You got hacked!
With government websites being hacked into over and over again and nearly 2,000 private websites hacked in a span of 10 years, cyber crime is on an alarming rise in Nepal.
Yet no IT expert this scribe met for this report seems to be able to pinpoint where the fault lies and how the hackers gain access and are only tackling the issue on the basis of guesswork and hunches.
Also the lack of proper government policies concerning cyber crime adds to the already dwindling situation. Given the condition, cyber threat in Nepal looms large.
A recent case was the website of National Academy of Science and Technology (NAST). Though they have recovered their data and the problem has been taken care of, the threat of another attack that looms over them and countless other government websites is a source of constant worry for the authorities concerned.
It started in 2001 when a government website was hacked but nothing concrete was done to put an end to it at that instant; the result of which is the ever evolving cyber crime in the country today.
Gyanendra Kumar Mishra, Senior Engineer at Mercantile Communications Pvt. Ltd, a leading Internet service provider (ISP) in Nepal, is of the view that most of the hackings in recent times have been due to some security lapses from the users’ side.
“When someone hosts a website through our company or any company, they have to be given 100% access that will allow them to make whatever changes they want in their page. While we make sure our server is secure, the reason some websites have been hacked are because the users have violated their security terms and haven’t been careful with their information,” says Mishra, adding that first and foremost, the server where web hosting has been done needs to have a strong security system. But, after that, it’s all in the user’s hands.
But Ramila Pant, promotion division chief at NAST, disagrees with Mishra and points out that the security lapse when their website was hacked was not their doing. So, as the users and the service providers take turns blaming each other, the question as to where the fault lies still remains to be addressed.
Hacking is a punishable offence where the offender can be fined anywhere between Rs 50,000 and 200,000, or can be sentenced up to three years in jail, or both, depending on the severity of the crime.
However, it a difficult task to track down hackers as their basic modus operandi is to keep changing computers and hence changing their locations. Also the fact that a complaint has to be filed within 35 days of the hacking, or else a case can’t even be lodged in the first place, makes tackling the issue all the more difficult.
“The law itself is flawed when it comes to cyber crime. Sometimes when cases are filed after 35 days of hacking incidents, the court will refuse to even register the crimes,” says Binod Singh, spokesperson at Nepal Police.
Singh is of the opinion that Internet crime is on the rise mainly because of lack of awareness in the general public.
They are not very conscious about information leakage or protection.
“I think websites are being hacked mainly because of lack of proper security measures from the users’ side. People are very careless with their information,” says Singh.
He also mentions that the reason for government websites being hacked time and again is because the state lacks trained manpower to curb it.
However, a while back, even the Nepal Police’s own server seemed to be under threat. But due to timely intervention from their IT expert, it could be nipped in the bud. But that has clearly not been the case where government websites are concerned.
Illustration: Sworup Nhasiju
Government websites that were hacked include the official websites of the Ministry of Finance, Ministry of Science and Technology, Supreme Court, and Nepal Telecommunications Authority.
The government has failed to take adequate security measures despite repeated attacks. The weakness of Nepali websites is that they are running the sites without carrying out a security audit which would detect loopholes in the sites and thus prevent them from being hacked.
Until now, only the website of the Ministry of Law and Justice has been audited by the Office of the Controller of Certification (OCC) under the Ministry of Science and Technology.
Rajan Raj Pant, controller of the OCC, says that they have not received complaints about the hacking problem till now and that the concerned parties claim to be tackling it themselves. But without a security audit, he fails to understand how.
“Hackers can take over a website when there are loopholes in the website itself or when there’s security negligence in the encryption process that allows them to steal sensitive information and thus hack a site,” says Pant, adding that an audit before putting up websites online is crucial in detecting any security vulnerability in the website and subsequently preventing it from being hacked.
Pant also somewhat holds a similar opinion as that of Singh’s and agrees that it may more often than not, be the users’ fault that their websites are being hacked.
However, Pant and Singh both are hesitant to say with absolute certainty that it is the users’ fault and contradict their viewpoint by adding that sometimes the web security could have been compromised too, or there can have been some problem in the encryption process that made it easy for the hackers to take over a site.
Amidst such confusing statements by experts in the field, the cause of worry for the general public lies in the fact that there seems to be no concrete measures underway to tackle the issue. While the government is preparing to form an Information Technology Emergency Response Team (ITERT) under the Ministry of Science and Technology to test and audit websites before putting them up on Internet, the authorities concerned themselves are skeptical about its effectiveness.
In such a scenario, how do we protect ourselves and safeguard our online information? The government itself is in a quandary, and with a flawed legal system when it comes to cyber crime, there seems to be no respite as of now.
Online dos and don’ts
With the growing trend of staying connected no matter where you are, Wi-Fi hotspots have become a rage and many of you have probably been using it to access Internet to do some web browsing, email checking, chatting or online shopping while on the run.
Wi-Fi hotspot is an access point set up in public areas for people to join the network and access Internet. It’s easy to connect to the hotspot but the downside of it is that it’s immensely insecure.
There’s no encryption setup in most hotspots in order to simplify the connecting process and that means all your network traffic is exposed in the wireless network. A hacker can simply capture the traffic by using traffic-capturing tools that are easily downloadable on the Internet.
Your personal data, credit/debit card numbers, account numbers, online payment accounts and other sensitive information will then be at the hackers’ disposal.
You should steer away from connecting your notebook or mobile device to any available public Wi-Fi hotspot without taking prior adequate safety measures.
Rabin Dahal, system engineer at Subisu, one of the leading Internet Service Providers in Nepal, mentions that people aren’t very aware about online security and think that running anti-virus software will take care of all their web security needs.
“What people don’t realize it that when they are online, especially in an unsecured network, they are vulnerable to hacks and data sniffing despite active anti-virus software,” says Dahal.
Dahal suggests staying away from open networks as far as possible and using SSL-based sites when you log in on certain sites.
“In simple terms, an SSL (Secure Sockets Layer)-based site is when you see ‘https’ instead of ‘http’ and it’s more secure simply because all that you enter is encrypted while being sent to the main server, making it difficult for anyone to steal the information you enter.”
Apart from that simple technique, ensuring there is a proper firewall functioning on your computer, using secure browsers, not updating your software when prompted to while on an open network, and disabling remote log in should be some security measures one needs to take seriously to safeguard themselves from a hack.
But the best solution would definitely be to avoid open Wi-Fi networks, and if you absolutely must use them, then be sure to take the necessary precautions.