Monday, January 11, 2010

Comelec's IT Security Ignorance Has No Limits

Latest Comelec Statement Regarding Hacking Issues (please read)

1. After confidently challenging all hackers months ago and offering a reward of 10 million pesos ($200,000) to anyone who would succeed in hacking the ("hack-proof") Philippine automated election system, they are now contradicting their own statement by warning of severe punishment for anyone who tries to do so. Huh?!

2. They proudly announced that they already have the code used in the website attacks. Of course you do; it has been published repeatedly on the internet for months, if you had only bothered to check, but I guess using Google is too complicated for your people, huh?

3. They are relying on the fact that the system will only be online for 2 minutes, uses 128-bit encryption and is protected by firewalls...

Of course it is! And so was every system compromised throughout these past few years! Even the most expensive state-of-the-art firewalls in first-world countries have fallen to application layer attacks, simply because firewalls filter at the network layer (addresses and ports) and are therefore of no use against application attacks that arrive inside perfectly legitimate-looking web traffic, such as those used to deface the Philippine government websites. Who says the 128-bit encryption has to be broken within 2 minutes in order to compromise a system? Have you heard of the SSL stripping technique, which bypasses the encryption layer in a matter of seconds, barely noticeable to the regular user?
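To make the network-layer versus application-layer point concrete, here is an added example (not from the original post, and not Comelec's code) that models a packet filter next to a simple input check on the same constructed HTTP traffic; the server address, the `/results` path and the `region` parameter are assumptions for the demonstration:

```python
import re
from dataclasses import dataclass

# Constructed sample environment: a web server on a placeholder address.
WEB_SERVER_IP = "203.0.113.10"   # TEST-NET-3, not a real host

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str  # the HTTP request carried in the TCP stream

def network_firewall(pkt: Packet) -> bool:
    """Packet-filter view: only addresses and ports are consulted.
    The payload is never examined, so anything on 80/443 passes."""
    return pkt.dst_ip == WEB_SERVER_IP and pkt.dst_port in (80, 443)

# Application-layer view: the region parameter is expected to be a short
# alphanumeric code, so validate against that instead of blacklisting.
REGION_OK = re.compile(r"^[A-Za-z0-9-]{1,16}$")

def app_layer_inspect(pkt: Packet) -> bool:
    """Parse the request line and validate the one parameter we expect."""
    request_line = pkt.payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False
    path, _, query = parts[1].partition("?")
    if path != "/results":
        return False
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return REGION_OK.fullmatch(params.get("region", "")) is not None

# Same source, same destination, same port: identical to a packet filter.
BENIGN = Packet("198.51.100.7", WEB_SERVER_IP, 80,
                "GET /results?region=NCR HTTP/1.1\r\nHost: example.test\r\n\r\n")
# Constructed probe: the parameter carries an injection-style value.
PROBE = Packet("198.51.100.7", WEB_SERVER_IP, 80,
               "GET /results?region=NCR'%20OR%20'1'='1 HTTP/1.1\r\n"
               "Host: example.test\r\n\r\n")

def verdicts(pkt: Packet) -> dict:
    """Return both layers' decisions so they can be compared side by side."""
    return {"firewall": network_firewall(pkt),
            "app_layer": app_layer_inspect(pkt)}

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("probe", PROBE)):
        print(name, verdicts(pkt))
```

The firewall returns the same answer for both requests; only the application-layer validation, the kind of "simple programming correction" that costs nothing, tells them apart.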

4. They are already assuming that the attacker would be a single individual. Sure, regular newbies who deface websites are often just one guy in front of a computer. But have you heard of the more sophisticated hackers who are well organized, some even funded by underground syndicates, and who use "botnet" technologies capable of launching multi-technique ("combo") and automated attacks in a matter of seconds?

The thing is, if there is one thing that the Comelec probably did right, it was to reassure the general public (to the point of playing dumb?) in order not to cause alarm and a loss of confidence in their competence. As always, this blog will continue to disclose critical, unedited security vulnerabilities to raise the level of awareness, even if just a little bit more. As they say, education is the key to ignorance.

*** But what REALLY gets on my nerves the most is the fact that the CICT wants to turn this issue into another money-making scheme, an excuse to purchase costly equipment and collect more kickbacks or "tongpats". Most of the website attacks would have been prevented by simple programming corrections, none of which cost a thing, if only they had competent people. No need to waste more taxpayer money by relying on technology to replace common sense!

1 comment:

  1. The Pentagon called their data server hack-proof,

    anyway, at least a group of intelligent people will have the capacity to cheat, not just goons who use the barrel of a gun to win the votes.

    what is more important is that if there's a crime, there's evidence. I'm sorry to the hackers, they can't escape with that. The best hackers leave small evidence (there's no such thing as a hacker who doesn't leave evidence). They are the so-called smooth criminals.

