Information security awareness in the Republic of Macedonia
As a citizen of the Republic of Macedonia, I am asking myself: why are we so insecure?
Why are we not taking care of personal information security?
Why are our government servers getting hacked nearly every day?
Why are we not respecting the personal data security law that has been in force in our country since 15.03.1994 (Official Gazette 12/1994), with amendments up to 2011?
Why? Why? Why?
Here are the answers:
The public and private sector organisations that store personal data of the citizens of RM act without any sense when it comes to information security. During my professional career I was able to talk with some banks and other institutions that were really insecure and ready to be hacked. From these holders of personal data I was getting nonsense answers like: "we have a backup and we are secure". Come on guys, we are talking about leaks of personal information, about flaws and hacks, and about information and identity theft! When you don't know something, don't try to improvise. The companies and institutions here in RM are not playing the game by the rules. IT security has its own defined rules, procedures, policies, frameworks and certifications.
The banks, which are directly exposed to the threats and risks, also act very carelessly when the question is IT security. They wait for something bad to happen, and afterwards they act as if "we had an electricity failure". We read nearly every day in the daily newspapers about credit card fraud and about victims who got skimmed at ATM machines. The ATM machines and the e-banking solution are the property of their owner, so the owners of these assets must take care of them in terms of security and support. If an end user is hacked through an ATM by some skimming method, or through the e-banking solution, the responsibility for this must lie with the owner, not with the user! Unfortunately this is not how it works in RM. If you get hacked, the bank will not refund your money, and they will blame you from the education side: you didn't change your password, or you didn't see the skimmer that was installed on the ATM machine. This is absurd, because a normal user cannot be a security expert able to detect skimmers, loggers, weak passwords, phishing, etc.
So the biggest job here is in the hands of the ombudsman, who must prepare penalties for those companies that do not protect personal information. So, dear asset owners, secure yourselves, because the hackers are always one step ahead of you. Today there are worldwide security standards for securing information and technology that are mandatory for asset owners. Of course these procedures and standards will not protect you 100%; that is impossible, because risk always comes together with profit. "No risk, no profit" is the most secure way, of course, but nobody wants this, because everybody wants to work and to profit.
The mandatory standards for asset owners (private and public sector) are:
*ISO 27001 Information Security Management System
*ISO 27002 Code of practice for information security management
*ISO 27005 Information security risk management
*ISA Security Compliance Institute (ISASecure, for industrial control systems)
(And other standards related to the technology.)
For the employees who deal with personal and confidential assets:
*CISSP
(And other certifications related to the position within the asset owner.)
Companies make their biggest mistake when they take an already employed IT staff member and send them for education and certification in IT security. Such a person cannot be as successful as an ethical hacker (white hat) or an IT security professional who is experienced and deals only with IT security. They can't think outside the box, because they have a limited education, just enough to take the exam and get the (IT security) certification; and this happens because companies don't want to hire a new employee.
Earlier I published some articles on IT security in RM, and I want to share them here together with this article. As you can see, two years ago I published the security threats on the three biggest web hosting servers in RM. I tried to contact them in the proper way, but I didn't get any answer from them. After that I decided to share the findings publicly, for educational purposes.
1260 web sites… can be HACKED in 5 minutes!
On June 10, 2010 I modified and found a new FLAW in FCKeditor to gain full root access to the three biggest Internet service providers in Macedonia. The hack was working on Microsoft IIS web servers with an exploitable version of the open source web-based editor FCKeditor.
During a penetration test on a web site of a relative of ours, I discovered that the hosting server was not well secured. During the scans I discovered that the owners of the web server were not informed about the exploit of FCKeditor on the ASP platform. I contacted the authorities in all the regular ways to warn them about the exploits, but nobody took my advice seriously. After a couple of months of waiting, I released the information publicly on my BLOG and Facebook fan page. The funniest thing is that the same flaws still remain on that server after two years.
As proof, I released the username and password of the web server's local administrator credentials, with the password partially masked with asterisks (*).
Web server of NEOTEL. Platform: Microsoft IIS.
IP: 220.127.116.11  user: IUSR_WEBSERVER  pass: GE|-TWRZc*****  domain: 80  path: c:\inetpub\wwwroot
Full Read/Write/Execute access!
Web server of ULTRA. Platform: Microsoft IIS.
IP: 212.13.93-95  user: IUSR_APOLLO  pass: $rEM273#******  domain: 80  path: D:\wwweb
Full Read/Write/Execute access!
Web server of T-HOME. Platform: Microsoft IIS.
IP: 18.104.22.168  user: IUSR_WEB3NEW  pass: d4O0Y)JT'*****  domain: 80  path: c:\inetpub\wwwroot
Proof of concept:
To hack these servers you need to find a web site that uses FCKeditor. For that you can use Google or another search engine with this query:
site:mk inurl:fckeditor
After that you need to test the URL path of the FCKeditor file browser with this modified query string: "browser.html?Type=/././&Connector=connectors/aspx/connector.aspx"
As you can see, I am asking it to list the root of the location where FCKeditor is installed by passing "/././" as the Type value, and the result is a listing of that folder's contents. After this, the upload manager of FCKeditor is ready to do the rest for the bad guys, who can easily install a SHELL or other BACKDOOR tool on this web server once they find a directory with "write" permission.
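Added example, not code from this article, from FCKeditor or from the hosts named above: a Python model of the connector path handling behind that request, showing the unvalidated resolution beside a hardened one, plus a request-level check of the kind a WAF rule or an IIS log review would use (this also covers the "Web Architect" sites discussed further down, which embed the same editor). The web root, the userfiles prefix and the join semantics (a rooted Type value discarding the configured prefix, as posixpath.join and .NET's Path.Combine both do) are assumptions; the page shows only the request and its effect.

```python
# Added example: model of an FCKeditor-style connector's path resolution.
# Not code from the article or from FCKeditor; roots and join semantics are assumptions.
import posixpath
from urllib.parse import parse_qs

WEB_ROOT = "c:/inetpub/wwwroot"        # assumption: where IIS maps "/" (forward slashes for clarity)
USER_FILES_URL = "/userfiles"          # assumption: the connector's configured UserFilesPath
ALLOWED_TYPES = ("File", "Image", "Flash", "Media")  # resource types the FCKeditor connectors define


class ConnectorError(ValueError):
    """Raised by the hardened resolver when a request is rejected."""


def map_path(url_path: str) -> str:
    """Mimic Server.MapPath: a root-relative URL path is mapped below WEB_ROOT and normalised."""
    return posixpath.normpath(WEB_ROOT + "/" + url_path.lstrip("/"))


def vulnerable_resolve(resource_type: str, current_folder: str = "/") -> str:
    """Old-connector behaviour: prefix + Type + CurrentFolder joined with no validation.

    posixpath.join (like .NET Path.Combine) discards everything before a rooted
    component, so Type="/././" throws away the /userfiles prefix and the listing
    that comes back is the web root itself; "../" sequences walk upwards too.
    """
    joined = posixpath.join(USER_FILES_URL, resource_type, current_folder.lstrip("/"))
    return map_path(joined)


def hardened_resolve(resource_type: str, current_folder: str = "/") -> str:
    """Allow-list Type, accept only plain folder names in CurrentFolder, then confine."""
    if resource_type not in ALLOWED_TYPES:
        raise ConnectorError(f"unknown resource type {resource_type!r}")
    parts = [p for p in current_folder.split("/") if p not in ("", ".")]
    if any(p == ".." or "\\" in p or "\x00" in p for p in parts):
        raise ConnectorError("CurrentFolder must be a plain path below the resource root")
    base = map_path(posixpath.join(USER_FILES_URL, resource_type))
    target = posixpath.normpath(posixpath.join(base, *parts)) if parts else base
    if target != base and not target.startswith(base + "/"):
        raise ConnectorError("path escapes the resource root")  # defence in depth
    return target


def rejects(resource_type: str, current_folder: str = "/") -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(resource_type, current_folder)
    except ConnectorError:
        return True
    return False


def suspicious_connector_request(query_string: str) -> bool:
    """Request-level check for the same abuse, as a WAF rule or IIS-log review would do."""
    params = parse_qs(query_string, keep_blank_values=True)
    if any(t not in ALLOWED_TYPES for t in params.get("Type", [])):
        return True
    for value in params.get("CurrentFolder", []) + params.get("Connector", []):
        if ".." in value or "\\" in value:
            return True
    return False


if __name__ == "__main__":
    for t in ("Image", "/././", "../../"):
        print(f"Type={t!r:12} old -> {vulnerable_resolve(t)}  hardened rejects: {rejects(t)}")
    print(suspicious_connector_request("Type=/././&Connector=connectors/aspx/connector.aspx"))
```

The old connectors' failure is the missing allow-list on Type combined with join semantics that honour a rooted component; the hardened version checks the name before building any path and re-checks containment after normalisation, so a bug in either step still fails closed. The request-level check enforces the same allow-list, which makes it usable against IIS logs of requests to browser.html and connector.aspx.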
How secure is the Public Revenue Office of the Republic of Macedonia?
On 16.02.2012 the Public Revenue Office of RM announced a new way of filing TAX statements over the Internet, http://etax.ujp.gov.mk. So, like all the other government services that are not very well secured: is this service secure? Can I submit my tax statement in a protected manner?
Are the confidentiality, integrity and availability of my information well secured?
This was the first question that came to the minds of a lot of citizens of RM. I will tell you my impression and research about this service. First of all, the service runs on a Linux platform with Apache Tomcat version 6.0.35 and a JAVA application. The choice is good! But the problem here is that the web server is not well configured. The "expert" (in quotes) who configured this server is not well educated, or he simply forgot to change the default username and password of the Apache Tomcat Web Application Manager, which can actually take us inside the server with FULL access to every single operation on the server.
So I am asking the question: how can one of the most important servers of the Republic of Macedonia be so insecure and so simple to get into? How do they expect me to submit my TAX statement through this unprotected service? Why didn't they make tests before publishing the service, and why didn't they perform penetration and ethical hacking tests? What if someone is sniffing the information, or submitting fake information? Who will take responsibility for such an incident? I hope that they will correct these security issues ASAP.
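Added example, not the Public Revenue Office's configuration and not Tomcat's own code: a Python audit of a tomcat-users.xml that flags accounts holding Manager or Host Manager roles whose password is a well-known default, equals the username, or is too short. This is the check an administrator runs on the file itself before exposing the Manager application; the sample files, the short default-credential list and the length threshold are constructed for illustration, and a real review uses the installation's own file and a fuller wordlist.

```python
# Added example: audit tomcat-users.xml for weak Manager credentials.
# Not the Public Revenue Office's file and not Tomcat code; sample data is constructed.
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager or Host Manager web applications
# (Tomcat 6.0.30+ splits "manager" into manager-gui/-script/-jmx/-status).
PRIVILEGED_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin", "admin-gui", "admin-script",
}

# Short illustrative list of (username, password) pairs seen in shipped example
# configs and scanner wordlists; a real audit uses a fuller list (assumption).
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""), ("admin", "tomcat"),
    ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"), ("tomcat", "s3cret"),
}
MIN_PASSWORD_LENGTH = 12  # assumption: local policy threshold

# Constructed sample: the installer's commented-out example user simply uncommented.
WEAK_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="etax-app"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="etax" password="x" roles="etax-app"/>
</tomcat-users>
"""

# Constructed sample of a corrected file: unique account name, long random password,
# namespaced root element as newer Tomcat releases write it.
HARDENED_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="ujp-deploy" password="J7x!Qm2#pV9rLw4zT6bN" roles="manager-gui"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace so namespaced files parse the same as plain Tomcat 6 ones."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> dict:
    """Return {username: {"roles": [...], "reasons": [...]}} for weak privileged accounts."""
    findings = {}
    for element in ET.fromstring(xml_text).iter():
        if _local_name(element.tag) != "user":
            continue
        name = element.get("username", "")
        password = element.get("password", "")
        roles = {r.strip() for r in element.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # an application-only user cannot reach the Manager app
        reasons = []
        if (name, password) in DEFAULT_CREDENTIALS:
            reasons.append("default credential pair")
        if password.lower() == name.lower():
            reasons.append("password equals username")
        if len(password) < MIN_PASSWORD_LENGTH:
            reasons.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        if reasons:
            findings[name] = {"roles": privileged, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, detail in audit_tomcat_users(WEAK_TOMCAT_USERS).items():
        print(user, detail)
    print("hardened file findings:", audit_tomcat_users(HARDENED_TOMCAT_USERS))
```

Tomcat ships its example manager accounts commented out, so a finding like the one above means somebody enabled them by hand. Beyond fixing the password, the usual hardening is to remove the Manager application from a production instance or restrict it to administrative addresses with a RemoteAddrValve, so that a credential guess from the Internet is not enough to deploy a WAR.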
How secure is the web page of the Ministry of Interior of the Republic of Macedonia?
The web site of the Ministry of Interior suffers from the FCKeditor exploit that I published in my earlier article. Detecting it is very easy, because the web site is built with "Web Architect" from the company Login Systems. So an attacker can gain FULL access to the web site of the Ministry of Interior with one single click. And if someone hacks the Ministry of Interior's web site, they will point at the application, not at themselves, as the problem. So everybody will blame "Web Architect" in this case, because it has an exploit, not the Ministry! So here comes the truth about this case:
Why is the Ministry of Interior not performing quarterly penetration tests and audits? Why did they choose an application without any security standard, like ISO/IEC 27034-1:2011 Information technology — Security techniques — Application security? So basically they bear the responsibility for making a wrong decision. A lot of government bodies and private companies are using the exploitable "Web Architect" CMS from Login Systems, or a standalone FCKeditor, so I will publish some of them here now, in the hope that they will fix this threat ASAP:
Sparkasse BANK: http://www.sparkasse.mk
State Faculty for Law: http://www.pf.ukim.edu.mk
This is the result from Google; of course there are a lot more with this threat, but maybe other security friends will search for them. As you can see, there are a lot of government and private companies with this threat, and I hope they will act ASAP to fix this information security breach.
Senad Aruc (Security Consultant) ISMS, SIEM, Ethical Hacking, Forensics