Easy hacking: a result of Lebanon lax web security
With a few clicks, Hussein Hazimeh demonstrates how he can go onto a local company’s website and pay $1 for a $300 product. “Compared with other countries, the major ISPs (Internet service providers) in Lebanon are vulnerable to attacks.
They have weak coding for Web applications,” says the second-year American University of Beirut computer engineering student as he sits at an outdoor cafe with his laptop, sifting through local websites and pointing out their various security flaws.
Now working on a school research project on hacking, Hazimeh started using his skills at the age of 12 to cheat in online games and test the vulnerability of local websites, which he learned through online forums and YouTube videos.
In the past 10 years, he believes that not much has changed in terms of online security in Lebanon. Today, the majority of company websites in Lebanon are hosted overseas for security reasons: The country’s low credit card penetration is in part due to a public perception of low online security for financial transactions; and public sector websites, which had planned to begin e-government at least 10 years ago, have yet to offer such services to their citizens.
Because of this, or perhaps in spite of it, in April the hacker organization Raise Your Voice attacked 16 government websites, replacing the homepages with a caricature of “The people,” an emaciated man in a cloth diaper spoon-feeding “The government,” an overweight man in a suit.
While the message was clearly to show an incompetent and indulgent government role in alleviating poverty, perhaps an inadvertent one was also to show the country’s lack of Internet security at key ministries. Of course, there’s no such thing as total Internet security. But this is even truer in Lebanon than many other countries, experts say.
There are several types of IT security breaches. Hackers can attack the computer system (i.e., laptop, PC, server, smartphone), the website of the victim, or the data sent by the victim over the network. They can then can violate the confidentiality of information and modify or delete information, and in some cases steal money. However, the most high-profile type is when well-known websites are hacked.
“The majority of websites in Lebanon are done by amateurs,” says Haidar Harmanani, a computer science professor at the Lebanese American University.
“In Lebanon, people haven’t realized the importance of web programing and applications. They think anyone can do it. They’re not willing to pay the money for a proper company, so they end up hiring amateurs to do websites.”
These include both government and private sector websites, where he says Web developers tend to be hired on their low bid, rather than their security qualifications. However, one institution that has paid special attention to its online security is the banking sector, the backbone of the Lebanese economy renowned for its customer secrecy.
At IBL (the Intercontinental Bank of Lebanon), IT manager Elie Hlayel says they use two anti-virus systems in place, in addition to a firewall and a twice-a-year Web IT vulnerability assessment from an outside security company. He adds that because of security concerns no Lebanese bank currently allows its customers to transfer money outside the country electronically, although foreign banks such as HSBC in Lebanon are able to do so.
“In Lebanon, we have a security agreement with clients. If we don’t have good security, customers would be vulnerable,” Hlayel explains. “Right now, Lebanon is the only country in the region with [this level of] banking secrecy.” Still, in general, companies, particularly smaller ones, tend to pay the lowest bidder to develop their websites, leaving aside security considerations, say experts.
“If you don’t appreciate the importance of technical know-how behind building a website, there’s no way you could justify paying $5,000 and not $500,” Harmanani says. But that might change soon as more security vulnerabilities are exposed, and as people’s daily lives become more digital. As LAU computer science professor Azzam Mourad notes, with our increasing usage and dependence on technology, including mobile phones that are essentially handheld computers, both the number of attacks and the level of sophistication will rise.
“4G will be like having a computer on your phone. With open communication, there are more threats,” Mourad says. “Everything is now done on the Internet. It used to be that tens of thousands of people could attack. Now millions can.”
With both the public and private sectors likely to continue facing tight budgets for the foreseeable future, and with a low public opinion of the government, we will see more security breaches, say experts. But Harmanani believes there are still things Lebanon can do, including raising awareness through the government and education and through companies doing security audits, as they do in Europe and the U.S.
As for the hacked government websites, “I like it when hackers do that. It sends a strong message about security. In this case there was a nice social message. It shows the frustration of the youth with Lebanese government.”
For now, at least, he’s not too worried about the security breach. “I don’t think there was much data on those [government] websites anyways.”
- Lebanon’s Internet Facilities Group seeks to expand into US market
- Dubai ranked amongst top 8 cities suffering from network attacks, Say Kaspersky Lab at Gitex 2010
- Comguard offers Ethical Hacking to solve region's IT security nightmares
- Oman targeted by Moroccan hackers
- Saudi Arabian banks introduce online banking