Sunday, 23 December 2012

Hackers run amok in Bhutan.


Vulnerability due to use of open source content management systems 

Indicating vulnerabilities in local website design and hosting, a significant number of websites hosted with internet service provider (ISP) Druknet were hacked or defaced in the past year.
This has included the government’s online portal (www.bhutan.gov.bt) being hacked or defaced at least thrice this year alone, along with the websites of several government agencies, private firms, and even financial institutions.
Druknet systems manager, Dawa Sonam, attributed this to the use of open source content management systems (CMS) by web designers in Bhutan.
“Content management systems, like WordPress or Joomla, need to be updated constantly with security patches, and customised to prevent website defacement,” he said. “However, most such websites hosted with us are designed with default configurations and hardly ever updated, which results in defacement.”
As of yesterday evening, the website of the Journalist newspaper was one Druknet-hosted site that still remained defaced.
A local web designer, who requested anonymity, acknowledged that, while customers must ensure their software is up-to-date and patched, Druknet should also assist in securing websites and assume some responsibility.
The web designer said that Druknet, as the host, could use software to help customers detect intrusions, notify them about malware, or check whether customers are running the latest version of their software, among other measures.
“Currently, Druknet does not seem to use any technology to monitor their customers’ websites,” the web designer said.
Dawa Sonam said there were currently two measures in place to address hackings.
He pointed out that Druknet was “constantly scanning for vulnerable, compromised websites”. “Once found, compromised websites are suspended, and the webmaster of that particular website is informed to clean it,” he said.
He also pointed out that Druknet assisted webmasters to clean their websites.
“A third measure the ISP is currently pursuing is the formation of a security team dedicated solely to combating hacking,” Dawa Sonam said, although he did not specify when this team would be operational.
Department of information technology and telecom (DITT) director Phuntsho Tobgay said that, while the department was aware of the problem, providing security was a challenge given the current environment.
Today, government agencies have their own data servers.
“Security service can’t be provided efficiently or guaranteed with all these disaggregated servers and databases across the government,” he said.
As of yesterday evening, a few government websites, the trade department’s for one, still carried hidden links in their page source pointing to pornographic sites.
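The two host-side checks described in this article, detecting the hidden spam links that defacers inject into page source and flagging sites that run an outdated CMS, are straightforward to automate. The script below is an added example written for this page; it is not Druknet's tooling or anything the article describes in detail. It parses a page with Python's standard-library HTML parser, records the CMS generator meta tag, and collects every link that is hidden either by its own inline style or by a hidden ancestor element, which is the usual way injected links are concealed from visitors while remaining visible to search engines. The "current" version table and the sample page are constructed assumptions for the example, not real data.

```python
import re
from html.parser import HTMLParser

# ASSUMPTION for this example: the versions a host would treat as "current".
# Placeholder values, not an authoritative feed; a real scanner would pull them
# from the vendor's release information or an internal allow-list.
LATEST_VERSIONS = {"wordpress": (3, 5, 0), "joomla": (2, 5, 8)}

# Inline-style tricks commonly used to hide injected links from human visitors.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)

VOID_TAGS = {"meta", "link", "img", "br", "hr", "input", "area", "base", "col", "embed", "source"}


class SiteScanner(HTMLParser):
    """Collects the CMS generator tag and every <a href> that is hidden, either by
    its own style attribute or by any hidden ancestor element."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.hidden_links = []
        self._stack = []        # (tag, hides_children) for each open element
        self._hidden_depth = 0  # number of hidden ancestors currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.generator = attrs.get("content") or ""
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag == "a" and (hidden or self._hidden_depth):
            self.hidden_links.append(attrs.get("href") or "")
        if tag in VOID_TAGS:
            return  # void elements never get a closing tag
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in [t for t, _ in self._stack]:
            return  # stray closing tag: ignore it rather than corrupt the stack
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def parse_version(generator):
    """'WordPress 3.4.2' -> ('wordpress', (3, 4, 2)); anything else -> (None, None).
    Joomla usually omits the version from its generator tag, so it often yields None."""
    m = re.match(r"\s*(wordpress|joomla)!?\s*([\d.]+)", generator or "", re.I)
    if not m:
        return None, None
    parts = tuple(int(p) for p in m.group(2).split(".") if p)
    return m.group(1).lower(), (parts + (0, 0, 0))[:3]  # pad so 3.5 == 3.5.0


def scan(html):
    """Return the CMS, its version, the hidden links found, and a list of findings."""
    parser = SiteScanner()
    parser.feed(html)
    parser.close()
    cms, version = parse_version(parser.generator)
    findings = []
    if cms and version and version < LATEST_VERSIONS.get(cms, (0, 0, 0)):
        findings.append("outdated %s %s (assumed current: %s)" % (
            cms, ".".join(map(str, version)), ".".join(map(str, LATEST_VERSIONS[cms]))))
    for href in parser.hidden_links:
        findings.append("hidden link to %s" % href)
    return {"cms": cms, "version": version, "hidden_links": parser.hidden_links,
            "findings": findings}


# Constructed sample page: an old WordPress install with injected hidden links.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.4.2">
<title>Ministry of Example</title></head>
<body>
<a href="/about">About us</a>
<div style="display:none"><a href="http://spam.example/pills">cheap pills</a>
  <span><a href="http://spam.example/adult">xxx</a></span></div>
<a href="http://spam.example/casino" style="position:absolute; left:-9999px">casino</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML)["findings"]:
        print(finding)
```

In practice a host would run this over each customer's front page on a schedule and suspend or notify on the first finding; the stack-based tracking matters because injected links are usually nested several elements deep inside a single hidden container, not styled individually.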
While the government does have an information management and security policy in place, it is yet to form a dedicated team that will be responsible to address or respond to security-related issues and needs.
The government plans to form this team only in the next plan.
Information technology department officials said if the Bhutan Information, Communications and Media bill was adopted without amendments by a new government next year, this team could be upgraded to a dedicated agency or department.
Phuntsho Tobgay said the government did not have such a team today, because it lacked resources and technical collaboration.
These shortcomings have now been addressed, with the World Bank providing financial assistance and a Malaysian company identified to help form the team in the 11th plan.
Besides the planned computer incident response team, the government will also gradually consolidate data servers across the government into one centralised data server, also in the next plan.
“This is expected to not only improve security coverage but also increase efficiency within the government,” information technology officials said.
