Easy targets - Scores of government websites open to hackers
Published:Sunday | June 29, 2014 | 12:00 AM
Ryon Jones, Staff Reporter
At least 43 government entities, some with sensitive data on thousands of Jamaicans, are at the risk of being hijacked by cybercriminals as they lack the requisite security features.
A study by one of the country's top cyber-security consultants has pointed to the websites of the Bank of Jamaica (BOJ), Tax Administration Jamaica and the Ministry of National Security among other key state agencies, which could be at the mercy of hackers who could steal your credit-card information or email address or other sensitive data.
"If hackers were to go on to the STATIN (Statistical Institute of Jamaica) or PIOJ (Planning Institute of Jamaica) websites ... where international people are looking for data on Jamaica, the hackers could misinform them. So one of biggest dangers is embarrassment to the country," cyber-security consultant, Andrew Gordon, told The Sunday Gleaner.
Financial implications
He noted that apart from the possible embarrassment to the country, there is also the financial implications for websites that allow online transactions.
"There are websites like the Registrar General's Department (RGD), Tax Administration Jamaica where you can pay online, those are the ones where hackers can hijack people's accounts," argued Gordon, who is a certified forensics examiner.
State Minister in the Ministry of Science, Technology, Energy and Mining Julian Robinson has accepted that the websites of some government entities lack well-needed security features; however, he argued that this is being addressed.
"If you are following the trends globally, cybercrime is the way countries are now using to attack each other, and if you can pull down someone's banking network, you bring the country to a standstill; or disrupt their utilities, you bring the country to a standstill," said Robinson.
"Every single entity and agency should ensure it operates at a level where its data is protected, and all of them need to ensure that."
Last week, a number of the agencies admitted that they face cyber-security challenges even as they defended their actions.
"The BOJ regards security of the website and the availability and accuracy of the information that is published on the site as an ongoing exercise involving the timely identification and elimination of new vulnerabilities that may arise from time to time," said Deputy Governor Livingstone Morrison.
"In this regard, we are pleased with the level of support from our team of developers and suppliers who work with us to ensure that the site enjoys the highest level of security at all times," added Morrison, as he pointed to a number of measures employed by the central bank to protect its site.
Numerous weaknesses
The cyber-security consultants had reported that up to January the websites of 43 state entities, including 12 critical agencies, had numerous weaknesses that made them soft targets for hackers.
Twenty of those entities were among more than 200 local websites that were hacked between 2001 and 2010.
"Based on our research, all 43 government websites checked for potential exploitation had coding deficiencies and vulnerabilities," said the cyber-crime experts.
"Only two of the 43 were free from which Cascading Style Sheet (CSS) and Hypertext Markup Language (HTML) errors and warnings making them disasters waiting to happen," added the experts who mainly used the web-application vulnerability scanner 'Wapiti' to test the sites.
CSS and HTML are the main coding scripts that are used to create and format how information is displayed on web pages and their presentation.
HTML is used to
create the web pages while CSS is used for the styling or formatting of
the pages. These were used to create and format all of the Jamaican
government websites that were assessed.
"HTML and CSS, if not
coded correctly and with security in mind, are exploitable; like
everything else," said Gordon.
"There are individuals
who are proficient in identifying such lapses in security and exploiting
these vulnerabilities."
Gordon noted that some
hackers indulge in web defacement, where a website is completely taken
down and replaced by something new. In other instances, a hacker may
inject codes to add images, pop-ups or text to a
page.
"In order to deface a person's website, you have
to be able to hack (it), but because these (government agencies)
websites are already poorly developed it makes hacking into them a lot
easier to accomplish," argued Gordon.
The
cyber-security consultant said there is no sure-fire way to ensure that
one's website is totally secure, but defacement can be
avoided.
"I am in no way saying that correcting all
these errors will lead to a 100 per cent safe website, but this will
eliminate an avenue used for
defacement."
Blocking hacking: State agencies ready to fight hackers
- Passport Immigration & Citizenship Agency - Keith Montague, Director of Information Technology
Yes, we were aware of the errors that were on it and we have changed our website. We have revamped that platform and use a different platform to do our platform now. The previous website was developed by some different people, we now have internal persons and we have made a number of changes. And we have people trained in a course called certified ethical hacking.
- Ministry of National Security - Carla Nicholson, member of the Information Technology Service Unit
We will have to speak to our webmaster to look into it, as it would be something that is of concern to us. I know the website was revamped late last year, so I will have to speak to the webmaster to find out exactly what was done.
- Petroleum Corporation of Jamaica - Millard Raymond, Information Systems Manager
We are going to be upgrading the website this year. We are aware of all of this, as are most government agencies. It is just a matter of when we do what needs to be done.
- Tax Administration of Jamaica - Natasha Samson, Chief Information Officer
About two to three years ago we had the website hacked ... we identified at the time where some of these vulnerabilities existed, and some of these had to do with some of the tools that were being used in the development exercise, and steps were taken to address those. Also from the provider end in terms of the hosting environment, some measures were taken there as well.