THE BUREAU of Internal Revenue (BIR) is investigating an alleged Filipino computer hacker who made an attempt to hack into the tax agency's website.
Although she didn't give additional details about the suspect, Lilia Guillermo, BIR deputy commissioner for information systems, said the hack attempt, which happened three weeks ago, was unsuccessful.
"The hacker entered through our website and tried to access some of the accounts. If the suspect was successful, he could have gotten through our database," Guillermo said.
Guillermo, however, assured that the BIR -- which has been massively modernizing its whole taxation system -- had effective firewalls and tracking applications in place.
On the other hand, Guillermo admitted that there had been several attempts to hack into the BIR website, though all of these were quickly averted even before the hackers got into the back end of the website.
"There were a few instances that we pulled the whole system's plug to avert further extending the attempt. But most attempts never got past the firewalls," Guillermo said.
Guillermo described some of the hackers as students and network administrators from abroad. The latest hacking incident, she said, would be the first local hacking attempt they have encountered.
"We knew that this problem would happen, which is why early into the modernization of the BIR, we installed some firewalls and intrusion detection applications. Luckily not one attack was successful," Guillermo said.
Guillermo added that the agency was already in the second phase of its network protection project, a 40-million-peso program aimed at strengthening the agency's database protection and anti-hacking elements.
The BIR has one of the biggest modernization and computerization programs among government agencies. It received a total of 700 million pesos from the e-Government Fund for half of its programs, which include the electronic filing and payments system (eFPS) and the e-Tax.
Just a clarification
I am part of the EFPS project. I am a developer here in charge of migration and updates. I won't say which company anymore.
Not to offend anyone working in BIR, but THIS IS A COVER-UP!
Here's what really happened. Someone attempted to change their password in SQL using an SQL statement. The bastard did not know how to include a 'where' clause in his statement and thereby changed the passwords of ALL users into his own. This can be proved by the database logs, which list that all passwords were changed within milliseconds of each other, which is physically impossible unless using an SQL statement. Furthermore, the logs traced the statement to an IP of a single PC in the BIR office. Obviously someone was acting like they knew Oracle and wanted to change their password through there, but it turns out they knew nothing about SQL and ended up changing everyone's password.
The question now is: how can a regular user have access to the password table in Oracle?
Isn't this accessed by a DBA role, especially in Oracle, where all a user can do is ALTER USER <his own ID> IDENTIFIED BY <new pwd>? Or is the BIR's Oracle setup not secure? Or they're not using Oracle? Hmmm...
I'm not too sure, but as best as I can figure out:
It's because there are default users there that we use for development. Now these users have TOTAL access to the DB. These users are known throughout the BIR for testing purposes. The DBA must have forgotten to restrict access to these users, and one of them used this default ID to access the DB.
The default users' usernames and passwords are: hehehe, I won't say anymore.. this might really get hacked for good, hehehe
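The log pattern described in the posts above (every account's password changed within milliseconds of each other, all from one source address) can be checked for mechanically. This is an added example, not part of the thread or of any BIR system; the log layout, account names and addresses are constructed, and `find_bulk_changes` is a hypothetical helper.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts account src_ip")

# Constructed sample audit lines: "<ISO timestamp> <account> <source address>".
# The layout, account names and documentation-range addresses are made up.
SAMPLE_LOG = """\
2000-01-01T09:15:02.000 acct_a 192.0.2.21
2000-01-01T09:40:10.500 acct_b 192.0.2.33
2000-01-01T10:02:11.101 acct_a 192.0.2.77
2000-01-01T10:02:11.101 acct_b 192.0.2.77
2000-01-01T10:02:11.102 acct_c 192.0.2.77
2000-01-01T10:02:11.102 acct_d 192.0.2.77
2000-01-01T10:02:11.103 acct_e 192.0.2.77
2000-01-01T10:02:11.104 acct_f 192.0.2.77
2000-01-01T15:30:00.000 acct_c 192.0.2.77
"""

def parse(line):
    ts, account, src_ip = line.split()
    return Event(datetime.fromisoformat(ts), account, src_ip)

def find_bulk_changes(events, window=timedelta(seconds=1), min_accounts=5):
    """Bursts where one source changed >= min_accounts distinct accounts within window."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src_ip].append(ev)
    findings = []
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            j = i
            # Grow the burst while the next event is within `window` of its start.
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            accounts = sorted({e.account for e in evs[i:j + 1]})
            if len(accounts) >= min_accounts:
                findings.append((src, evs[i].ts, evs[j].ts, accounts))
                i = j + 1  # do not report overlapping slices of the same burst
            else:
                i += 1
    return findings

def run_sample():
    return find_bulk_changes([parse(l) for l in SAMPLE_LOG.splitlines()])

if __name__ == "__main__":
    print(run_sample())
```

On the sample, only the six changes from 192.0.2.77 within 3 ms are reported; the single changes made by individual users, including the later one from the same address, are not.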
what can we expect....
government projects are always awarded to the lowest bidder.
with 10-20% commission (SOP) to the head/s of the agency/city/municipality/province.
then pay a whole page ads in newspapers; make info commercials; and huge billboards with their names and faces posted about their projects. as if the money came from their pockets.
hehehe.. brings back memories of the movie Armageddon....hehe.. one of the astronauts said about the space shuttle.. "we are strapped in a ship with a thousand moving parts, made by the lowest bidder"..hmm..ehehe..
Yeah, exactly.. I think it's more about the access rights of the database ... it looks like they didn't change the user rights from the dev to the production server.. he he he...
An Admin logged on to a User's/Newbie's workstation but forgot to log off *stupid and irresponsible*, and when the User came to use the PC, he/she discovered that the Admin had forgotten to log off. So the User browsed, tested some menus, tried this and that, experimented and attempted to change his password and privileges and *boom* the next thing he/she knows, he/she pressed the wrong button. *hehehe*
Then the Admin found this "error" in the log, and traced the error to that workstation. "Oh No! Stupid me!", the admin realized his/her mistake, and when the uber officials asked him/her what happened to the system, the very responsible Admin reported that someone was attempting to hack their system. *to save his ass*
Actually, FrankDrebin's observation happens most of the time to admins who are not careful with their access rights ... that's why most of the servers are located in a "restricted server room", to be able to protect them from physical access by ordinary users. Just my 2 cents ;-)
Originally posted by zero:
what can we expect....
government projects are always awarded to the lowest bidder.
with 10-20% commission (SOP) to the head/s of the agency/city/municipality/province.
then pay a whole page ads in newspapers; make info commercials; and huge billboards with their names and faces posted about their projects. as if the money came from their pockets.
Not all of them, though. There are also good ones (probably just a few).
Let me add too: the lowest bidder doesn't always win either. There are technicalities to it as well. Often, the bid is awarded to an acquaintance of someone with a high position in the purchasing agency....