There have been a lot of misconceptions about why Philippine government websites get defaced or hacked: some say it is because of the lack of security hardware, because of corruption, because of the IT professionals, etc. That does not say it all. Security hardware does help, but if you don’t have a budget then all you need to do is patch your website and analyze the code; what is required is knowledge. In creating a website, knowledge of and familiarity with the code you insert (copy-and-paste code does not help at all) is a must. So here are some of the main reasons why PHL gov’t websites get defaced, and if this article opposes what you’ve seen on TV, blame the media for all those misconceptions and publicity about hacking sprees:
If only they hired good security professionals and programmers instead of fresh graduates who are just website designers, there would be a good chance that PHL websites could be secured. But they always blame the lack of budget. Oh really? I find that hard to believe!
Jejomar Binay is the Vice President of the Philippines, and his IT staff claim that they lack the budget to fix their website and to pay for hosting (their website is hosted on free hosting); it really sucks, because it does not cost a lot to fix their website. Budget is not a problem, he is the Vice President! And worse, they blamed its free web hosting; well, even if it were hosted on paid web hosting, if the code is all messed up and still vulnerable to simple attacks like SQL injection then it is still a major problem. Like I said, knowledge is required, not some shitty budget which I think just stays in the pockets of our leaders. You see, this is what I dislike about modern democracy!
Aside from corruption, they all have their excuses. What is common to some website administrators is that they have their own excuses; instead of all those excuses they should fix their website. Check this video, a report that denies the defacement of the OVP website. Luckily there is evidence that they haven’t cleaned this up yet: http://www.ovp.gov.ph//ovp/uploads/File/
Ignorance of website vulnerabilities and 0-day exploits excuses no one. Even the CIA was attacked with XSS.
3. Poor Enforcement of Security and Poor Coding
Most websites are vulnerable to SQL injection and have flaws in their code. It’s time to clean up their folders, remove those flaws and use clean URLs. Aside from updating their framework and MySQL version, the admin should use prepared statements, stored procedures (parameterized queries) and array_map; for more information about avoiding SQL injection, check our article on how to avoid it.
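To show what the "prepared statements instead of pasted-together SQL" advice means in practice, here is an added example (not code from this article or from any of the sites mentioned). It uses an in-memory SQLite table as a stand-in for a site’s MySQL backend; the table, the user row and the function names are all constructed for the demonstration. It also covers the one case a placeholder cannot handle, a column name supplied by the user, which has to be allow-listed instead.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database: one users table, one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Real code would store a password hash; the plain string keeps the demo short.
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The copy-and-paste pattern: request input is glued straight into the SQL text,
    so a quote character in the input changes the query instead of being data."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Prepared statement: the query is fixed, the values are bound separately,
    so the database never parses user input as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Identifiers (table/column names, ORDER BY targets) cannot be bound as
# parameters, so the only safe option is a fixed allow-list of accepted values.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users(conn, sort_by):
    """Sort by a user-chosen column, but only one we explicitly allow."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % sort_by)
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    print("string-built query accepts it:", login_vulnerable(db, "admin", crafted))
    print("prepared statement rejects it:", login_prepared(db, "admin", crafted))
```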
Also, if your website is hosted on a Linux, Unix or BSD box, you can install chkrootkit to scan for rootkits and add some open source hardening tools to your web server, such as a free and open source WAF (Web Application Firewall) like ModSecurity.
Securing the admin panel is also good practice, to keep malicious people out of it. Not budget but knowledge!
4. They don’t hire Web Security Analysts and Pentesters
With all those budget issues, I think it’s time for them to wake up and stop pocketing our taxes and the government’s budget. It’s time to hire pentesters before they get defaced. There are a lot of website pentesters here in the Philippines; they should find one instead of evading them.
Oh, and one last thing, I LOL’ed at this video. XD