a lot of people.”
He also added that both individuals and organizations should update their systems regularly and use trusted antivirus and antispyware, even if it means spending on software.
On the legislation side, the Philippines has the Cybercrime Prevention Act of 2012 that protects web sites from defacement and data hacking. Nevertheless, most hackers remain undetected, because of the anonymous hosting software they use for operations.
Kyuubei has already committed several crimes, including illegal access, illegal interception, data interference, system interference and willfully streaming of child pornography.
If taken into account, his crimes could land him between 12 years and 48 years in prison. If found guilty, Kyuubei also faces a P1-million fine. That is, if he ever gets traced by authorities.
Ironically, Kyuubei stated that if ever a netizen feels like his online rights were abused, they should report it immediately.
“Read up on laws? If you feel like your rights were violated on the Internet as stated in the cybercrime law, then go directly to the Electronic Frontier Foundation,” he said. “If you feel like you were ever offended through posts and comments, welcome to the Internet: this is the reflection of humanity.”