The dark side of IT, Hackers and the future of cyber security
The cyber attack suffered by the .lk domain in the morning of Saturday (6) has now started a discourse on Sri Lanka’s cyber security situation, in particular the security measures adopted by government websites.
Even though in the evolving world of information technology, no website or computer system can be completely protected from hackers, in a context where Sri Lanka has faced similar cyber attacks in the past few years, perhaps it is high time that the authorities look more closely into this matter, in a bid to prevent such incidents from occurring in the future.
Especially in 2019 and 2020, a number of government websites were hacked. While these cyber attacks are believed to have been carried out by supporters of the now-defunct Liberation Tigers of Tamil Eelam (LTTE), who carried out the latest attack remains unknown. The main purpose of the attack, according to the nature of the message the hackers had left, was to express opposition regarding certain policies of the Government.
What happened after the recent attack?
LK Domain Registry Domain Registrar Prof. Gihan Dias told The Morning that investigations are underway to find out further information about the said cyber attack, and also to see to it that similar incidents would not take place in the future. “We will identify and rectify any existing issues that may have caused this situation,” Prof. Dias said, adding that in order to do that, steps have been taken to improve the security measures of the existing systems. He also added that around 10 more domains are suspected to have been affected in the said cyber attack.
Sri Lanka Computer Emergency Readiness Team (SLCERT) Cyber Security Engineer Ravindu Meegasmulla told The Morning that they are closely assisting the investigations in this connection, along with the LK Domain Registry and the Telecommunications Regulatory Commission of Sri Lanka (TRCSL).
Information technology professionals’ opinion
Software engineer and cyber security researcher Duminda Jayasena told The Morning that when he attempted to look into the latest cyber attack, the Internet Protocol (IP) address directed him to a company based in a foreign country.
He added: “Usually, when a Google domain is searched, it should come under Google, making it possible to find out the entity that has registered the relevant domain. Even when this incident happened, when searched after clearing the cache memory, it redirected to the correct US server. It should also be noted that after some time, Google had indexed the hacked website, without realising that it had been hacked. Even though it was reported that several other websites had also been hacked, currently, there is no further information in that connection. If these other websites included important entities such as banks, there is a higher risk, as online banking involves using usernames and passwords. As we see, there are two possibilities – it could be a domain name system (DNS) poisoning incident, or, a computer connected to the Domain Registry may have been hacked. If it was in fact a DNS poisoning incident, they may have planned well.”
He explained the technological aspect: “When an internet user searches for a certain website, the browser cannot understand the name that was searched, but only the IP address. A domain register maintains a cache regarding what the website in question is, and it can be changed in a number of ways. In this context, intervening in this process can be called hacking. Changing the cache in this manner can also be called an incident of DNS poisoning (cyber attacks that use the vulnerabilities in the DNS, in order to divert the internet traffic away from the legitimate servers to an illegitimate one). When users search for Google.lk, instead of the real IP, what they received was another IP.”
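The two possibilities raised above (poisoned resolver caches versus a change made on the registry side) leave different traces, and an administrator can tell them apart by comparing the delegation published by the parent zone with the answers several resolvers return. The following is an added example, not part of the original article or any tool it mentions; the baseline, name servers, resolver labels and addresses are constructed placeholder values, and the verdict names are this example's own.

```python
import ipaddress

# Constructed baseline for a hypothetical domain; names and addresses are
# documentation values, not data from the incident.
BASELINE = {
    "ns": {"ns1.example.net", "ns2.example.net"},
    "networks": [ipaddress.ip_network("192.0.2.0/24")],
}

def deviates(ips, networks):
    """True if any returned address lies outside the expected networks."""
    return any(
        not any(ipaddress.ip_address(ip) in net for net in networks)
        for ip in ips
    )

def classify(baseline, delegation_ns, resolver_answers):
    """Return (verdict, resolvers_with_unexpected_answers).

    delegation_ns: NS names the parent (TLD) zone hands out for the domain.
    resolver_answers: {resolver label: [A records it returned]}.
    """
    odd = sorted(r for r, ips in resolver_answers.items()
                 if deviates(ips, baseline["networks"]))
    seen_ns = {n.lower().rstrip(".") for n in delegation_ns}
    if seen_ns != baseline["ns"]:
        # Delegation itself was altered: a registry/registrar-side change.
        return "delegation-changed", odd
    if not odd:
        return "consistent", odd
    if len(odd) == len(resolver_answers):
        # Every cache agrees on the new data: zone content changed upstream
        # or the baseline is stale (e.g. a legitimate migration).
        return "authoritative-data-changed", odd
    # Delegation intact, only some caches differ: inspect those resolvers.
    return "resolver-cache-suspect", odd

# Constructed observations for the two hypotheses.
DELEGATION_CASE = (
    ["ns1.unknown-host.example.", "ns2.unknown-host.example."],
    {"resolver-a": ["203.0.113.7"], "resolver-b": ["192.0.2.10"]},
)
CACHE_CASE = (
    ["NS1.example.net.", "ns2.example.net"],
    {"resolver-a": ["203.0.113.7"], "resolver-b": ["192.0.2.10"],
     "resolver-c": ["192.0.2.11"]},
)

if __name__ == "__main__":
    print(classify(BASELINE, *CACHE_CASE))
```

In the delegation case, a resolver that still returns the expected address is serving a cached record from before the change, so a single correct answer does not show that the delegation is intact.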
Jayasena also said that the Domain Registrar should take steps to inform Sri Lankan information technology administrators to be vigilant of their systems/domains being hacked. He further requested internet users to be cautious about cyber attacks and to reset their usernames and passwords regularly.
He added: “This is not the worst damage hackers can do to a country; the hackers who carried out this cyber attack merely delivered a message. It is not possible to rule out the possibility of hackers using similar or advanced methods to carry out more cyber attacks in the future. They are always looking for vulnerabilities in the computer systems they want to hack.”
Bug bounty programmes
Jayasena said that one of the very effective measures Sri Lanka can adopt to counter rising cyber security-related issues, especially cyber attacks, is “bug bounty programmes”.
A bug bounty programme is a concept which involves organisations, websites, and governments getting the support of information technology experts, including hackers and private information technology professionals, to test and identify bugs (an error, fault, or flaw) in computer programmes and systems, in exchange for recognition and/or monetary rewards.
He added: “Bug bounty programmes have gained recognition in the modern world as one of the most effective approaches to identify and rectify bugs, and a lot of entities and governments, including Google, Facebook, and also governments such as the US Government and governments in Europe, have adopted this method. This has also evolved as a mainstream industry. The most important characteristic about this method is that it can attract the best information technology experts from around the world, since there is a reward.”
According to Jayasena, if the Sri Lankan Government also pays attention to launching a method of this nature, which may or may not involve a monetary reward, experts from around the world will come forward to assist Sri Lanka to rectify existing issues in computer systems. He also said that there are a lot of information technology experts in countries friendly with Sri Lanka such as the US, India, China, as well as Russia. He noted that Israel also has good experts who might be able to extend support in this connection, adding that Sri Lankan experts in the field are also able to help if they are given an opportunity to do so. “For all we know, hackers from such countries may have already penetrated into Sri Lanka’s information technology systems,” he added.
He emphasised that adopting newer methods is necessary in order to deal with information technology-related issues, and that even though it may be difficult to completely prevent cyber attacks, it is possible to significantly reduce such incidents.
Updating government websites
Meanwhile, Information Technology Society of Sri Lanka (ITSSL) Chairman Rajeev Yasiru Kuruwitage said that the Government should pay attention to introducing effective laws pertaining to cyber security and updating government websites more frequently.
Kuruwitage told The Morning that government websites not being updated as they should be could make these websites vulnerable to cyber attacks.
He added: “The updating of government websites with a focus on improving security updates is something that is lacking currently. Some government-maintained websites have not been updated for years. Information technology is a field that evolves rapidly, and in this context, these updates are of extreme importance. It does not seem like they are enthusiastic to do these updates. There are a number of state-run information technology institutions, and more attention needs to be paid by them in this connection. Moreover, cyber security also falls under the broader topic of national security, as cyber attacks can be used to cause greater damage, and the Government should raise awareness about this topic more often. If the Government takes steps to do that, the public can also pay adequate attention to protecting themselves as far as cyber security is concerned.”
Meanwhile, Jayasena added that in a context where Sri Lanka, especially its government websites, has faced cyber attacks in the past, information technology organisations should pay more attention to averting the recurrence of similar attacks. The failure or delay in doing so may indicate that the resources of experts are not being used, as Sri Lanka possesses adequate infrastructure.
Need for new, strengthened laws to address cyber attacks
Kuruwitage also added that in Sri Lanka, the right to privacy, especially concerning cyberspace, is lacking. He stressed that in order to address this loophole, laws pertaining to cyber security should be strengthened and updated. According to him, the most applicable law existing in Sri Lanka is the Computer Crime Act, No. 24 of 2007, and the Cyber Security Bill also lacks definitions of certain terms pertaining to cyberspace and related attacks. He also said that even though cyber crimes are increasing in various forms, the legal provisions available to deal with such crimes are lacking, which can be an issue when instituting legal action against incidents involving cyber crimes. He noted that while introducing new laws, amending the existing laws in line with the developments in the information technology field, with a focus on terminologies and defamation, is also important.
He noted: “This latest incident was mainly carried out targeting the Google.lk domain. Internet users were not directed to the Google server, but a different one. These types of incidents are difficult to be referred to under the provisions of the Computer Crime Act, No. 24 of 2007, and it would be difficult for Google also to take legal action in this connection. Some claim that this happened due to government websites not being updated properly, and that therefore, identifying and rectifying the existing loopholes should be given priority.”
He added that even though a number of information technology organisations have held discussions with the authorities including politicians regarding the Cyber Security Bill and other relevant laws, so far, no concrete decisions have been taken to improve the laws.
Internet user protection
When queried about how cyber attacks can affect regular internet users who do not possess in-depth knowledge to protect their internet-based accounts and data, and what steps they can take to avert such, Jayasena added that two-factor authentication, even though it has been in use for some time, is a recommendable precaution that provides a good level of protection.
He explained: “One of the most used methods of hacking a computer system or an internet-based account is by showing the internet user an interface similar to that of the authentic one. When the user types in their username and password, they are directed to the hacker, and hackers can use them to access the user’s internet-based accounts. If an internet user has activated two-factor authentication, they receive a one-time password, which allows the users to access their accounts with advanced protection. This method prevents the hackers from accessing the accounts, even if they had obtained the log-in details including the passwords. There are other ways also to hack an account, but this method can provide significant protection.”
Speaking of the evolving information technology field, Kuruwitage noted: “What used to be physical conflicts have transformed into technological wars. Cyber attacks can not only affect computer systems, but also a country’s national security as well as the economy. Current cyber threats may not be very significant; however, other countries have reported incidents of cyber attacks leading to greater damages such as the loss of lives and disruptions to services such as power supply, operations of hospitals, and online banking activities. Due to the increasing use of information technology in almost all sectors to ease day-to-day activities, cyber attacks can now affect people’s lives more than before.”
Sri Lanka, like all other countries in the world, has to evolve with the new technological advancements, and a future without information technology is almost impossible to imagine. In this context, while embracing the new technology, it is important to adopt newer methods to protect the privacy and security of the country’s computer systems. The latest incident, and several similar incidents that happened in the past few years, emphasise this need.