Breaches are old news, but have we learned our lesson?


The future of Philippine cybersecurity looks bleak. Here are the reasons why.

SSL, or Secure Sockets Layer, protects the data you send to a website by keeping the connection secure. Sensitive data sent to and from your computer is safe because SSL prevents criminals from reading and modifying it. You will know that your data is secure if there's a padlock next to the website address or when the address starts with https instead of http. To activate that padlock and change http to https, you need to install a piece of code on your server. This piece of code is called an SSL certificate and is issued by a trusted Certificate Authority, or CA.

I have posted the list of PH government sites with expired SSL certificates in my previous post.

There are two kinds of SSL certificates that you could use: self-signed certificates and trusted CA-signed certificates. While both of them offer encryption, websites are advised NOT to use self-signed SSL certificates, as they have no value in the real world: no trusted third party vouches for the identity they claim.

It's like handing over a driver's license you printed at home when an MMDA traffic enforcer asks to see your license. You could argue that it contains all the correct information about you, but the traffic enforcer will still look for the real one, issued by the government. The MMDA website, by the way, also has an expired SSL certificate as of this writing.

Now, this!
The website of Malacanang at www.malacanang.gov.ph is using a self-signed SSL certificate.

There's more, continue reading.

-o0o-

More on SSL certificate.

"For more efficient use of technology and greater protection against hacking and cyber-attacks", Administrative Order no. 39 was issued on July 12, 2013, by then President Benigno Aquino III mandating all line agencies to transfer their Internet hosting requirements to the Government Web Hosting Service or GWHS.

All government agencies were also tasked to strictly follow the Uniform Website Content Policy (UWCP) that would give government websites a common look and feel and the PH government a corporate identity.

One of the advantages cited in the website of GWHS is improved security. "Hacking and cyber vandalism is a major issue for government agencies, particularly for those who have frontline online services. The UWCP comes with security guidelines to ensure that industry best practices for web security are implemented."

Now, this!
Problem is, the GWHS failed to renew its SSL certificate, making it vulnerable to attacks and exposing not only its own site but also all the agencies connected to it, including the Office of the President and the Office of the Vice President. The SSL certificates expired more than two months ago. As of this writing, these government offices are still using the expired SSL certificates of GWHS.

But wait, there's more.

-o0o-

Early this month, F5 Networks, a transnational company that specializes in application services and application delivery networking, released a security advisory to address a remote code execution vulnerability in one of its products, the BIG-IP Traffic Management User Interface or TMUI. The company said that this vulnerability may result in complete system compromise, which means that when it is exploited, hackers could download, copy, and delete anything in the affected system. The company also said that if you are using this product, you need to update to the latest version immediately to eliminate the vulnerability.

Now this!

AJ Dumanhug, Secuna co-founder and one of the country's top cybersecurity professionals, checked for instances of the vulnerable product in the Philippines and found that there are 95 instances in the country, four of which are connected to Philippine government websites. These are websites with information on millions of users. He found out about this on July 6 and immediately reported it to the government agency tasked to protect against security threats and cybersecurity risks. As of July 9, all these instances were already fixed. Good, right? Wrong! If we check the timeline, F5 disclosed the vulnerability on July 1; AJ Dumanhug learned about it, checked whether PH servers were vulnerable on July 6 and reported it; and the concerned government agencies fixed the vulnerability on July 9. That's roughly nine days after the security advisory was released, enough time to let hackers download sensitive information from these government sites. Is there a Philippine government agency assigned to take care of issues like this?

F5 also warned that if the affected system is exposed to the internet, there is a high probability that it has been compromised. I asked AJ Dumanhug how long it takes to secure an affected site; he said it could take just a few minutes or a couple of hours to update a vulnerable system.

-o0o-

The expiration of the government's SSL certificates is a cybersecurity problem that could easily be solved with simple housekeeping rules, a problem that security managers could fix by activating notifications and reading emails regularly. Using a self-signed SSL certificate on a website that is available online is a different issue that borders on negligence and ignorance.
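One way to automate that housekeeping check, as an added example that is not code from the original post: the script below flags certificates that are expired, close to expiry, or self-signed. The host names, CA name, dates, the 30-day warning window and the helper names are constructed assumptions; each record is shaped like the dictionary Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl

WARN_DAYS = 30  # assumed renewal lead time; the post does not name one

def flatten(name):
    """Flatten getpeercert()-style name tuples so two names can be compared."""
    return tuple(pair for rdn in name for pair in rdn)

def triage(cert, now, warn_days=WARN_DAYS):
    """Return (findings, days_left) for one certificate record."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    findings = []
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("EXPIRING")
    # Heuristic: issuer equal to subject means no CA vouched for this cert.
    if flatten(cert["subject"]) == flatten(cert["issuer"]):
        findings.append("SELF_SIGNED")
    return (findings or ["OK"]), days_left

def cn(value):
    """Build a one-attribute name in getpeercert() form."""
    return ((("commonName", value),),)

def record(host, issuer, not_after):
    return {"subject": cn(host), "issuer": cn(issuer), "notAfter": not_after}

# Constructed inventory: placeholder hosts and CA name, not real sites.
INVENTORY = {h: record(h, i, d) for h, i, d in [
    ("portal.example.test", "Example Trusted CA", "May  1 00:00:00 2020 GMT"),
    ("office.example.test", "office.example.test", "Jan  1 00:00:00 2030 GMT"),
    ("pay.example.test", "Example Trusted CA", "Aug  1 00:00:00 2020 GMT"),
    ("mail.example.test", "Example Trusted CA", "Jul 15 00:00:00 2021 GMT"),
]}
NOW = ssl.cert_time_to_seconds("Jul 15 00:00:00 2020 GMT")  # constructed "today"

def report(inventory=INVENTORY, now=NOW):
    """Map each host to its (findings, days_left) pair."""
    return {host: triage(cert, now) for host, cert in inventory.items()}

if __name__ == "__main__":
    # Most urgent first: smallest number of days left.
    for host, (findings, days) in sorted(report().items(), key=lambda kv: kv[1][1]):
        print(f"{host:22} {days:6d}d  {','.join(findings)}")
```

Run on a schedule against an inventory of an agency's own sites, a report like this surfaces a lapsed certificate weeks before visitors see a browser warning.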

The F5 Networks problem could have been fixed immediately if we had people monitoring the internet for possible threats. It would have been a non-issue if we had cybersecurity professionals assigned to check for possible threats before they actually happen. Highly technical problems could be solved by cybersecurity professionals with extensive knowledge not only in securing systems but also in using advanced monitoring systems that could give a warning if things like this happen.

We could look back at what happened to COMELEC's servers in 2016. Five months before the biggest breach in the history of the country, we had already warned the agency that its system was not secure. Instead of asking us for more details about our report, the IT head at that time said it was not true and shut down further talks. The rest is history.

If this goes on, expect more breaches that could put Comeleak to shame in terms of the number of Filipinos who could be affected.

Sadly, it looks like we did not learn our lesson.