Civil Service Commission data breach, thousands of user details exposed

A hacker who calls himself IamNoobie told me that he was so pissed off with the way government agencies implement security on their websites and servers that he decided to "take matters into his own keyboard".

IamNoobie noticed that the server of the Civil Service Commission (CSC) turned up promising results when he Google dorked government websites. Google dorking is an ordinary web search combined with search operators that narrow the results to content a site owner may never have meant to expose. The operator "site:" (without the quotes) limits results to one domain, and "filetype:" (again without the quotes) limits them to one type of file. If, for example, you want to see whether any Excel files on government websites are indexed and reachable, type filetype:xls into the search bar and press enter; add site: followed by an agency's domain to narrow the search to that agency alone. This simple search can give interesting results, and the search itself sends nothing to the target server, so nobody at the agency sees it happen.

Aside from the multiple vulnerabilities hackers found, the Civil Service Commission website is also using an expired SSL certificate. Every browser now shows a full-page warning for an expired certificate, and a site that trains its users to click through that warning leaves them unable to tell the real site from an impostor, which makes phishing and man-in-the-middle attacks easier.
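An expired certificate is the kind of finding anyone can confirm from outside. The following is an added example written for this article, not a tool from the article or from the CSC: it handshakes with a host using full verification, the way a browser does, and reports either the certificate's validity window or the reason verification failed. The sample certificate dictionary, the hostname example.invalid and the 30-day warning threshold are constructed assumptions.

```python
"""Audit a site's TLS certificate validity window.

Added example for this article, not tooling from the article or the
CSC. Standard library only. cert_status() works offline on the dict
that ssl.SSLSocket.getpeercert() returns; audit_host() is the live
wrapper and is the only function that touches the network.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal threshold; use what your policy says


def utc(year, month, day):
    """Timezone-aware UTC datetime, used for the constructed samples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def cert_status(cert, now=None):
    """Classify a certificate by its notBefore/notAfter window.

    `cert` has the shape getpeercert() returns; dates are OpenSSL text
    such as 'Jan  1 00:00:00 2023 GMT'. Returns the state plus the
    signed number of days until expiry (negative once expired).
    """
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    if now < not_before:
        state = "not-yet-valid"
    elif now > not_after:
        state = "expired"
    elif days_left < WARN_DAYS:
        state = "expiring-soon"
    else:
        state = "valid"
    return {"state": state, "days_left": round(days_left, 1),
            "not_after": not_after.isoformat()}


def audit_host(hostname, port=443, timeout=5.0):
    """Handshake with full verification and report what a browser would see.

    A default context refuses expired, untrusted or mismatched
    certificates, so the failure itself is the finding: the exception
    carries OpenSSL's reason text ('certificate has expired', ...).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result = cert_status(tls.getpeercert())
                result["verified"] = True
                return result
    except ssl.SSLCertVerificationError as e:
        return {"state": "verify-failed", "verified": False,
                "reason": e.verify_message, "code": e.verify_code}


# Constructed sample certificate (not real CSC data).
EXPIRED_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Jan  1 00:00:00 2023 GMT",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit_host(sys.argv[1]))
    else:
        print(cert_status(EXPIRED_CERT, utc(2023, 6, 1)))
```

Run it with a hostname to check a live site. Keeping verification switched on is deliberate: with verify_mode set to CERT_NONE, getpeercert() returns an empty dict, so you would lose the dates for exactly the certificates you care about. Scheduling this check and alerting on "expiring-soon" is what prevents the situation the article describes.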

Using passive scanning, IamNoobie found a bigger problem: the server carried multiple vulnerabilities that could let an attacker take it over completely. Passive scanning detects weaknesses from what the target already gives away in captured network traffic, such as software names and version banners in server headers, without sending probes to the machine; it is less thorough than an active scan but nearly invisible to the target. He then exploited the vulnerabilities, got inside the server, and found copies of passports, company IDs, official receipts, and personal user information.

IamNoobie also said other hackers are exploiting the server of the Civil Service Commission of the Philippines. Many, according to him, have installed backdoors, hidden ways into a system that bypass its normal authentication so that an attacker can get back in and take control at any time. When he saw other groups downloading data, he decided to disconnect them one by one and started to secure the CSC server. He may have been too late, though: a complete list of more than 52,000 users is now available online, posted by another group of hackers. What began as a set of vulnerabilities is now a confirmed data breach.

Others who also contacted us about this said one good thing they noticed is the strict password policy, under which users follow best practices in setting up their passwords. The admin, however, is using, according to them, a three-character all-lower-case password that could be cracked in less than a second. This kind of security sums up the country's approach to cybersecurity: users and even companies are asked to strictly follow cybersecurity rules or face sanctions and penalties, yet government agencies holding user data use inferior or non-existent security measures. In the words of IamNoobie, the Civil Service Commission server is like a locked car with all the windows open.
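The claim that a three-character, all-lower-case password falls in under a second is easy to check offline. The following is an added example written for this article, not code from the article or the CSC. The article does not say how the admin password was stored, so unsalted SHA-256 is an assumed stand-in for whatever hash the server uses, and the password "zzz" is constructed; it is the last candidate in the lower-case keyspace, so it is the attacker's worst case rather than a lucky early hit. The example also sizes the keyspace of a password that actually follows the policy the users are held to, which the article only contrasts in words.

```python
"""How long a three-character lower-case password survives offline.

Added example for this article, not code from the article or the CSC.
The hash function and sample password are constructed here; the
article does not say how the CSC stored its admin password, so SHA-256
is an assumption standing in for whatever the server uses.
"""
import hashlib
import itertools
import string
import time

LOWER = string.ascii_lowercase                                       # 26 symbols
POLICY = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def sha256_hex(password):
    """Stand-in password hash (unsalted and fast: the defender's worst case)."""
    return hashlib.sha256(password.encode()).hexdigest()


def keyspace(charset, length):
    """Candidates an exhaustive search must try for exactly `length`
    symbols drawn from `charset`."""
    return len(charset) ** length


def brute_force(target_hash, charset, max_length, hash_fn=sha256_hex):
    """Exhaustively try every string of 1..max_length symbols.

    Returns (password, attempts) on success, or (None, attempts) when
    the whole keyspace is exhausted without a match.
    """
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def timed_crack(password, charset, max_length):
    """Hash a constructed password, crack it, and report attempts and seconds."""
    target = sha256_hex(password)
    start = time.perf_counter()
    found, attempts = brute_force(target, charset, max_length)
    return {"found": found, "attempts": attempts,
            "seconds": round(time.perf_counter() - start, 3)}


if __name__ == "__main__":
    print(timed_crack("zzz", LOWER, 3))
    print("3 lower-case characters:", keyspace(LOWER, 3))
    print("12 policy characters:   ", keyspace(POLICY, 12))
```

Three lower-case characters give 17,576 possibilities (18,278 including the one- and two-character strings tried first), which a single CPU core exhausts in milliseconds; twelve characters drawn from the full printable set give more than 10^23. Against a live login form the bottleneck is the server's rate limiting, if it has any; against a stolen hash, or from inside a server that other attackers already control, the keyspace is the only protection left, and 17,576 candidates is none.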

As of this posting, the server of the Civil Service Commission of the Philippines is relatively safe. Vulnerabilities have been patched, backdoors closed and hackers were booted out from the server, all except one, the one who calls himself IamNoobie.