Poor security measures at fault for cyber attack, say government IT experts

IT experts have suggested that the scale of yesterday’s attack on government sites was due to poor security mechanisms.

Government IT experts have told Minivan News today that the hosting of multiple government sites on a single server was a security concern of which the government was aware.

“Shared hosting is cheap, while having a dedicated server could be expensive. So this is a price versus security choice. But even with shared hosting if the server is secured properly it would minimise the risks,” said a cyber security official at one government institution.

Dhiraagu has today confirmed that the 117 websites defaced in yesterday’s cyber attack by a Syrian anti-war group were hosted on a single Dhiraagu server.

The Maldives’ oldest telecommunications company noted that all affected websites were fully restored last night, within twenty-four hours of the attack.

“Attacking government websites is a criminal act and this is being investigated by the police now. Such attacks are carried out against many corporations and organisations around the world, even the most secure,” said Dhiraagu Public Relations Executive, Ibrahim Imjad Jaleel.

“Our engineers have assured that security will be upgraded even further to ensure such an incident is not repeated in the future. It is equally important for developers to increase the security features of websites,” he added.

Shared hosting issue previously flagged

IT experts have told Minivan News today that the attack was likely to have been carried out by the manipulation of one or more vulnerable government websites hosted on a single Dhiraagu server.

“It seems that after accessing the server and gaining elevated privileges, the attacker decided to deface the websites. If it was someone with really malicious intentions they could have done more,” explained a local software engineer.

“Defacement is the least of our worries – think about what somebody could do or have probably done already. Load in exploit code on the pages and nobody would notice. It is possible to compromise thousands of Maldivians and offices,” they warned.

The case is now being investigated by the cyber crime division at the Maldives Police Services (MPS).

Ahmed Athif, head of Information & Communication Directorate at MPS said police will conduct an assessment and share the information and recommendations with the National Centre for Information Technology (NCIT) and other relevant authorities.

While he noted that this is the biggest attack of this nature to be carried out against the Maldives government, he said specific details of the case could only be revealed after a thorough investigation.

The NCIT has made no official comments regarding the issue, but a source within the centre today told Minivan News that the shared hosting of sites and other security concerns have frequently been raised during security assessments of government institutions.

In August 2013 the Elections Commission reported that their servers were continuously under attack at the time, while in the same month the Department of National Registration’s (DNR’s) ID card database with political party affiliations was leaked online.

Police later said the database was stolen from an Elections Commission web server after it had been hacked.

In March 2013 the United Nations (Maldives) website was also defaced in order for a hacker to deliver a message saying that security on their website was insufficient.

Responsibility for yesterday’s attacks was claimed by Dr. SHA6H – an anonymous figure who has claimed to have infiltrated hundreds of similar sites across the globe over the past two years.

“This site has been hacked because of the world’s silence of three years of massacres that occur in Syria and this is still happening,” read the message left on the defaced websites, attributed to a group called the Syrian Revolution Soldiers.


Immigration Department dismisses reports of expat system “flaw”, won’t rule out abuse by employers

Immigration officials have dismissed reports of a “flaw” in the country’s online expatriate registration system despite expressing concerns the system may be open to abuse by registered companies.

A department spokesperson confirmed this week that although the new online registration system, introduced to try to streamline the provision of work visas to foreigners, was not itself flawed, it was nonetheless open to abuse from employers who allowed others to access their password-protected accounts.

The Department of Immigration and Emigration has also confirmed it has faced challenges in verifying whether construction projects were real or a front to smuggle foreign labour into the country, but told Minivan News it expects to resolve the issue from next month.

The comments were made after local newspaper Haveeru last week reported that a “serious issue” had been identified within the expatriate registration system installed by the National Centre for Information Technology (NCIT) that had allowed a steep rise in the number of foreign workers coming to the Maldives in May 2013.

Citing an anonymous immigration source, the paper reported that 4,000 expatriate workers had entered the country last month due to certain recruitment agencies abusing a “critical flaw” in the system.  According to the report, the flaw allowed recruiters to obtain an extra quota of foreign workers in order to profit from their transfer into the Maldives.

The NCIT, which was charged with installing the component of the monitoring system, this week rejected suggestions that such a flaw existed in the program in a joint statement (Dhivehi) issued with the Department of Immigration and Emigration.

The expatriate quota system had been assigned through procedures set out by the Immigration Department to the NCIT, the statement read.

Once a quota is obtained, the NCIT stated, an expatriate would only be granted entry into the country upon providing a photograph, their passport bio page and other official documents that immigration officials require to be entered into the system.

“Therefore, we can confirm that 4000 expatriates have not entered the country unknown,” the statement added.

The NCIT’s dismissal of the media reports comes as the Maldives faces increasing pressure to tackle the issue of unregistered expatriates, with the country appearing on the US State Department’s Tier Two Watch List for Human Trafficking. The country has appeared on the list for three years in a row.

Employer responsibility

Although claiming no technical flaw had been found by authorities within the expat system, immigration spokesperson Ibrahim Ashraf told Minivan News that registered employers had a responsibility to prevent abuse of their company accounts.

Ashraf said all companies employing foreigners had to be registered on the expatriate registration system through official documents like a business registration certificate and a valid national ID.

If approved, he said the employer was then assigned through the online account a maximum quota of foreign workers depending on the size of their business or the specific project they were working on.  These accounts are protected with a password.

Ashraf said there were suspicions in the Immigration Department that some employers may have provided access to their unique account to employees, who were in turn bringing in foreign workers under the company’s name while personally profiting from trafficking them into the country.

He compared the practice to a member of the public giving their ATM bank card and pin number to another individual, then trusting them not to draw money out from their account.

“People that are being trusted to use [the expat online system] may be doing wrong. I think this is what has been happening. Management may be putting too much trust in other people to use this system,” Ashraf claimed.

“Systematic abuse”

Immigration Controller Dr Mohamed Ali has previously told Minivan News that while almost all foreign workers coming to the Maldives arrive under registered companies, some were finding themselves “illegally used” by employers due to “systematic abuse” of the visa system.

Foreign low-wage workers are often lured to the country by agents after paying a ‘recruitment’ fee or entering into debt – sometimes as high as several thousand dollars – that is shared between local agents and recruiters in the country of origin, most significantly Bangladesh.

In many cases the workers are then brought into the country ‘legitimately’ by a specially-created paper company, created using the ID of a complicit or unwitting Maldivian national, for the stated purpose of working on a ‘construction project’ of dubious existence.

Senior immigration sources confided to Minivan News in April this year that almost no human verification was undertaken by authorities to ensure workers were genuinely employed once a business or construction project was approved.

Ashraf this week confirmed that there had been “issues” in inspecting construction sites across both the country’s inhabited and resort islands due to a shortage of staff.

However, he claimed that by July 31, 2013, the Immigration Department was to begin inspecting construction and other projects requiring foreign labour with the assistance of local councils and key industry associations.

These groups are expected to include the Maldives Association of Tourism Industry (MATI) and the Maldives Association of Construction Industry (MACI), according to the Immigration Department.

Ashraf added that the government had recently approved the hiring of an additional 30 staff for the department in order to help oversee what is expected to be a comprehensive audit of the visa system.  Officials would then move to penalise any abuse of the system by local employers.

Unregistered workforce

The exact scale of the Maldives’ unregistered foreign workforce remains unknown, with estimates ranging from around 40,000 people to potentially double that number.

Earlier this year, former MACI President Mohamed Ali Janah said an estimated 40 percent of the foreign employees in the construction sector were thought not to be legally registered.

Considering these numbers, Janah said at the time that he could not rule out the involvement of organised crime in certain employment agencies, which supply a large amount of foreign labour to building sites in the Maldives.

Janah claimed that 95 percent of construction groups operating in the country were Maldivian owned. However, as the country’s second largest industry on a GDP basis, the vast majority of employees in the sector were migrant workers, he said.

“We employ a huge workforce of some 60,000 to 70,000 people,” he explained at the time. “Of these people, sadly we have 40,000 to 50,000 who are expatriates.”

By April of this year, Immigration Controller Dr Mohamed Ali confirmed that authorities had targeted the return of 10,000 unregistered workers by the end of 2013.

The pledge to return a predetermined number of expatriates was criticised at the time by the Human Rights Commission of Maldives (HRCM), which raised concerns that some workers were potentially being punished for the actions of employers or agents acting outside the law.

While the government earlier this year launched a special campaign intended to raise awareness of the rights of foreign workers, NGOs and independent institutions continue to identify human trafficking as a significant issue needing to be addressed in the country.

Human rights groups in the Maldives have for instance continued to criticise both the present and former governments for failing to pass legislation that would allow authorities to press charges against individuals directly for the offence of human trafficking.  The legal measures to do so are presently under review in parliament.