March 14, 2016

80 million dollars was stolen from a bank in Bangladesh through purely electronic means. In the aftermath, it has been said that the Philippines must also take "cyber threats" seriously. I couldn't agree more. But do we really understand the level of that seriousness? Do we actually understand how severe the state of the Philippine ICT infrastructure really is? It just might be worse than you thought.

The news of the Bangladesh bank hacking, where the hackers were able to steal 80 million dollars (but failed to complete their heist due to a typo), has been heavily in the news for the past couple of days. Obviously this has been noticed in the Philippines, since the stolen money was (unfortunately) routed to the Philippines, and a local high-profile businessman and one of the major banks were linked to what was happening. And since it's election season, it has of course been noted by politicians. Notably, Senator Ralph Recto made a public statement and presented the incident as proof that the Philippines must take "cyber threats" seriously. Again, I couldn't agree more. But I also feel from the wording of the associated press communications that there is still a fundamental misunderstanding or non-acceptance of how severe the state of the Philippine ICT infrastructure really is. In the following, I offer a glimpse of how bad it actually is in real life:

A couple of weeks ago, my Globe DSL line at home stopped working. One day, without warning, we simply couldn't use the Internet anymore. Not that the line was down: In fact there was a connection, but the immediate symptom was that whatever website we tried to access, we were always routed to an error page of Globe, telling us to call them. Actually, all outgoing TCP ports were blocked aside from 80 and 443, and port 80 was consistently rerouted. Port 443 (HTTPS) actually worked, so we had limited Internet access through HTTPS only (although extremely slow). Incidentally, this happened at a time when I noticed that my Globe wireless data (2G / 3G / LTE) also became completely unusable. Not that it had ever worked well, but now I couldn't load anything at all. I'm used to retrying three times to load a page, but now even 30 minutes of retrying wouldn't help (I am persistent because I NEED Internet for business). So being a Globe customer, no Internet of any kind was available. Not wired, not wireless.

So I tried to call the customer hotline using the cellular network (which was still working to some degree). The call kept getting cut. But being persistent, I was able to work my way through the IVR system. I noted that access to customer support was rerouted to an infinite loop. Once it's time for the system to connect you to a human agent, it throws you back to the beginning of the process. I went through it a few times. It was consistent. Intentional or accidental? Oh well, I figured: I'll press a different number in the IVR flow to talk to a sales representative instead of customer support. That worked perfectly, and immediately I was connected to a sales agent. Interesting. The sales agent was then kind enough to forward my call to support. Most probably there were a lot of incoming support calls.

I got to talk to two different people, both with different excuses, and despite pressing them hard to explain what was happening and why (because they both clearly expressed familiarity with the exact symptoms I was describing), neither was able to provide any sign of having any actual knowledge on the matter. They seemed to understand that to fix the problem, they'll "reset" things, but never really understood why stuff like this happens. Ultimately, an engineer was sent to my home. And he blamed the problem on the quality of my inside wiring.

Really, a TCP/IP level configuration issue (port routing) on the Globe network is a problem that I would need to fix with the physical cabling inside the house? This would be either simply incompetence or bad attitude / intent (or both) on the side of the engineer. Either way, we had some "serious" discussions with the engineer. He never admitted any fault or the existence of any problem. But then silently fixed the problem (apparently by "resetting" something) without admitting to ever doing anything. So the DSL kind of works now, but continues to be extremely slow (somewhere between super slow and useless during the day, a little bit better during the night .. Same as what I have observed in certain provincial networks). And whatever the engineer may have "reset", it appears that neither he nor anyone else has any idea (or interest in) what the real cause of the problem was, and how the same could be prevented in the future.

Also, to this day, Globe wireless 2G, 3G and LTE Internet are useless. Loading any web page will consistently fail. Repeatedly. Recently, our SMS sending and receiving has gone on and off, and the Globe wireless signal has significantly reduced. One of our SIM cards stopped working almost completely. Much of the time, we have had no Globe cellphone signal at all, whichever part of the country we have been in (and we have gone around to different provinces, islands and regions during the past week). Apparently the network in Bacolod works better than in Alabang. But overall, it seems like there are massive internal issues within the overall Globe network (?).

So one might think: Maybe it's a problem with Globe Telecom? So once I got to my office, where we have a PLDT DSL line, I decided to compare and make a quick investigation there as well. I noticed that while the PLDT connection sort of works, it's also extremely slow. My wireless access point seemed to be crashing under some kind of heavy load that is not coming from inside the office network. Some employees reported to me that their home PLDT DSL lines were also down. One of the companies we work with that is very close to PLDT reports consistent and recurring Internet downtime. I got news that another one of our clients (a major company that is also critical to the overall functionality of the country, but in a different way) had an email system crash, and the emails were reverted a few months backwards. Either a backup restoration or a system time malfunction, I would guess from just the sound of it. At the same time, we witnessed our cellphone clocks being moved randomly backwards by the cellular network.

Very strange symptoms all around. It all felt like something terrible was happening.

When I finally got to access Google search, I saw at the top of the news the articles about "China having taken another island from the Philippines". I can only speculate whether there was a connection between the news and the incidents I was observing. Or maybe it's election related?

But simply for the sake of considering it, I asked myself: What if somebody wanted to mess up the Internet infrastructure of the country in order to cause confusion and chaos? How easy would it be and what would one need to do? What if that was already happening? So I did some investigating.

The results are .. Disturbing.

I quickly found out that my Globe DSL modem has internal configuration interfaces (the web based one is obvious, but there are more ..) that are fully open for access, and equipped with default passwords that are VERY easy to guess. Any person or any software on any computer within the network can reconfigure and mess with the DSL modem to their heart's content (maybe they're externally accessible as well, I couldn't tell since the line is down so often). And that's without any hacking at all. The usernames and passwords are EXTREMELY easy to guess (I will refrain from posting the exact details here, but these are really at the top of the list of the "most commonly guessed credentials", including all-time favorites such as "1234", "user" and "admin").

So back to the office. PLDT should be better, we hope? But it isn't. In fact, it's much worse. Fundamentally, it's the same thing: The PLDT DSL modems are fully accessible and configurable. But verifiably, this works from both within corporate networks and through the public Internet. Yes, once you know the public IP address of a PLDT DSL modem, you can reconfigure it, shut it down, restart, etc., remotely over the Internet. Unfortunately this works with a lot of company networks in the Philippines. The usernames and passwords for the web based interfaces are again EXTREMELY guessable, and if you run out of inspiration, they are also very googlable (obviously, since this is so very elementary, many people before me have figured out the same, and there are forums that contain lists of the commonly used credentials, none of which are very complicated). On some PLDT DSL modem models, they have been kind enough to PRE-FILL the password field so that to gain access, all you need to do is press enter! Seriously. And as with Globe, the web based interface is OBVIOUS, but not the only available point of access. For crying out loud, many of these things have TELNET based administration interfaces, some of them without any authentication at all! All this is obviously very very accessible for unauthorized access.

Having discovered this, I would want to change the password or otherwise fix this for myself so that at least my own network will be secured. But I can't. There's not even a feature for changing the administrator password. Or closing external access to the configuration interface. Nothing. The only thing I can do is to unplug the modem. But then what? I could actually build my own DSL modem from my own custom equipment and my own software, but I have actual work to do (which is the reason why I'm trying to outsource telco operations in the first place), and from the perspective of the country overall, how many can really do that?

Then I go to a public WiFi hotspot. And a coffee shop that offers Internet access. Within a few minutes, I can have administrative access to switches on the network, wireless access points, etc., and as a side product, apparently the internal SQL databases of the coffee shop system and other things. All fully open and accessible on the network, mostly using (again) very easy to guess passwords, or otherwise default credentials that are retrievable from the websites of the manufacturers of the equipment.

And again, this is EXTREMELY SUPERFICIAL. There is no hacking involved, even. This is just having everything wide open, like inviting people in to mess things up. This is on a far more elementary level before even starting to consider the fact that most of these devices seem to be using software that appears to be from the 1990s (seriously), which would have numerous known security vulnerabilities that surely haven't been patched, and never will be. But this is still on a level that is way simpler than that. We're not even there yet. Everything is just open.

So just as a purely theoretical thought play, I asked myself: What if I was a representative of (using Ralph Recto's words) "countries we are not so friendly with", what could I do to cause harm to the Philippines? Just off the top of my head, I could easily do something like the following:

- Get a few junior script kiddies to scan the known public IP address space of PLDT and come up with a database of all accessible DSL modem IP addresses.

- Run them through with default passwords and mark successes to the database. For any failed attempts, run a dictionary attack on username and password, most probably successful. I'd expect at least 95% coverage.

- Have the same junior script kiddies make a simple script that will go through the entire database and shut down each of the DSL lines.

- Create a big red button that says "Shut down the Philippines" that, once pressed, will run the script, and consequently shut down all the PLDT DSL lines in the Philippines.
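Seen from the defender's side, the sequence just described (a scan, then default-credential guessing against wide-open management interfaces) leaves a recognisable trace wherever a device or an upstream firewall logs management logins at all. The following is an added example, not code from the original post or from any telco: a small detector that reads authentication events from a management interface and flags (a) any login activity from outside the private address ranges, (b) successful logins with a commonly guessed default username from such external sources, and (c) sources that fail repeatedly. The log format and every address in `SAMPLE_LOG` are constructed for this example; real modems and routers log differently (if at all), so `LINE_RE` would have to be adapted to the actual device.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format, not output of any real Globe/PLDT
# device). One line per authentication attempt on the management interface.
SAMPLE_LOG = """\
2016-03-10T02:14:07 mgmt telnet login user=admin result=fail src=203.0.113.9
2016-03-10T02:14:08 mgmt telnet login user=user result=fail src=203.0.113.9
2016-03-10T02:14:09 mgmt telnet login user=root result=ok src=203.0.113.9
2016-03-10T02:14:11 mgmt http login user=admin result=ok src=203.0.113.9
2016-03-10T08:30:02 mgmt http login user=admin result=ok src=192.168.1.20
2016-03-10T09:12:44 mgmt http login user=admin result=fail src=198.51.100.4
2016-03-10T09:12:45 mgmt http login user=admin result=fail src=198.51.100.4
2016-03-10T09:12:46 mgmt http login user=admin result=fail src=198.51.100.4
"""

# Matches the constructed format above; adapt to the real device's log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mgmt (?P<svc>\w+) login user=(?P<user>\S+) "
    r"result=(?P<res>\w+) src=(?P<src>\S+)$"
)

# Usernames from the "most commonly guessed credentials" lists the post refers to.
DEFAULT_USERS = {"admin", "user", "root", "1234"}

# RFC 1918 ranges: anything outside these is treated as the public Internet.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def parse(log_text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_external(addr):
    """True if the source address is not in a private (RFC 1918) range."""
    ip = ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def analyse(events, fail_threshold=3):
    """Return the three findings a defender would want to act on.

    external_sources:        every public IP that touched the management login
    external_default_logins: (src, service, user) for successful logins with a
                             default username from a public IP
    guessing_sources:        public IPs with >= fail_threshold failed attempts
    """
    external_sources = set()
    external_default_logins = []
    fails = defaultdict(int)
    for e in events:
        if not is_external(e["src"]):
            continue  # LAN-side administration is expected; not flagged here
        external_sources.add(e["src"])
        if e["res"] == "fail":
            fails[e["src"]] += 1
        elif e["user"] in DEFAULT_USERS:
            external_default_logins.append((e["src"], e["svc"], e["user"]))
    guessing_sources = sorted(s for s, n in fails.items() if n >= fail_threshold)
    return {
        "external_sources": sorted(external_sources),
        "external_default_logins": external_default_logins,
        "guessing_sources": guessing_sources,
    }


if __name__ == "__main__":
    report = analyse(parse(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The important finding is the second one: a successful login with a default username from a public address means the interface is both reachable from the Internet and still carrying the factory credentials, which is exactly the condition the post describes. The failure threshold only catches sources that are still guessing; a device with prefilled or empty credentials will show no failures at all, so the first two findings matter more than the third.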

That is something that a junior script kiddie can do. Imagine what a group of professional hackers would be able to accomplish.

That big red button most certainly already exists. In multiple different implementations.

Given the symptoms we are experiencing, one of those buttons may well have been pressed.

Unfortunately this is something that can't be fixed with legislation. This is rooted in the bad culture and deep ignorance that runs our networks. We will need to fix each and every piece of network equipment out there (the DSL modems are just a representative sample: This includes switches, routers, WiFi access points, everything). With understanding and competence. And the sooner we start, the sooner we can start talking about real security.
