Cyberterrorism: Is Phil ready?

CEBU, Philippines - Osama bin Laden is dead. However, terrorism is alive and kicking.

According to lawyer Al Vitangcol III, certified computer hacking forensic investigator, this is because “terrorism continually reinvents itself in new and more dangerous forms – including cyberterrorism.”

The Internet also serves as the most democratic front of the Digital Age, thereby allowing the creation of a new battle zone for both good intentions and evil schemes.

Speaking before the Rootcon 5 Hackers Conference at the Cebu Parklane International Hotel last September 9 in observance of Information Security Awareness Month, Vitangcol tackled on how vulnerable the Philippines is in the absence of a clear and solid national policy in place on information system security and Internet infrastructure stability.

In fact, he disclosed that the creation of an Office of Cybercrime is still to materialize in 2012, under the Department of Justice, with an initial P5-million budget.

“The Philippines is seen as a nation lacking a strategy for cyberterrorism. We don’t have a clear national policy in combating cyberterrorism,” he said.

Even though we have a Homeland Security Act of the Philippines (Republic Act 9372) signed in February 2007 and an Electronic Commerce Act of 2000 (RA 8792), these ostensibly have not mitigated properly the current and emerging challenges in information security (infosec). Likewise, the acts have failed to punish offenders fairly because of the laws’ own loopholes.

Senate Bills 2676 filed by Senator Edgardo Angara and 1749 by Sen. Miriam Defensor Santiago have sought clear definition and wider scope of cyberterrorism as against cybercrime as these terms are not interchangeable. Definition of cyber-terrorism from “widespread extraordinary panic…” seeks the inclusion of “intention to coerce the government to give in to an unlawful demand.” Meanwhile, cybercrime is “disruption of electronic or info systems involving computers or computer networks.” The latter is the focus of SB 2786 (Cybercrime Prevention Act of 2011) providing for prevention, suppression and [stringent] imposition of [higher] penalties upon offenders.

With an ever-increasing use of the Internet, among cyberterrorists, to communicate, conduct operational planning, recruit and train, and obtain logistical and financial support, it isn’t far that various information systems in the Philippines could be the next major – and easiest – target. It’s not even a matter of how, but when. Attacks happen everyday through email bombing, Web defacement, and political propaganda. Release of malicious wares into the wild – from viruses, to worms, file infectors and backdoors - can also be carried out in information system-controlled water and distribution supply, cooling systems of power plants, traffic systems, and even health records, according to Vitangcol.

“It is a fact that vulnerabilities in security on the Internet and computers encourage cyberterrorists all the more. Take note that the suicide bombers in the 9.11 incident had booked their plane tickets online. They even communicated through cyberspace, aside from using steganography,” Vitangcol pointed out.

Steganography is employed to hide data within data. Otherwise referred to as cryptography, it is the science of writing in secret codes or writing in a concealed manner to produce the existence of a secured message. It can also be taken as a form of security through obscurity. “Deciphering codes would entail a look into graphic images where the messages are embedded similar to that of the film Da Vinci Code,” Vitangcol added.

This certified e-Commerce instructor then used as example our traffic system to show how unprotected program software can create widespread fear, panic, injury, and loss of lives (the elements of terroristic acts). “For example, the traffic lights here in Cebu. Isipin nyo na lang if ang program would normally take a stop for around two minutes and another two minutes for a go signal, tapos maya’t maya eh magiging three minutes ang stop. Tapos biglang three minutes ang go, then balik na naman sa two minutes interval. Anong mangyayari sa kalsada natin? Sa mga sasakyan? In the next seconds, cars would collide, our streets in a mess,” he said.

He used this analogy to represent a scenario of our vulnerabilities which continue to encourage terrorists to enhance their hacking skills. He cited that most computer attacks become successful because network computers with exposed vulnerabilities may be disrupted or taken over by the attacker. Imagine how our various industries’ reporting systems, item promotions, and banking functionalities, just to name a few, would be sent crashing and rendered useless – our precious resources wasted!

Another is that, even up-to-date security patches installed may still be vulnerable to a type of attack called “zero-day exploit.” This is a type of attack that takes advantage of security vulnerability on the same day that the vulnerability becomes generally known.

“Take note that this vulnerability persists largely as a result of poor security practices and procedures, and inadequate training in computer security,” he stressed.

Nevertheless, vulnerabilities come with counteractions like prevention, detection, reaction and recovery. “Note that one of the main tasks is reaction not proaction. We are encouraged to be proactive. However, it is underlined that in cyberterrorism, one can not be proactive [per se]. For how can you be proactive if you don’t even know the main mode of attack,” Vitangcol further explained.

In a demonstration to underscore how live hacking can manipulate online banking systems in a matter of seconds, two infosec professionals penetrated into one of the Top 3 most vulnerable banks in the Philippines. True to form, the hacking experts pounced on the bank’s simulated database and “gathered vital information such as PIN codes” to show how weak the system is.

“We are not touching any of the bank’s network, though,” the duo was quick to point out. The apparently “cloned Web page” where customers transact in electronic form was used to “show you that yes, it is this simple to get into the bank’s system so that something has to be done,” they emphasized.

It was ironic, however, that the banking and finance sector being one of the most susceptible industries had only one representative of the 150 participants in the two-day hackers confab organized by Rootcon, an online community of security enthusiasts headed by Mr. Dax Labrador (aka Semprix), founding director, and Ederlindo Cojuangco II, co-founder. Prior to the event, Cojuangco made mention that the event seeks to encourage more people to secure their own network from the prying eyes in cyberspace. “Know your enemy. Think like one of them. Defend your network,” he said.

Clearly, the event has sent the message across that prevalence of loopholes in infosec entices continued intrusion and exploitation, leading to massive security breaches.

And yes, the Philippines has not developed immunity to such! - (FREEMAN)