How hackers breached vulnerable PH schools

While the world was preoccupied with fighting the pandemic, new tech problems have surfaced that IT departments of schools need to face.  While everyone was in a hurry to implement a new work from home scheme and new school learning arrangements, hackers were also busy exploiting holes in the new systems that are being put into place. The changes brought about by the pandemic did not only bring new ways to work and learn, but also new problems on Internet security and personal privacy.

A group of Pinoy hackers who called themselves Pinoy Grayhats observed that irresponsible hackers are making the PH Internet a playground by exploiting vulnerable schools at will.  This prompted the group to organize an event where members inform the systems administrators of vulnerable schools and teach them how to fix the problem.

The event got mixed reactions from schools.  Some systems administrators thanked the group and acknowledged the help, but most of the time, their warnings were ignored.

In an email and instant messenger interviews, the group said that together with a FaceBook security group Philippine Hacking University (PHU), they have decided to scan servers for weaknesses. Because of the slow reaction from the concerned schools, they took matters in their own hands and fixed the security issues they found. “This has become personal, if these schools would be breached a lot could be affected not only the students but possibly their friends and relatives” the group said.

Here’s what we talked about:


Art Samaniego: What is Pinoy Grayhats and who are its members.

Pinoy Grayhats:  We are the Grayhats, we neither profess to be as good as the whitehats nor as badass like the blackhats. We are a combination of both.  We are from diverse backgrounds, brought together by a common interest, -- internet and computer security.

AS:  Can you share what are you doing right now in PH schools’ servers and websites?

PG:  We scan schools for weaknesses in their websites and other devices connected to the Internet. At first, we send warnings to schools about the vulnerabilities that we found but because of the pandemic we believe that schools have no IT guys on duty, this may be the reason why our warnings were ignored.  We are now scanning PH schools for vulnerabilities and we inform them by sending a message using the details we get from the website.

AS: You said in our previous interview that you’re patching vulnerable PH schools, how did you do it and why?

PG: When we found vulnerabilities, we immediately inform the school.  If we don’t get any reply within an agreed time frame and when the vulnerability is severe, we will put a temporary patch to secure the server. We will also leave a message to the sysad informing him of what we patched and how to secure the site from attacks. Many of the sites could be easily taken down by Google Dorking, it’s a technique that uses Google search to find security holes that websites use. We also use BurpSuite and other security tools to look for vulnerabilities.

AS:  How did the schools take the information that they are vulnerable to hacking?

PG: We got mixed reactions from schools.  Systems Admins usually take our information in a positive way and immediately apply our recommendations, school administrators, on the other hand, take it as an offense and would not talk to us, some would even warn us that they would report us to the authorities.  Usually, these administrators do not fix the site.

AS:  What you’re doing is illegal, you know that of course.

PG:  What we’re doing may look illegal but we have no choice but to secure the vulnerable sites or else irresponsible hackers who are capable of doing the same could get critical data and sell it the highest bidder or use it in a malicious way. 

AS: What data are these?

PG:  Data like full name including middle name, birthday, provincial and city address, student number, contact details including cellphone number, email address, social media accounts, next of kin and contact details and more are considered sensitive information

AS:  What are the most common vulnerabilities you’ve found in PH schools?

PG: Most of the school portals we’ve checked were unsecure. Many have no SSL or expired certificates; this is dangerous as they could be open to attacks. This shows that the IT department is not doing its job of maintaining the site.  While other schools have secure websites, the problem is that their admin credentials are vulnerable to a brute-force attack or worse, saved in plaintext. There are also many school portals with weak passwords, we logged-in as an ordinary user, then escalate our privilege using common server exploits.  Also, many schools that we checked have .git disclosure. We consider this a vulnerability because it could let hackers see what codes are used on the website and could reveal how the site functions. Most of the time, we got the admin passwords if the site has git disclosure.

AS: What are your recommendations to fix the problems you’ve found.

PG: We always recommend to systems administrators to harden their servers, we also give them a list of tools that they could download and use.  It’s up to them if they will follow our advice. Aside from that we also recommend to properly backup their data, update regularly the operating system and software they are using, and do privacy impact assessment as recommended by the Kalasag CERT cybersecurity team a computer security incident response team based in the country, they offer response facility in handling computer incidents.

AS:  Do you have any message to our readers?

PG:  We can all just walk away with the knowledge that most of our websites are vulnerable and live our lives and careers pero papaano later mga biktima nung mga data dumps.  We might wake up one day and see that our personal information down to our pets' names are for sale in the dark web or somewhere else.


The group also sent a file containing a list of sites that they have checked from May to June this year, with a total of 20 schools found to have vulnerabilities. The group said that Pinoy Grayhats together with the Philippine Hacking University (PHU) will continue to check PH schools to make the students' internet experience more secure.