Govt Websites Easily Hacked, Citizens’ Data Sold Freely
Hackers are targeting the weaknesses in government websites. They not only change the appearance of the websites, but also steal data to trade on the internet.
JAKARTA, KOMPAS—In May 2021, an account named Kotz on hacker hub RaidForums (raidforums.com) claimed to have the personal data of more than 270 million Indonesian citizens obtained from the Health and Social Security Agency (BPJS Kesehatan). Kotz sold the data for 0.35 Bitcoin, around Rp 297,850,000 according to the rate on the Indodax crypto exchange at 3:08 p.m. on Thursday (28/10/2021).
BPJS Kesehatan continues to deny that the data sold on RaidForums came from the agency. Meanwhile, the National Police have been unable to identify the perpetrators of the data theft and sale.
To ascertain whether the data traded on RaidForums was obtained from BPJS Kesehatan, the Kompas investigation team contacted Kotz and tested the validity of the data by sending two population identification numbers (NIK). Kotz responded by providing the complete data associated with the NIK, including the individual’s full name, address, religion, date of birth and blood type, their income for three consecutive years (2017-2019), and their BPJS Kesehatan card number (Noka). The Noka provided by Kotz was identical to the number on the BPJS Kesehatan card issued for the particular NIK.
Meanwhile, a vulnerability assessment and monitoring of hacker activities in Indonesia revealed how easy it is to hack government websites. A few days ago, a subdomain of the National Cyber and Encryption Agency (BSSN) website experienced a defacement attack.
A hacker initialed “Z”, who was interviewed in person in a city in East Java on Wednesday (29/9), demonstrated how easily he could gain entry and control over a website belonging to a regency administration. He did not take long to demonstrate his skills when he was asked to do so. After setting his laptop on the table, he browsed the targeted website briefly, and then typed something moments later.
On observation, it seemed as though he still needed to complete additional stages. But no, he had hacked the site in less than 20 seconds.
"Done. We're logged into their system. I don't use complicated techniques because I'm used to hacking government websites. We know where the weaknesses are," said Z.
Meeting Z was not enough, and the team went on to examine the management of government websites in Jakarta, West Java, and East Java that had been the target of cyberattacks over the September-October 2021 period.
Manager and budget
At the Population and Civil Registration Office (Disdukcapil) of Bogor city in West Java, the team met the agency's sole database administrator, Sabur Yusnandar. Sabur's job is to secure digital devices, even though he has no background in electronic and information technology (IT) systems.
The senior high school graduate helped design an online services application called Si Kancil Berlari that later collapsed in May 2021 due to a cyberattack. He suspected that the hackers had gained entry through a third-party plugin, an add-on program that was downloaded for free.
"After that incident, we created a new structure for Si Kancil Berlari. We completely changed it," said Sabur.
In Bandung, the IT division of the West Java provincial Health Office (Dinkes) experienced cyberattacks for two consecutive days on 20-21 July 2021. The team could not do much, and also did not know what to do. The site was restored once, but was then hacked again the next day.
"We immediately coordinated with the Communication and Information Office," said Aris Munandar, a member of the West Java Health Office’s IT team.
The Kompas investigation also discovered that the IT managers of electronic services (e-services) at regional administrations lacked funding. As a result, their cybersecurity systems relied on outdated or free software, borrowed tools, or applications and programs they had developed themselves.
In East Java, the head of the Malang Information and Communication Office’s information and communication technology (ICT) infrastructure division, Tri Darmawan Sambodho, said he used a firewall, or network security system, that he had “borrowed” from distributors before he was able to purchase one.
The current budget for e-services management was limited. "Meanwhile, we only use script [a set of commands] for routers [internet networking device]," he said.
The firewall is important for the Malang Information and Communication Office’s e-service, because it secures around 700 websites consisting of 378 village websites, 12 subdistrict websites and 33 district websites, as well as the software of regional institutions.
Technical aspect
These findings add to the results of the vulnerability assessment Kompas conducted in collaboration with a cybersecurity consultant on 30 government websites at the regency/municipality, provincial, and national levels. The assessment subjects comprised the websites of four regency/municipal election commissions, three district courts, four Regional Legislative Councils at the regency/municipal level, four national agencies, five regency/municipal administrations, five provincial administrations, and five ministries.
The results of the vulnerability assessments found that only three out of the 30 government websites did not have detectable vulnerabilities. The remaining 27 websites had multiple vulnerabilities of various levels from critical, high, and medium to low.
The vulnerability breakdown shows that critical vulnerabilities were detected in nine government websites: one central government website, six regency/municipal websites, and two provincial websites. Hacking these websites required no sophisticated techniques, and hackers could simply exploit vulnerabilities already listed in the CVE (Common Vulnerabilities and Exposures) database.
High vulnerability was detected in a total of 26 websites: six central government websites, seven provincial websites, and 13 regency/municipal-central government websites. One of the vulnerabilities was characterized by weak encryption between a user's browser and the government’s web server. As a result, hackers could easily steal the user’s information.
The assessment also detected moderate vulnerability in 27 websites comprising 7 central government websites, 7 provincial websites, and 13 regency/municipal websites. One website had a module error that allocated excess memory that allowed suspicious activity to go undetected.
By and large, the vulnerabilities existed because the web server had not been updated or because the system relied on an outdated web server. This created a loophole for unauthenticated, remote attackers to hack the server and gain network entry.
According to Ruby Alamsyah, who founded Digital Forensic Indonesia (DFI), the higher the vulnerability level and the larger the number of vulnerabilities, the easier it was for hackers to infiltrate the website. (FAI/DVD/IRE/NDY)
(This article was translated by Hyginus Hardoyo)