
Int'l web security expert slams Comelec for slow acknowledgment of data hack

An international expert on online security on Friday scored the Commission on Elections for its slow action over data leaked by hackers online.

"Part of the problem is that Comelec are still not acknowledging the problem," said Troy Hunt, the creator of, a website that allows people to check if their online accounts have been breached.

Hunt described the Comelec response as irresponsible, adding, "All they need to do is to compare the data in the breach with that in the source system. That's a three hour job, not a three week one."

On Thursday, hackers released a website allowing people to search through the leaked data. While the website has been inaccessible since Friday morning, Hunt notes that the data is impossible to remove from the internet.

"There's an analogy which says, 'Trying to remove information from the internet is like trying to remove pee from a swimming pool,'" said Hunt, noting that the data is currently being passed around through file sharing applications and is still accessible to the public.

How big is the breach?

With the website down and a large number of the population unaware of what private information is now available online, people are left to wonder how the leak affects them.

Hunt says that the situation is "certainly very serious, in terms of the volume of data and the nature of the data itself."

"The risks include impersonation, identity theft, spam, and other risks that exploit information that should be private now being made public," he said.

What makes the leak more problematic is the sheer volume of records.

"Fifty-five million is a huge number for any data breach, but when it's more than 50% of a nation's population then that's an incident that affects a serious portion of the country," Hunt said.

"The data released is spread across many different tables and databases so it's important to note that not everybody has been exposed in the same way — it's worse for some people than others."

For example, if a voter's passport information was part of the leak, a change in passport may be necessary. Less sensitive information like height or weight, Hunt said, may still make people feel uncomfortable as it is personal information they may not wish to publicly share.

When asked if the information leaked can be used to access bank accounts or credit cards, he said, "Indirectly, it's very possible."

"The data attributes that were leaked are often used for identity verification; if I know someone's name, address, birth date, and passport information then I have a significant portion of the information requested by a bank when requesting financial information," he explained.

Comelec still in denial

Hunt said that without knowing what personal information was made available publicly because of the leak, it would be difficult to figure out how to protect yourself against identity theft and other threats.

"(Ordinary citizens should) pressure Comelec to acknowledge the breach is legitimate. They're still in denial and whilst that's the case, it'll be hard to move forward," Hunt said.

"Next, there should be a collective demand to provide impacted citizens with exactly what was compromised about each individual. People deserve to know their exposure.

"Finally, there should be a very clear commitment on the measures they'll take to defend against this sort of attack in the future.

"Also worth noting—often after a breach, those responsible for losing the data provide free identity theft services to victims, usually by subscribing them to existing commercial services. This is a case where that could be quite valuable."

Security shortcomings

Hunt said that based on direct observation of how the site works and a video of the purported attackers breaking into the system, there were obvious security shortcomings.

"Questions need to be asked of whoever built this service in the first place, including what they've now changed to ensure it doesn't happen again," he said.

"There was also definitely no formal security review of the website as these were very obvious flaws. For a government site of this nature, you'd expect to see proper review."

Asked to describe how easy it was to take the information from the Comelec, Hunt responded, "Exceptionally easy. The video I saw showed a SQL injection risk being exploited. This is the biggest—and one of the most well known—risks we have on the web today. It's also one of the easiest to exploit and we often see children using it to compromise websites."

If the same practices have been applied to other government websites, Hunt said that the same risks would likely be present.

A formal review of these sites does cost money, and so do other security devices, but Hunt noted: "The secure software development patterns that would have prevented this are free."

"It costs no more to write code that is resilient to this form of attack than code that is vulnerable, the difference is simply the competency of the software developers," Hunt added.  —JST, GMA News