IT experts have suggested that the scale of yesterday’s attack on government sites was due to poor security mechanisms.
Government IT experts have told Minivan News today that the hosting of multiple government sites on a single server was a security concern of which the government was aware.
“Shared hosting is cheap, while having a dedicated server could be expensive. So this is a price versus security choice. But even with shared hosting if the server is secured properly it would minimise the risks,” said a cyber security official at one government institution.
Dhiraagu has today confirmed that the 117 websites defaced in yesterday’s cyber attack by a Syrian anti-war group were hosted on a single Dhiraagu server.
The Maldives’ oldest telecommunications company noted that all affected websites were fully restored last night, within twenty-four hours of the attack.
“Attacking government websites is a criminal act and this is being investigated by the police now. Such attacks are carried out against many corporations and organisations around the world, even the most secure,” said Dhiraagu Public Relations Executive, Ibrahim Imjad Jaleel.
“Our engineers have assured that security will be upgraded even further to ensure such an incident is not repeated in the future. It is equally important for developers to increase the security features of websites,” he added.
Shared hosting issue previously flagged
IT experts have told Minivan News today that the attack was likely to have been carried out by the manipulation of one or more vulnerable government websites hosted on a single Dhiraagu server.
“It seems that after accessing the server and gaining elevated privileges, the attacker decided to deface the websites. If it was someone with really malicious intentions they could have done more,” explained a local software engineer.
“Defacement is the least of our worries – think about what somebody could do or have probably done already. Load in exploit code on the pages and nobody would notice. It is possible to compromise thousands of Maldivians and offices,” they warned.
The case is now being investigated by the cyber crime division at the Maldives Police Services (MPS).
Ahmed Athif, head of the Information & Communication Directorate at MPS, said police will conduct an assessment and share the information and recommendations with the National Centre for Information Technology (NCIT) and other relevant authorities.
While he noted that this is the biggest attack of this nature to be carried out against the Maldives government, he said specific details of the case could only be revealed after a thorough investigation.
The NCIT has made no official comments regarding the issue, but a source within the centre today told Minivan News that the shared hosting of sites and other security concerns have frequently been raised during security assessments of government institutions.
In August 2013 the Elections Commission reported that their servers were continuously under attack at the time, while in the same month the Department of National Registration’s (DNR’s) ID card database with political party affiliations was leaked online.
Police later said the database was stolen from an Elections Commission web server after it had been hacked.
In March 2013 the United Nations (Maldives) website was also defaced in order for a hacker to deliver a message saying that security on their website was insufficient.
Responsibility for yesterday’s attacks was claimed by Dr. SHA6H – an anonymous figure who has claimed to have infiltrated hundreds of similar sites across the globe over the past two years.
“This site has been hacked because of the world’s silence of three years of massacres that occur in Syria and this is still happening,” read the message left on the defaced websites, attributed to a group called the Syrian Revolution Soldiers.
It's same everywhere in Mordis. Drawing parallels.
Dilapidated taxis serving 400 odd people. Worn down jails keeping yet another 400. Huge costs per head, for reception rights of the WC matches. NCIT technicians would probably get paid under 10K Mrf a month. Why would they even bother to work to the likes of most IT security experts who get paid $15K a month.
It's all about economies of scale.
In any case the web servers are not allowed in the permanent residence of heavenly paradise. Hence one wonders why more needs to be spent on more security. Wouldn't it be better to work and spend on medications that would help appease the 70 virgins? After all you wouldn't want them upset, and you know the ruckus even a couple of wives can come up with!
Cyber crime unit of MPS? That's the worst joke I've heard. This is the same who consistently fail to find murderers on a 2 square mile island. The same MPS who failed to identify Ali Hameed's face from video evidence.
At every level this country is just the butt of jokes!