Ever since the mid-1990’s, when Sir Tim Berners Lee popularized it, the Internet has become indispensable to day-to-day living. It began then, a mere network – APARTNET – but is today, the World Wide Web – home to millions of web pages offering a plethora of information and services.
In time to come, computerized systems, restricted today to mobile and other communication devices will increasingly infiltrate otherwise mundane objects, cementing the coming of age of the ‘Internet of Things’.
Bearing these technological changes in mind, we look at what is happening at a micro-level in Sri Lanka. Not too long ago, a 17-year-old made headlines for hacking the official website of the President of Sri Lanka.
A New Zealand resident of Sri Lankan origin is currently in Sri Lankan custody for impersonating the Inspector General of Police on Facebook. Last week, Finance Minister Ravi Karunanayake distanced himself from Facebook and Twitter accounts purporting to be his.
In all of these cases, Sri Lanka turned to CERT – the Computer Emergency Readiness Team, which, together with the Cyber Crimes Division of the Police, is tasked with unraveling cases relating the digital sphere, such as these.
Daily News Online caught up with Roshan Chandraguptha, the Principal Information Security Engineer at CERT, also known as the National Centre of Cyber Security, to find out more about what the CERT does, and how.
Q: What is CERT?
A: CERT is an institution that works with information security in mind. We ensure the security of information exchanged through computer networks and the World Wide Web.
Q: Describe your operational structure.
A: Can we solve all the problems that occur within computer networks with just 11 people? This is a question that crops up all the time. To make things easier, to be more effective, we have adopted a method that many other countries have implemented – and that is to categorize computer networks by sector, or industry.
For instance, the networking systems and software used by Bank A, Bank B and Bank C are similar, so the problems that crop up within the banking system, although unique to the industry, are not dissimilar to each other.
When we look to categorize computer networks by industry, it becomes easier to identify problems and look for solutions to them.
For this reason we have set up an arm called ‘Financial CERT’. Similarly, we can set up ‘Telecom CERT’, to look into problems faced by the Telecom Industry and ‘Education CERT’ for to help school children and university students tackle problems relating to computer networks used within the education field and the Internet.
Q: What process does CERT follow when investigating a complaint?
A: Well, when you look at the name, CERT was initially, the ‘Computer Emergency Response Team’. That later changed to ‘Computer Emergency Readiness Team’ – which is to be prepared to face any eventual computer emergency related problems.
Our responsibilities are threefold: 1. We offer ‘Responsive Services’ –we respond to people dealing with problems faced on computer networks or the Internet. This is our primary responsibility. 2.’Awareness’, where we educated the public on how to use computer networks and navigate the Internet safely, and 3. ‘Consultancy Services’, where, from the inception, we advise people on how best to set up a secure computer network.
How we deal with a complaint, depends on the nature of the complaint – and it must be remembered that all we can offer is technological solutions.
Take a website for instance, let’s say there has been a breach of security – someone had illegally entered the website and changed data, posted other pictures. In cases like this, we conduct a ‘Vulnerability Assessment’, when we assess the vulnerability of a website, identity flaws in security and advise the interested party of how to rectify the situation.
That is how we deal with the technological aspect. On the legal side of the spectrum, if the complainant wants is to trace the perpetrator, we advise them to use legal mechanisms to do so – that is, to make a complaint with the Police and have the Police cyber crimes division trace the culprit and deliver a verdict on his decided by the law..
One other thing must be mentioned here – given the nature of computer networks and the Internet, and attack to a website could come locally, or internationally. In the case on international attacks, Sri Lanka has received full membership into two bodies – ‘AP-CERT’, that is Asia Pacific – CERT, and ‘FIRST’, which is the ‘Forum of Incident Response Security Team’. Through our membership with these bodies we are able to exchange information and knowledge on how best to proceed in cases outside the geographical boundaries of Sri Lanka.
Q: The recent hack on the President’s website: What happened there?
A: It’s like this. To host a website you need 1. Server, 2. An Operating System on which to run the site and 3.Various software with which to build the site – all of these areas need to be secure, or someone can infiltrate it from outside.
Then, when creating a website, there are data entry forms – if these are not secure, the site is also vulnerable to entry from outside. Even if all this criteria is met, there is the username/password entry point – if a user’s password is not strong enough, even if the other 4 key areas are secure, a person can infiltrate a website from outside.
The other thing you need to understand, is the nature of software– with software, what is secure today is not necessarily secure tomorrow. Someone, from somewhere across the world, can have, in one night, figured out how to breach the security of a website – with software it is necessary to conduct frequent assessments to ensure security. These are the areas through which an incident of that nature could have taken place.
Q: What intervention did CERT make in this regard?
A: Our intervention was from a purely technological standpoint: we conducted an assessment, and advised the relevant information security officers on how to secure the site, and how to prevent such attacks in the future.
Q: What cases are reported the most to CERT?
A: Until about 2010, we mostly looked into issue relating to information networks and how we could solve them. After about 2010 social networks began to popularize. Ever since then, the most number of cases we have received have been about fake Facebook profiles.
The thing about Facebook is that they already provide solutions to these problems. But people are not aware of these solutions. In many cases, people will ask a friend to create a Facebook account for them – they don’t know how to do it themselves Beyond basic navigation, they don’t know anything about Facebook and its security and settings.
A lot of problems on Facebook can be dealt with if people were more vigilant and aware of the network.
Q: Is CERT legally empowered or an only an investigative body?
A: What we offer is technical assistance only. If the security of your site has been compromised, or your Facebook account hacked, we can tell you how to secure your account or recover your profile. We cannot take legal action, because we are not a law enforcement agency.
Q: Are children safe on the Internet?
A: That’s a good question. The thing about the Internet is that it is open to the world – that means you have access to both the good and the bad in the world. A social platform contains all the kinds of people you meet in society – cheats, people who harass other people and people who harm children – are among these people.
Now in real life, we give our kids safety instructions: When they go to school, we say ‘go only in this van’, or ‘wait for your father or mother to pick you up’. We tell them, ‘don’t go anywhere with any unknown person’, ‘don’t talk to strangers’, ‘don’t give out information’, ‘don’t tell people how you come, how you go’….Things like that.
In the same way, before you release children onto the Internet, or give them access to the Internet, they need safety instructions. Because it is the same people you meet in the real world that you meet on the Internet. In the real world, interactions are limited to a geographical space. But with the Internet there are no such boundaries. So it is very important to remain vigilant about your child’s activities on the Internet.
Actually, about 5 years ago, having identified the importance of this area, CERT –together with the Education Ministry – initiated several island wide workshops for children and schoolteachers, to teach them how to navigate the Internet safely.
Q: Do CERT officers undergo specialized training?
A: Well, as explained before, we are members of AP-CERT, or Asia Pacific CERT. As a result of this, we attend a yearly conference, where we discuss the technological problems faced by different countries and come up with solutions for them. Two of our officers attend this conference every year.
In addition to that, we attend FIRST (Forum of Incidence Response Team) which is a five-day conference and workshop with the participation of CERT bodies from across the world and we exchange information and knowledge with these bodies to enhance our work.
In addition to all of this, in Sri Lanka, we conduct a yearly conference – this will be our 9th year. We conduct a ‘Hacking Challenge’ alongside the conference, where within a simulated and constructed environment, information security officers are invited to defend a website against hackers. We also conduct a quiz for university students to test their knowledge of information security.
Q: Is hacking on the increase in Sri Lanka?
A: What we need to understand is what the word ‘hacking’ means – Hacking is unauthorized access to a website or network. Under the Computer Crimes Act in Sri Lanka, this is a punishable offence.
On the other hand, hacking is necessary to test the security of a site – it is only once we try to hack into a website that we can see the loopholes and work towards securing them. So it depends on the person and the intention with which they hack.
Information Security officers hack into websites having obtained prior permission, and with the intent to test the security of the site. But someone else may not bother to ask for permission, and may simply hack the site, ‘for fun’ or to test his skills – if he is student of information technology – or to tell his friends ‘see what I did’ – he has no real-world understanding of the consequences of his actions.
Q: What are the obstacles faced by CERT?
A: The obstacles faced by CERT are the same as anywhere else in the world. Maintaining some form of control over the World Wide Web is a big challenge, because of the vast nature of the Internet.
For instance, it is possible for someone to hack a website in Sri Lanka, from outside the country – and in such cases it is hard to trace the perpetrator. Similarly, laws relating to computer crime are not the same the world over. So it’s difficult to enforce the law. These are the problems we face.
Q: What major threats have you identified as possible in the future because of the Internet?
A: One is the ‘Internet of Things’; that is, when ‘things’ begin to operate on computer systems, like vehicles, ships, airlines etc. – if we don’t know how to protect the security of these computer systems they become vulnerable to compromise and theft – because someone else can take control of them.
The other thing is misinformation. If we don’t know how to differentiate between right information and wrong information, we could be in serious trouble. For instance, we know the world is round. But someone may set up website ‘proving’ that the world is flat. Your child may get on the Internet to do his homework and find this website telling him the world is flat and he may believe it.
So it’s important that people learn to differentiate between correct information and misinformation on the Internet..
Q: Can CERT help recover explicit content that has leaked onto the Internet?
A: In cases like these, CERT can’t block the website that is publishing leaked explicit content. We can only request that web administrators remove that content, and very often web administrators comply.
But what is more important is to prevent such thing from happening in the first place. We teach during our workshops also, that the best way to protect your privacy is to not put yourself, or someone else, in a compromising position, in the first place – if you can avoid taking explicit photos, or content, that is the best thing
But let’s say you decide to go with it anyway? You now have that content on your mobile phone. You next back it up on your laptop. Then for further safekeeping, you email it to yourself. So now this explicit content is in three places, and is in danger of being leaked from any of these three places.
One thing you can do is, if you are forced to give your laptop or mobile phone for repair and are worried about the content on it, is to give it to a reputed place – this will ensure that to some degree your privacy will not be compromised.
Now if you are a person, who has found some explicit content belonging to someone else, and are in a position to release it onto the Internet, you should ask yourself, ‘what if this content was about my sister, or friend, or relative? – Will I still leak this content?’
And if you are a person thinking about sharing this sort of content, you need to ask yourself the same question –‘would I share this, if it a were a picture, or a video, of my sister, of friend, or relative?’ We need to always bear in mind, the ‘ethical use’ of information.