In a statement, the ICTO said government Internet managers and systems administrators should review the security of their respective websites, “to ensure that homepage defacements like those that happened several weeks… do not happen in the future.”
The most notable victims of hacking have been the Department of Budget and Management, the University of the Philippines and, most recently, the Philippine Atmospheric, Geophysical and Astronomical Services Administration (Pagasa).
The defacement of Pagasa’s website took place on Wednesday. The site’s homepage was vandalized by hackers “of still undetermined origin,” the ICTO said. The www.pagasa.dost.gov.ph site, which citizens and media organizations alike rely on for weather forecasts, was back online three hours after the attack was discovered.
“The recent defacement of the PAGASA website only illustrates the patent vulnerabilities inherent on some web platforms. We would like to request system administrators of government websites to review their source code for these security flaws,” ICTO executive director Louis Casambre said in a statement.
A common flaw in these sites, he said, was the use of third-party applications or “plug-ins,” ready-made programs that make it easier for IT managers to add features to a site without having to write code.
Casambre said the ICTO has taken “definitive” steps to help other agencies improve their IT security measures to ward off future hacking attempts.
“It is unfortunate however that the Pagasa website was hacked so soon. In light of this new development, we are looking at accelerating our on-going effort,” he said.
In the meantime, Casambre said individual agencies should take steps on their own to help the understaffed and underfunded ICTO.
Like Pagasa’s, many government websites are still hosted on in-house servers that may not be equipped with the latest security features, making them easier to hack into, according to Casambre.
He said hosting of government sites can be outsourced to third-party IT providers. Outsourcing this service would also be less costly for agencies. He said the Department of Science and Technology’s (DOST) own servers, more secure than other government facilities, could also be used by other agencies.
“As potential high-profile targets for hackers both local and foreign, government system administrators must take the extra effort to ensure that our servers are safe from cyber vandalism,” Science and Technology Secretary Mario G. Montejo said in a statement.