Mystery Shrouds Case of People vs Paul Biteng


A few days ago, the court acquitted Paul Biteng of criminal charges. It was a sensational cyber case for the security community. The case stemmed from a defacement of the COMELEC website AND a later data breach of the voter ID database. Authorities nabbed Paul Biteng for both of these.

In "People vs Paul Biteng," the prosecution charged him with violations of RA 10175 sec 4(a) 1, 3 and 5. COMELEC filed the case with the NBI. At the time, the NBI claimed to have an airtight case against him, and yet Paul was later acquitted. What? How was this possible? As I set out to learn more, my contacts highlighted troubling things surrounding this case.

I started by reading the court filings and documents. I consulted with friends who are industry experts and insiders familiar with the case. None of my sources have agreed to be identified for obvious reasons.

What follows is my personal reconstruction of what most likely happened.

Paul Biteng most likely is the hacker Kh4lifax. This hacker was part of Anonymous Philippines or Lulzsec, or another Pinoy hacker group. He also most likely defaced the COMELEC website. But he was NOT likely to have stolen the COMELEC data.

How it started
Paul discovered that the COMELEC website was vulnerable to a serious flaw. Paul warned COMELEC using its official email address sometime on March 20, 2016. The website had an SQL injection vulnerability. This meant that hackers could exploit this vulnerability for "remote code execution." Once executed, any hacker could gain administrator/root access. They would be like gods and do whatever they wanted on the COMELEC server. One such ability includes being able to steal the voter ID database. This formed the second part of the criminal charges.
Paul must have expected an immediate reply from COMELEC. This vulnerability was huge. As a patriot, his expectations at this point were those of any white hat hacker. A note of thanks, perhaps? Days passed, but COMELEC had not replied. Nothing.
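To make the flaw described above concrete, here is an added illustration (not code from the COMELEC site, whose stack and schema are not on the record): a lookup written the vulnerable way, where user input is pasted into the SQL text, next to the hardened version that binds the input as a parameter and validates its shape first. The table, the voter records and the `voter_id` format `V-NNNN` are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a voter lookup table; not COMELEC's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter_id TEXT, name TEXT, precinct TEXT)")
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?)", [
        ("V-0001", "Alice Example", "P-01"),
        ("V-0002", "Bob Example", "P-02"),
        ("V-0003", "Carol Example", "P-03"),
    ])
    return conn

def lookup_vulnerable(conn, voter_id):
    # The caller's string becomes part of the SQL text, so the database
    # parses it as SQL. A value such as  ' OR '1'='1  turns a single-row
    # lookup into a dump of the whole table.
    sql = "SELECT voter_id, name FROM voters WHERE voter_id = '" + voter_id + "'"
    return conn.execute(sql).fetchall()

VOTER_ID_RE = re.compile(r"^V-\d{4}$")   # assumed identifier format for this example

def lookup_parameterized(conn, voter_id):
    # Two layers: reject anything that is not shaped like an identifier, then
    # bind the value as a parameter so the driver never treats it as SQL.
    if not VOTER_ID_RE.match(voter_id):
        return []
    return conn.execute(
        "SELECT voter_id, name FROM voters WHERE voter_id = ?", (voter_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))       # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))    # nothing comes back
    print("normal lookup:", lookup_parameterized(db, "V-0002"))
```

The second function is what a reviewer would expect on a site holding a voter database: the query text is fixed at development time, and the only thing the request can influence is the bound value.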

“Bug bounty programs weren't a thing yet,” said an insider familiar with the case.

A series of unfortunate events?
Unknown to Paul, the official COMELEC email address was overflowing with spam and hate emails. The upcoming elections and voter systems were the top priority. Because of this, no one from COMELEC’s IT department paid any attention to the emails. That was the first in a series of unfortunate events.

For Paul, COMELEC’s inaction might have led him to think that the COMELEC was incompetent. The COMELEC did not read or escalate the issue. No one from the "top" knew about it. No one fixed the vulnerability. The data breach was inevitable. Maybe Paul wanted to call attention to COMELEC’s ineptitude. Or maybe to the vulnerability? Maybe this frustration caused him to deface the website. I can’t say for sure.

Soon, the details of the vulnerability became known inside the hacking community. A lot of the reference links to the vulnerability were shared from Facebook. One of those who saw the links happened to be an asset of the NBI. This asset may have tipped off the NBI. This might be how the NBI got wind of the vulnerability.

Sometime on March 23, 2016, an NBI computer tested out this vulnerability. I am guessing that the NBI agent got carried away. The agent did not stop at merely validating the claim. Against better judgement, he or she decided to go further and actually downloaded the voter ID database. The NBI, in effect, was the first to violate Sec 4(a)(1). This was the second in a series of unfortunate events.

This person then realized the mistake and tried to cover their tracks. They thought they were smart. They deleted the server logs that tracked their actions. Unknown to them, COMELEC had installed an extra logging system just a few months before. This second logging system tracked and logged the NBI’s IP address. This would later come back to haunt the prosecution.

By now, the NBI knew of the vulnerability. It could have helped secure the COMELEC web server. It was its duty, after all. But, as far as I can tell, the NBI never reached out to COMELEC. So again, no one patched or fixed the vulnerability. This was the third in a series of unfortunate events. FYI: The COMELEC server is designated as "Critical Infrastructure of the Philippines." Some say this was not only a criminal act but also a gross dereliction of the NBI’s duties to the Republic.

On March 27, 2016, which was 4 days later, Kh4lifax, the hacktivist, defaced the website. The NBI obtained warrants and served them on Paul. Upon his arrest, TV Patrol's Ces Drilon interviewed him and he did admit to attacking the website. Indeed, forensic tests on seized equipment showed './kh4lifax' in them.

But by this time, if my memory serves me right, the copy of the stolen voter ID database was already widely circulated online. If the NBI did find a copy of the database on Paul’s hard disk, could they use it as proof of the actual download? Or was this only proof of illegal possession? And did the NBI find the stolen data inside Paul’s seized hard disk? Strange, but I cannot find any reference that they did.

Even if the NBI did, was this enough to secure a legal conviction? Some might say "yes" to the defacement, but most will say "no" to the data breach. These are two different animals. Some say Paul should have been charged with the defacement only.

The Shockers
What follows is a series of testimonies that ultimately led to Paul’s acquittal.

COMELEC IT officer Rouie Jarme Penalba testified that the attacker/s' IP was 27.110.135.130. This was a PLDT IP address block. Strangely, neither of the parties pursued this lead further. There was also talk of another Japanese IP in the 112.x.x.x range. It was supposed to be the 2nd known instance of downloading the stolen data. But I could find no further reference to it. Could this Japanese IP address lead to the identity of another local hacker group that ‘stole the COMELEC data’?

Did the NBI do proper IP address tracing or not? If not, why not? In any case, did the prosecution tie these IP addresses back to Paul? I could not tell. There was no discernible IP tracing effort to tie the IP addresses back to Paul B.

On the other hand, the defense had an ace. Remember the 2nd logging server?

"NPC Records Officer Pilamar Maglunog testified that on March 23, 2016, a computer with IP address 202.90.136.202... stole the COMELEC data." Further testimony by ASTI's Bayani Benjamin Lara showed that the IP address was assigned to NBI.

When confronted, the NBI "... merely skirted the question...". This looks REALLY bad for NBI. Cyber security experts now think that the NBI was caught red handed. NBI was even trying to frame Paul Biteng for criminal acts that they themselves committed.

Now imagine you are COMELEC, and you relied on NBI to help you prosecute the hacker. Then you discover this revelation. COMELEC realizes that someone inside the NBI actually caused the data breach. This act was 4 days ahead of the criminal acts Paul supposedly committed. Would you still want to work with the NBI? Did COMELEC realize that it was running after the wrong party? Did the NBI investigate further to find out who among their ranks was responsible for this fiasco? We have no information that heads rolled over at NBI.

At this point, the prosecution crumbled. In fact, the judge cited this in the acquittal: “... in the light of the finding that the IP address tagged in the commission of the instant offenses is assigned to the NBI, it casts reasonable doubt on accused’s imputed liability for the subject offenses.”

Paul was now a free man.

Your thoughts?
What do you now think of Paul Biteng? Was he a hero or a heel? Was he a victim himself - a scapegoat to take the rap for the data breach? Some experts say that he was lucky that the NBI messed up its investigation. Do you agree? What are your thoughts about the NBI? And what about COMELEC? Did they exercise the standard of due diligence in protecting our private data? Should heads roll at both COMELEC and the NBI? The revelations in this court case have left a lot unanswered.

Lessons to be learned
But let us learn from the lessons of this case. Allow us to share some thoughts:

  1. In Singapore, my CISO friends suggest that a playbook be followed when someone reports a vulnerability:
    - Always respond and thank the person reporting it.
    - Immediately validate the claim.
    - If validated, fix it ASAP.
    - Do some forensic analysis to gain more insights.
    There is an actual website that helps system administrators with incident response: https://www.incidentresponse.com/playbooks. It provides step-by-step instructions to follow for most types of incident.
    One never ignores the tips. This is an important lesson not only for COMELEC but also for the rest of us. Paul wasn’t even asking for a monetary reward. Had COMELEC read and fixed the vulnerability then, none of our private data would be exposed today.

  2. If your official email is clogged up, take the time to clean it. Either use an anti-spam service, or take the time to unsubscribe from all the junk emails.

  3. Network monitoring is critical for security.
    As with most government agencies, I'm guessing that the COMELEC did not have enough budget. They failed to hire a dedicated network monitoring team.
    So when the 320 GB file was compressed to an 80-90 GB file, the spike in CPU went unnoticed. And when the 80-90 GB file was sucked out, no one noticed the increased bandwidth on the 50 Mbps line. Word on the street was that it took under 20 hours to download the 80 to 90 GB file over the limited bandwidth. An alert team would have spotted and stopped the data breach right then and there.
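The detection the paragraph above is asking for is not exotic: a pull of this size keeps a 50 Mbps line near saturation for hours, which is a sustained outlier against a web server's normal egress. As an added example (not COMELEC's monitoring, which by the account above did not exist), the following checks a series of per-interval outbound throughput readings against the link capacity, raises an alert only when utilization stays high for several consecutive samples, and estimates how much data left during the run. The readings, the five-minute sampling interval and the 80% threshold are constructed for the example; the 50 Mbps figure is the one stated in the post.

```python
from statistics import median

LINK_MBPS = 50.0        # upstream line capacity, as stated in the post
UTIL_THRESHOLD = 0.8    # alert when egress exceeds 80% of capacity (assumed)
MIN_SUSTAINED = 3       # ... for at least this many consecutive samples (assumed)
SAMPLE_SECONDS = 300    # one throughput reading every 5 minutes (assumed)

# Constructed egress readings in Mbps: quiet web traffic, then a sustained pull.
EGRESS_MBPS = [2.1, 3.4, 1.9, 2.6, 3.0, 48.7, 49.2, 48.9, 49.5, 49.1, 2.8, 2.2]

def sustained_egress_alerts(samples, link_mbps=LINK_MBPS, threshold=UTIL_THRESHOLD,
                            min_sustained=MIN_SUSTAINED, sample_seconds=SAMPLE_SECONDS):
    """Return one alert per run of >= min_sustained samples above threshold*link_mbps.

    Short bursts (a large legitimate download, a backup) are ignored; a run long
    enough to move a multi-gigabyte file is not.
    """
    limit = threshold * link_mbps
    baseline = median(samples)          # what "normal" looked like over the window
    alerts = []
    start = None
    for i, mbps in enumerate(samples + [0.0]):   # trailing 0 closes an open run
        if mbps > limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_sustained:
                run = samples[start:i]
                # Mbps * seconds = megabits; /8 = megabytes; /1000 = gigabytes (decimal)
                gb_moved = sum(run) * sample_seconds / 8 / 1000
                alerts.append({
                    "start_sample": start,
                    "samples": len(run),
                    "duration_minutes": len(run) * sample_seconds / 60,
                    "gb_moved": gb_moved,
                    "baseline_mbps": baseline,
                })
            start = None
    return alerts

def min_transfer_hours(gigabytes, link_mbps):
    """Lower bound on the time to move a file over a fully saturated link (no overhead)."""
    return gigabytes * 8 * 1000 / link_mbps / 3600

if __name__ == "__main__":
    for alert in sustained_egress_alerts(EGRESS_MBPS):
        print("ALERT: sustained egress", alert)
    for size_gb in (80, 90):
        print(f"{size_gb} GB at {LINK_MBPS:.0f} Mbps needs at least "
              f"{min_transfer_hours(size_gb, LINK_MBPS):.1f} hours")
```

The second function shows why the time window matters: even on a saturated 50 Mbps line, 80 to 90 GB cannot leave in under about 3.5 to 4 hours, so an operator watching interface counters had hours, not seconds, in which to notice and cut the session. Real deployments would read the samples from SNMP or NetFlow counters rather than a list; the logic is the same.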

  4. Security was not a concern from the start.
    Like most web projects, the COMELEC website was engineered more for scalability and speed. Security may not have been included in the scope of work. Only 1 year after the data breach did COMELEC decide to ask for penetration and security tests. I submit that this should have been done on day 1.

  5. Consider a bug bounty program.
    A bug bounty program is an agreement set up by organizations to recognize or reward individuals who help provide information to secure systems. This benefits both the company and the security researchers. It also sets up a dedicated channel of communication between the company and white hat hackers. A well-known bug bounty platform is HackerOne.

  6. Government policy changes are needed.
    For governments, maybe political appointees to sensitive posts should also carry a minimum qualification. This ensures that appointees also have the tech skills to match those needed for the role. For the procurement process, security requirements should be part of the scope of work in every data project.

For reference, the relevant sections that the prosecution charged Paul Biteng with were as follows:
a) Offenses against the confidentiality, integrity and availability of computer data and systems:
(1) Illegal Access. – The access to the whole or any part of a computer system without right.
(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses.
(5) Misuse of Devices.
Got something to add to this? I’d love to learn more. Do add to the comment section.