The recent hacking of the prime minister’s website set off alarm bells among the government’s security watchdogs, but there are hundreds of well-trained hackers lurking in cyberspace ready to strike ill-prepared local networks.
And while Yingluck Shinawatra suffered little more than a few derogatory comments being posted about her, professional hackers are reaping huge financial rewards estimated to cost consumers worldwide over US$100 billion (2.9 trillion baht) annually. Prinya Hom-anake, founder of ACIS Professional Centre, an IT security training company, said such attacks are more common than many might believe.
A total of 2,960 local websites were hacked from September 2012 to last January, of which 1,250 were government sites, he said.
”Hacking nowadays is pervasive, particularly as automated hacking tools make it simple,” Mr Prinya said.
A local hacker said hundreds of people in Thailand in recent years have undergone technical training in cyber security.
”There’s no doubt that among the people who have studied computers and network security, some act as hackers, both for good and bad,” he said.
The hacker community, which traces its roots back to the start of the computer age, differentiates among hackers based on experience, expertise and intent. ”White hat hackers”, for instance, break into security systems for testing on behalf of government agencies or computer security companies.
On the other side are ”black hat hackers”, who will penetrate computer systems out of malice or for personal gain, either on their own or at the behest of other parties.
The popular stereotype of a hacker is an isolated, introverted computer geek whose life is spent primarily in front of computer monitors and hardware while immersed in a virtual world.
”It’s not so far from the truth,” said one hacker who refused to be identified.
He said, however, collaboration among hackers was commonplace, with many affiliated with specific online groups or social communities.
A hacker takes pride in finding new ”exploits” (ways to compromise systems), which then are disseminated quickly among peers to maximise gains before the loophole is closed by the target.
”Sometimes you work in pairs, and sometimes you work as part of a large collective,” he said.
One of the most prominent hacking groups goes by the name Anonymous, a collective of hackers from around the world that in recent years has claimed responsibility for cyber attacks against targets such as the Church of Scientology, the Recording Industry Association of America, the US Copyright Office and even online payment provider Paypal.
Mr Prinya, who describes himself as a white hat hacker and teaches hacking techniques to corporate clients to help them guard against cyberattacks, said there are two major underground hacker groups operating in Thailand, both with hundreds of followers.
The ”Unlimited Hack Team” was founded by Cambodian hackers and has since grown to include several hundred Thais, while the other group is called ”Stephack” and is led by four to five key leaders, with hundreds of followers.
Among the hundreds of websites hacked by the Unlimited Hack Team was Channel 3, which saw its website hacked with a banner asking, ”Where is my Nua Mek?”, after the television station decided to abruptly terminate the popular serial Nua Mek 2.CYBERSTRIKE ON PM’S OFFICE
Pol Maj Gen Pisit Paoin, head of the Technology Crime Suppression Division, said on Tuesday that the Unlimited Hack Team and another group, StepHack, were suspected in the attack on the PM’s Office website.
Last Sunday, Narongrit Suksarn, known online by the handle Lek Window 98se, reported to police investigators after being named as a suspect in the attack. Mr Narongrit, 29, denied any responsibility, but said he may have been smeared by Unlimited Hack after he left the hacking group.
According to the Technology Crime Suppression Division, Mr Narongrit had hacked into the PM’s Office website three days before the actual attack. Pol Maj Gen Pisit said he was suspected of sharing information about the PM’s Office computer system with other hackers, which was then used to carry out the actual attack smearing Ms Yingluck. Other members of the Unlimited Hack Team would be called in for questioning, said Pol Maj Gen Pisit, and the technology crime division has also asked its Cambodian counterparts for help in investigating other members of the group.
Mr Prinya, who has in the past collaborated with state agencies in investigating cyberattacks, said Lek Window 98se was an experienced hacker who certainly has the skills to have accomplished the attack.
He said hackers delight in testing their knowledge and skills against web or system administrators.
Within the underground hacking community, exploits are seen as badges of honour, and the two main local hacking groups compete against each other in hack attacks, no different than players in a video game. Both also earn money and gain followers by offering ”hacking” courses, post tips on vulnerabilities specific to certain websites or computer systems and even offer their services for hire to conduct denial of service attacks to shut access to websites of targets.
”The members of these underground hacking groups range from high school or college students to young workers in their mid-20s,” Mr Prinya said.
Hacking once was the province of computer specialists with technical understanding of programming languages and computer networks. Many were not motivated by malicious intent or the prospect of financial gain, but rather sought to test their own skills and knowledge against the security of a computer system or network, which in the early days of computing were run almost universally by academic institutions or research labs.
But the exponential growth in computing since the development of personal computers in the 1980s and the world wide web in the 1990s has raised the rewards of hacking to an entirely different level. Last week, authorities in New York announced that a group of cyberthieves were able to steal $45 million from ATM machines in 27 countries, including Thailand, by hacking into a database of prepaid debit cards to remove withdrawal limits set by banks. Over 20 suspects were arrested locally in connection with the scam, from Bulgaria, Bangladesh and Eastern Europe, said Pol Maj Gen Pisit.
Symantec, a leading computer security company, estimated in 2012 that cybercrime costs consumers $110 billion per year, including outright fraud, theft and the cost of prevention.
Local banks say the use of ”phishing” scams have increased locally with the growth of internet and mobile banking. In a typical scam, a user will receive an innocuous email or text message purportedly from their local bank asking them for their account number and password. Once inputed, it can be a matter of just seconds before your entire bank account is emptied.
A simple Google search for hacking tools can lead to any number of software programmes that can be used to break security on mobile phones, crack passwords or bypass copyright restrictions on software, e-books or movies. With a bit more research, or by joining any number of online hacking forums, an amateur hacker can quickly learn how to break in to a website or computer server.
Mr Prinya said there are hundreds of sophisticated, automated hacking tools available that allow neophytes to attack hundreds of websites within minutes.
But while these programmes may work against poorly maintained or misconfigured systems, successful attacks against more hardened targets are still mostly led by professional hackers skilled in programming languages such as Perl, Python, Ruby and PHP.
Mr Prinya said there are 10 popular techniques often used by hackers, with the most popular one, known as SQL injection, being the technique used to hack the PM’s Office. Hackers will also use anonymity tools and pre-paid phones to disguise or hide their identity and prevent authorities from tracing the source of an attack.
”Thai government websites are very weak, from a security perspective. Their vulnerability makes them easy to hack and so they are an attractive target,” he said.
Most government websites are designed through outsourcing contracts, with little testing of security and vulnerabilities.
”The government needs to change its mindset regarding information security. Websites, applications and systems need to be designed with security in mind,” Mr Prinya said.
He suggested that an agency be established with responsibility over information security. Authorities also need to have a ”cyber army” capable of defending _ or initiating _ cyber attacks against the country’s enemies, similar to agencies in the US, China, South Korea and other countries. ”And Thailand definitely needs to build up its security expertise. Otherwise the government will never be able to catch hackers, even the amateurs,” Mr Prinya said.