Poor security measures at fault for cyber attack, say government IT experts

IT experts have suggested that the scale of yesterday’s attack on government sites was due to poor security mechanisms.

Government IT experts have told Minivan News today that the hosting of multiple government sites on a single server was a security concern of which government was aware.

“Shared hosting is cheap, while having a dedicated server could be expensive. So this is a price versus security choice. But even with shared hosting if the server is secured properly it would minimise the risks,” said a cyber security official at one government institution.

Dhiraagu has today confirmed that the 117 websites defaced in yesterday’s cyber attack by a Syrian anti-war group were hosted on a single Dhiraagu server.

The Maldives’ oldest telecommunications company noted that all affected websites were fully restored last night, within twenty four hours of the attack.

“Attacking government websites is a criminal act and this is being investigated by the police now. Such attacks are carried out against many corporations and organisations around the world, even the most secure,” said Dhiraagu Public Relations Executive, Ibrahim Imjad Jaleel.

“Our engineers have assure that assured that security will be upgraded even further to ensure such an incident is not repeated in the future. It is equally important for developers to increase the security features of websites,” he added.

Shared hosting issue previously flagged

IT experts have told Minivan News today that the attack was likely to have been carried out by the manipulation of one or more vulnerable government websites hosted on a single Dhiraagu server.

“It seems that after accessing the server and gaining elevated privileges, the attacker decided to deface the websites. If it was someone with really malicious intentions they could have done more,” explained a local software engineer.

“Defacement is the least of our worries – think about what somebody could do or have probably done already. Load in exploit code on the pages and nobody would notice. It is possible to compromise thousands of Maldivians and offices,” they warned.

The case is now being investigated by the cyber crime division at the Maldives Police Services (MPS).

Ahmed Athif, head of Information & Communication Directorate at MPS said police will conduct an assessment and share the information and recommendations with the National Centre for Information Technology (NCIT) and other relevant authorities.

While he noted that this is the biggest attack of this nature to be carried out against the Maldives government, he said specific details of the case could only be revealed after a thorough investigation.

The NCIT has made no official comments regarding the issue, but a source within the centre today told Minivan News that the shared hosting of sites and other security concerns have frequently been raised during security assessments of government institutions.

In August 2013 the Elections Commission reported that their servers were continuously under attack at the time, while in the same month the Department of National Registration’s (DNR’s) ID card database with political party affiliations was leaked online.

Police later said the database was stolen from an Elections Commission web server after it had been hacked.

In March 2013 the United Nations (Maldives) website was also defaced in order for a hacker to deliver a message saying that securit on their website was insufficient.

Responsibility for yesterday’s attacks was claimed by Dr. SHA6H – an anonymous figure who has claimed to have infiltrated hundreds of similar sites across the globe over the past two years.

“This site has been hacked because of the world’s silence of three years of massacres that occur in Syria and this is still happening,” read the message left on the defaced websites, attributed to a group called the Syrian Revolution Soldiers.


Anti-war activists target government websites to raise awareness of Syrian conflict

Multiple Maldives government websites were taken down early this morning after an online hacker defaced pages with messages raising awareness of atrocities in the Syrian civil war.

“This site has been hacked because of the world’s silence of three years of massacres that occur in Syria and this is still happening,” read the message attributed to a group called the Syrian Revolution Soldiers.

Responsibility for the hacking was claimed by Dr. SHA6H – an anonymous figure who has claimed responsibility for the infiltration of hundreds of similar sites across the globe over the past two years.

Neither the President’s Office nor the National Centre for Information Technology (NCIT) were prepared to comment on the story at the time of press, although Minivan News understands that sites targetted were hosted on the servers of national telecoms firm Dhiraagu.

Dhiraagu’s facebook page acknowledged that there had been a “malicious attack” on some of the sites hosted on its server, assuring that it was working to restore affected sites.

Online accounts used by Dr. SHA6H claimed to have targetted over 200 Maldivian government websites, while the defaced website archive site Zone-H listed details of 117 Maldives government sites successfully infiltrated this morning.

“This security breach is not to make damage. It is only to deliver a specific message to the world,” read the posted message, along with a video detailing atrocities committed during the Syrian conflict.

The list also shows the hacker to have successfully targetted nine Maldivian government website in January last year.

Zone-H’s list of sites hacked by Dr. SHA6H show the attack on the Maldivian government sites to have been one of the hackers most effective attempts to infiltrate government sites, with a July 2013 attack on the Mexican IT infrastructure the only comparable incident on record.

All the sites affected  – including the Ministries of Tourism, Foreign Affairs, Education, Housing, Environment, and the Maldives Monetary Authority – were still down at the time of publication.

The intrusion of Dr. SHA6H marks the second time the civil war in Syria has made headlines in the Maldives this week, after reports that two Maldivian nationals had died in fighting after having travelled to the middle east to fight forces loyal soldiers to Syrian President Bashar Al Assad.


PPM requested access to Elections Commission IT software: Elections Commissioner

Amid constant attacks on the Elections Commission’s (EC) internet server and concerns over voter database security, Commissioner Fuwad Thowfeek has revealed that the Progressive Party of Maldives (PPM) had previously requested access to the commission’s IT section.

Despite admitting their ongoing concerns in this matter, the PPM have denied asking for this kind of access.

The EC’s internet server is currently facing continuous attacks from hackers both within the Maldives and abroad, although EC Commissioner Fuwad Thowfeek has previously dismissed rumours that any such attempts had been successful.

Earlier this month, PPM and Jumhooree Party (JP) lodged a complaint with the EC expressing fears that foreign nationals had access to the Maldives’ voter database for the upcoming presidential election. The EC has sought assistance from Indian IT professionals to set up software in order to oversee future council elections.

Earlier this year, the Elections Commission of India (ECI) and the Maldives’ Elections Commission agreed on a roadmap for cooperation that includes jointly developing an assistance project to enable free and fair elections later this year.

In response, the EC met with a “combined team” representing the JP and PPM to dismiss these fears, explaining that only local staff had access to sensitive information or the commission’s security systems.

Thowfeek further explained to Minivan News today (August 21) how the commission had addressed the PPM’s concerns.

“A few times they have come and met me – twice a delegation from PPM came and met me and once a delegation met the vice chair of the elections commission,” said Thowfeek.

“We attended to almost all their requests, but there are some demands that we cannot meet. For example, one of their demands was to see our IT section,” he continued.

“They wanted to see the hardware and software of our network system, which we cannot do and we are not ready to do for the safety and security of our system,” he explained.

“We conducted local council elections – which were much more complex and complicated [than the presidential election] – without any problems. And we have also held three parliamentary by-elections and over 20 local council by-elections,” he continued.

“In each election or by-election there were complaints [filed], but no one has ever complained about the members of the Elections Commission.”

“[Now] suddenly they have started questioning our competence and ability, this is very strange,” he noted.

“We have given really clear answers to them. We are not hiding anything. We are very transparent. Everything is really clearly explained, so I don’t understand,” Thowfeek added.

“President Waheed and President Nasheed are very confidant in this commission, they have no complaints at all,” he noted. Based on the feedback the commission has received, “the public recognises our efforts and they have confidence in us.”

“So it is very strange when suddenly the PPM found this type of problems with us,” he added.

Thowfeek expressed confidence in the “really good, professional” work the EC has been doing and does not believe that the PPM has any grounds for legal action.

PPM’s response

PPM MP and Spokesperson Ahmed Nihan denied that the party had requested access to the EC’s IT section to see its hardware and software while speaking to Minivan News today.

“No, we did not ask to see the EC’s hardware or software, just regarding the officials and their allocated tasks,” said Nihan.

He explained that PPM and JP raised the issue two times and in a written letter “as we do not know the Indian IT officials.”

“We are still quite uncertain and unsure why these people are here at this time,” Nihan continued.

“The EC should be very much clear about about this assistance, who the people are, where they are from, etc. They should be very carefully and clearly letting people know about who has access to [voter] data,” he continued.

Software hackers gaining access to the EC’s voter database remains an additional security concern of the PPM’s.

“We have heard unconfirmed rumors that hackers had gained access to the voter re-registration database, which was shocking,” said Nihan. “We’ve lost faith in all of the EC and the institution’s functionality – they are dysfunctionally handling everything.”

“The EC seems to be agitated and counterattacking. We really regret that EC officials lack the responsibility to reply, [instead] they go on media and attack us,” he continued.

Nihan claims that the EC had deleted all the election registrations from the previous elections –  repeating claims that deceased voters were still registered. He also alleged that the commission has hired very naive and fresh recruits.

“Even during the Ungoofaaru by-election we had these complaints,” he said.

Since the EC is run from public money with parliamentary approval, the PPM is seeking a legal resolution for their “unaddressed” concerns, explained Nihan.

He added that the PPM’s vice presidential candidate Dr Mohamed Jameel Ahmed was heading a team charged with gathering similar complaints.

“If we find enough evidence we will take the EC to court,” said Nihan.

Despite his insistence that the party would take legal action should it find enough evidence, Nihan explained the importance of holding free and fair elections and that the party would not want to hinder the election by filing a court case.

“We are all prepared to give the Maldives an election, which is most important,” said Nihan.

“If there is anything from us [filed in court], it would not be the best practice for democracy,” he added.