Government Websites a Haven for Hackers

By Denise Hruby and Neou Vannarin
The Cambodia Daily
January 10, 2013

Greeting visitors to the website of the National Military Police on Tuesday morning was a picture of a masked man wearing a red cape. Above his head appeared one word printed in capitals: “Hacked.”

Those surfing the website of the Supreme Court would also have seen a simple message in the top left corner stating “hacked by Hmei7,” the signature of an Indonesian hacker, who claims to have attacked 70,000 websites worldwide.

While both websites were corrected by midday, the attacks on the state-run sites are nothing new in Cambodia. Experts say that hackers are continually able to infringe on government websites with ease due to a lack of trained information technology specialists capable of protecting the state’s online portals with secure passwords and a reliable firewall. They also say that if online security doesn’t improve, the government risks tarnishing its reputation, especially abroad.

“I think [the government] is realizing the importance of the issue now but they don’t have the skills and education in this area, so it will take time,” said Phu Leewood, a board member and the former secretary-general of the government’s National Information Communications Technology Development Authority.

“If people give their information to the government and they are hacked, people will not trust the government anymore,” Mr. Leewood added.

In the past year, online intruders have managed to hack the websites of the National Police, the Ministry of Agriculture, the Ministry of Industry, Mines and Energy and the Ministry of Women’s Affairs.

Mr. Leewood explained that since 2010, each ministry has been responsible for its own online security and every website has its own server, most of which have no firewalls, which are designed to keep networks secure.

“All websites are on different servers now and there’s no firewall behind them because people have no idea how to use it,” Mr. Leewood said, adding that after the government’s first record of a cyber-attack in 2002, all websites were hosted from the same server with a frequently updated firewall. Mr. Leewood said he was unaware why the decision was made to give more autonomy to the government-run websites and put them back on individual servers.

Information technology experts say if hackers are able to alter websites, it would also be easy for them to access secure information inside state-owned servers.

“Once someone has managed to get into a secure system, it is not difficult to get inside another one,” said Nobert Klein, an expert on the development of the Internet in Cambodia. “If you manage this once, you can use the same method to get into a similar system.”

Indeed, in September, the website of the Ministry of Foreign Affairs was hacked and 5,000 documents that included people’s passport information and visa requests were stolen from government hard-drives.

The hackers claiming responsibility for the attack said it was revenge for the arrest and deportation of Gottfrid Svartholm Warg, co-founder of the file-sharing website The Pirate Bay. The government outright denied that any attack had taken place.

Ou Phannarith, the head of the Cambodian branch of Computer Emergency Response Team, a global organization established to coordinate response to Internet security incidents, said hackers had a number of ways to attack government websites, such as taking advantage of dated software, vulnerable servers and weak passwords.

“It is not easy to know who is behind the attack and where they came from as the attack technique is so advanced these days,” he said.

Sok Huot, the webmaster of the Military Police’s website, said Tuesday’s cyber attack was carried out by a hacker who had taken advantage of the website’s four-year-old software.

“We updated the system to a new software so it is fine now,” he said, adding that no data had been retrieved by the online intruder.

According to Bernard Alphonso, an independent cyber security consultant based in Cambodia, most attacks go unnoticed.

“We will have to put up with a more and more dangerous Internet. Web hacking is just the tip of the iceberg,” he said. “Malicious hackers hack tens of thousands of websites across the world every year.”