ILOVEYOU, but worse

Imagine, if you will, a complete stranger accessing some of your personal information: your full name, to start with, but also your birthday, your parents’ names, including your mother’s maiden name, then your home address, even your e-mail address or your passport details. You may be using some of this same information as part of your security protocols, for online access to your bank account, perhaps, or to open your computer—and there lies the first danger. This kind of personal information can be used for online fraud, or even identity theft.

Thanks to inadequate protective measures installed or implemented by the Commission on Elections’ information technology department, what looks like the entire database of registered voters in the Philippines has been hacked; this database was posted online mere days after the Comelec website itself was defaced, and it contains the kind of sensitive personal information listed above.

“Mother’s maiden name,” for instance, is an often-used prompt in case you forget your password to, say, your e-mail or social media account.

This is worrying in itself, but could the hacking of the Comelec website and voter database compromise the May 9 vote itself? Can the results of only the second automated presidential election in our history still be worthy of our trust? The election agency has been quick with reassurances, pointing out that the elections would depend on servers different from those hosting the Comelec website. Spokesperson James Jimenez has also focused attention on the successful tests that the vote-counting machines have completed.

And yet the so-called “Comeleak” continues to be a concern.

In the first place, why was the Comelec’s tech department caught flat-footed? One IT expert noted the enormous size of the hacked database, around 350 gigabytes, and wondered how much time it took the hackers to download the entire database, given the Philippines’ less than supersonic internet connection speeds. The expert has a point, and it should be given due consideration by the government agencies now investigating the hacking; if it took days for the entire set of files to be downloaded, why didn’t the Comelec’s tech department notice anything?

Secondly, the information already accessed can be used for fraud or theft. The Comelec has called on the public to be mindful of the consequences of the hacking, and recommended that passwords and addresses be changed. IT experts have also recommended changing the answers to security questions in case of forgotten passwords.

Third, the hacking plants seeds of doubt in the automated election process itself. Despite the firmest reassurances, the public can only take a wait-and-see attitude, alert to the possibility that election results themselves would be hacked.

The Comeleak brings to mind the ILOVEYOU virus of 2000, concocted by two Filipino computer technology students, which wreaked havoc on personal computers throughout the world. It was what was known as a worm, which spread through an e-mail attachment and eventually cost companies and individual users billions of dollars—mainly for disinfecting the computers affected and restoring corrupted files. It became one of the most destructive computer viruses ever, in part because of the filename of the e-mail attachment: ILOVEYOU, compressed together as though by urgency of desire. Millions of people around the world saw the words—and clicked.

The hacking of the Comelec website and the filching of the voter database were done by Filipinos, too, and the damage is again one for the world record books. “With 55 million registered voters in the Philippines, this leak may turn out as one of the biggest government-related data breaches in history,” internet security firm Trend Micro said in a report.

But like the 2000 worm (or “Love Bug”), the hacking may burrow deep into (or borrow deeply from) human psychology. Nothing less than trust in the May 9 vote is at stake.

Read more...