Bitcoin Forum
Author Topic: NBI-arrests-hacker-of-comelec-website  (Read 4209 times)
clickerz
April 22, 2016, 01:46:29 PM
 #81

The guy's talent is just wasted; if he had used it the right way, he wouldn't be in the situation he's in now. Of course the NBI will put pressure on him during the trial and ask him a lot of questions.
If he has talent, why did he get caught? Unless he browses out in the open and doesn't hide his IP. Also, the news said a smartphone was used to hack the Comelec website.

The kid really is good. You can see from the links that he was a Hall of Famer at Facebook and Microsoft in 2014 for finding bugs on their sites.

Microsoft Security Researcher Acknowledgments

Facebook Security Hall of Fame
darkmagician
April 22, 2016, 02:01:40 PM
 #82

The guy's talent is just wasted; if he had used it the right way, he wouldn't be in the situation he's in now. Of course the NBI will put pressure on him during the trial and ask him a lot of questions.
If he has talent, why did he get caught? Unless he browses out in the open and doesn't hide his IP. Also, the news said a smartphone was used to hack the Comelec website.

The kid really is good. You can see from the links that he was a Hall of Famer at Facebook and Microsoft in 2014 for finding bugs on their sites.

Microsoft Security Researcher Acknowledgments

Facebook Security Hall of Fame

Wow, the guy really is good, he was just unlucky. This is the first time I've seen that Facebook actually vouches for users who find bugs on its site.

I laughed at a Facebook post by a self-proclaimed hacker who said the tool he uses is Cheat Engine (I forget the version); what a laugh.
I used Cheat Engine back then in my Plants vs. Zombies game to make my sun unlimited, hehe. So that means I'm a hacker too, since I hacked something using Cheat Engine.
bitwarrior (OP)
April 22, 2016, 02:07:44 PM
 #83

Here is what an international web security expert has to say about the Comeleak scandal:

http://www.gmanetwork.com/news/story/563633/scitech/technology/int-l-web-security-expert-slams-comelec-for-slow-acknowledgment-of-data-hack


Int'l web security expert slams Comelec for slow acknowledgment of data hack

An international expert on online security on Friday scored the Commission on Elections for its slow action over data leaked by hackers online.
"Part of the problem is that Comelec are still not acknowledging the problem," said Troy Hunt, the creator of haveibeenpwned.com, a website that allows people to check if their online accounts have been breached.

Hunt described the Comelec response as irresponsible, adding, "All they need to do is to compare the data in the breach with that in the source system. That's a three hour job, not a three week one."
On Thursday, hackers released a website allowing people to search through the leaked data. While the website has been inaccessible since Friday morning, Hunt notes that the data is impossible to remove from the internet.

"There's an analogy which says, 'Trying to remove information from the internet is like trying to remove pee from a swimming pool,'" said Hunt, noting that the data is currently being passed around through file sharing applications and is still accessible to the public.

How big is the breach?

With the website down and a large number of the population unaware of what private information is now available online, people are left to wonder how the leak affects them.
Hunt says that the situation is "certainly very serious, in terms of the volume of data and the nature of the data itself."
"The risks include impersonation, identity theft, spam, and other risks that exploit information that should be private now being made public," he said.
What makes the leak more problematic is the sheer volume of records.
"Fifty-five million is a huge number for any data breach, but when it's more than 50% of a nation's population then that's an incident that affects a serious portion of the country," Hunt said.
"The data released is spread across many different tables and databases so it's important to note that not everybody has been exposed in the same way — it's worse for some people than others."


For example, if a voter's passport information was part of the leak, a change in passport may be necessary. Less sensitive information like height or weight, Hunt said, may still make people feel uncomfortable as it is personal information they may not wish to publicly share.
When asked if the information leaked can be used to access bank accounts or credit cards, he said, "Indirectly, it's very possible."
"The data attributes that were leaked are often used for identity verification; if I know someone's name, address, birth date, and passport information then I have a significant portion of the information requested by a bank when requesting financial information," he explained.


Comelec still in denial

Hunt said that without knowing what personal information was made available publicly because of the leak, it would be difficult to figure out how to protect yourself against identity theft and other threats.
"(Ordinary citizens should) pressure Comelec to acknowledge the breach is legitimate. They're still in denial and whilst that's the case, it'll be hard to move forward," Hunt said.
"Next, there should be a collective demand to provide impacted citizens with exactly what was compromised about each individual. People deserve to know their exposure.
"Finally, there should be a very clear commitment on the measures they'll take to defend against this sort of attack in the future.
"Also worth noting—often after a breach, those responsible for losing the data provide free identity theft services to victims, usually by subscribing them to existing commercial services. This is a case where that could be quite valuable."

Security shortcomings

Hunt said that based on direct observation of how the site works and a video of the purported attackers breaking into the system, there were obvious security shortcomings.
"Questions need to be asked of whoever built this service in the first place, including what they've now changed to ensure it doesn't happen again," he said.
"There was also definitely no formal security review of the website as these were very obvious flaws. For a government site of this nature, you'd expect to see proper review."
Asked to describe how easy it was to take the information from the Comelec, Hunt responded, "Exceptionally easy. The video I saw showed a SQL injection risk being exploited. This is the biggest—and one of the most well known—risks we have on the web today. It's also one of the easiest to exploit and we often see children using it to compromise websites."
If the same practices have been applied to other government websites, Hunt said that the same risks would likely be present.
A formal review of these sites does cost money and so do other security devices, but Hunt noted: "The secure software development patterns that would have prevented this are free."

"It costs no more to write code that is resilient to this form of attack than code that is vulnerable, the difference is simply the competency of the software developers," Hunt added.


fireneo
April 22, 2016, 02:44:33 PM
 #84

For me, he shouldn't be jailed. Why not just ask him to help improve the site? He may know a lot more about how to make the website secure, because if he was able to get into it, naturally he also knows what the website is lacking that made it possible for him to hack it.
arcanaaerobics
April 22, 2016, 02:52:50 PM
 #85

For me, he shouldn't be jailed. Why not just ask him to help improve the site? He may know a lot more about how to make the website secure, because if he was able to get into it, naturally he also knows what the website is lacking that made it possible for him to hack it.

I just don't know why the NBI hasn't thought of simply taking the guy on as their programmer. When I heard that the Comelec info had leaked, I hurried to change my accounts. It's scary if it's true that your info was leaked and could be used in a crime.
diegz
April 22, 2016, 03:11:09 PM
 #86

For me, he shouldn't be jailed. Why not just ask him to help improve the site? He may know a lot more about how to make the website secure, because if he was able to get into it, naturally he also knows what the website is lacking that made it possible for him to hack it.

I just don't know why the NBI hasn't thought of simply taking the guy on as their programmer. When I heard that the Comelec info had leaked, I hurried to change my accounts. It's scary if it's true that your info was leaked and could be used in a crime.

The NBI can't take him on because he violated the cybercrime law... unless he becomes a witness against the other perpetrators who were with him, in which case his sentence could be reduced... But come to think of it, the NBI has very good agents, since they still found him. Why doesn't Comelec get someone as good as them?
Dabs
April 22, 2016, 04:23:52 PM
 #87

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.
benedictonathan
April 22, 2016, 05:48:50 PM
 #88

What would he even do with whatever information he gets from the COMELEC website?
bonski
April 22, 2016, 10:23:30 PM
 #89

What would he even do with whatever information he gets from the COMELEC website?
He could sell the information he got, and based on a comment I read, they could auction it off to others who do illegal things. That's dangerous because they could use the names in there for scams, ATM fraud and other things you wouldn't expect, and even your name might get used in illegal activities.
clickerz
April 22, 2016, 11:36:16 PM
 #90

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.

There are indeed many like that, sir, and site penetration testers are paid well. You penetrate a site and give recommendations on how to protect it. I know there are also many site owners who give a bounty when you hack their system. ;)
arseaboy
April 22, 2016, 11:42:23 PM
 #91

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.

There are indeed many like that, sir, and site penetration testers are paid well. You penetrate a site and give recommendations on how to protect it. I know there are also many site owners who give a bounty when you hack their system. ;)
Is that your job, bro? I've also heard of this kind of offer: you try to break or get past a site's security, then they study how you did it, or they ask you for the details of what script you used. But in this case it doesn't seem believable; it's as if someone is playing games behind Comelec just so it can be said that they're doing something. The election is very close; we'll find out once it's over.
boyptc
April 22, 2016, 11:51:38 PM
 #92

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.

There are indeed many like that, sir, and site penetration testers are paid well. You penetrate a site and give recommendations on how to protect it. I know there are also many site owners who give a bounty when you hack their system. ;)
I think those penetration testers are called white hat hackers, chief. As for those who give a bounty for hacking their system, I read something like that before; I think it was Apple or Google that would reportedly give $1,000,000 if you hacked their system / site.
155UE
April 23, 2016, 12:05:49 AM
 #93

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.

There are indeed many like that, sir, and site penetration testers are paid well. You penetrate a site and give recommendations on how to protect it. I know there are also many site owners who give a bounty when you hack their system. ;)
I think those penetration testers are called white hat hackers, chief. As for those who give a bounty for hacking their system, I read something like that before; I think it was Apple or Google that would reportedly give $1,000,000 if you hacked their system / site.

Yes, white hat hackers are what you call hackers who get into a site for a security check, while black hat hackers are those who get into a site to steal or manipulate data.
elobizph
April 23, 2016, 01:01:05 AM
 #94

If the kid did deface the site, his style was just a bit off.

I knew someone before whose "defacement" of front-facing websites was simply a small one-liner at the bottom, to prove that he did hack the server.

He then taught the admins how to secure the site, with the request that he maintain the one-liner as recognition.

So what used to be "hacked by Dabs" became "protected by Dabs", or something like that.


As for the actual leakage, I searched for other people I know, and they're in there. Me, I'm not. But I am a voter, hehe. Notice that some of the names are still encrypted, or look like base64, so they're a bit harder to read.

There are indeed many like that, sir, and site penetration testers are paid well. You penetrate a site and give recommendations on how to protect it. I know there are also many site owners who give a bounty when you hack their system. ;)
I think those penetration testers are called white hat hackers, chief. As for those who give a bounty for hacking their system, I read something like that before; I think it was Apple or Google that would reportedly give $1,000,000 if you hacked their system / site.

Yes, white hat hackers are what you call hackers who get into a site for a security check, while black hat hackers are those who get into a site to steal or manipulate data.
And grey hat hackers are the undecided ones; sometimes they act as white hats and sometimes as black hats.
boyptc
April 23, 2016, 01:18:40 AM
 #95


Yes, white hat hackers are what you call hackers who get into a site for a security check, while black hat hackers are those who get into a site to steal or manipulate data.
And grey hat hackers are the undecided ones; sometimes they act as white hats and sometimes as black hats.
Me, chiefs, I'm none of those; I'm a straw hat, hehe. They earn a lot from hacking, like what happened with the Bangladesh bank, but it's better to really be a white hat hacker: you help with a company's security and you get a salary too.
mjdelima
April 23, 2016, 04:24:23 AM
 #96

It's as if the person they arrested was just hired so they'd have someone to present as supposedly caught.

I wonder how much he was paid?

They say only a tablet was used for the hacking, and just because something about learning to hack was found on his phone, he's automatically the one who defaced Comelec? Haha, something seems off; they haven't even recovered any solid evidence from his PC that he really was the one who did the defacing.
jossiel
April 23, 2016, 05:07:35 AM
 #97

It's as if the person they arrested was just hired so they'd have someone to present as supposedly caught.

I wonder how much he was paid?

They say only a tablet was used for the hacking, and just because something about learning to hack was found on his phone, he's automatically the one who defaced Comelec? Haha, something seems off; they haven't even recovered any solid evidence from his PC that he really was the one who did the defacing.
He's a real hacker, chief, and it really was just bad luck that he got caught. Maybe someone ratted him out, because Anon PH posted on their page that there are people around them who are informing on them; the acquaintances they chat with on FB are reportedly the ones who may have turned Biteng in, chief.
elobizph
April 23, 2016, 05:21:44 AM
 #98

It's as if the person they arrested was just hired so they'd have someone to present as supposedly caught.

I wonder how much he was paid?

They say only a tablet was used for the hacking, and just because something about learning to hack was found on his phone, he's automatically the one who defaced Comelec? Haha, something seems off; they haven't even recovered any solid evidence from his PC that he really was the one who did the defacing.
He's a real hacker, chief, and it really was just bad luck that he got caught. Maybe someone ratted him out, because Anon PH posted on their page that there are people around them who are informing on them; the acquaintances they chat with on FB are reportedly the ones who may have turned Biteng in, chief.
If that's the case, then you should just carry out your own plan by yourself if you're able to. And if you're anon, your IP is hidden when you do something like that, and when you post on FB the details in your profile should be fake. Even if they're hidden, if they report you to FB your account will be investigated, so all your details should be hidden and fake.
Noctis Connor
April 23, 2016, 05:29:01 AM
 #99

All he did was a script-kiddie defacement and DDoS of the website; the Comelec website is accessible now, hehe.
Script kiddie? Sigh, Filipinos can be so judgmental, especially when they know nothing about the person. Look at these links so you know what you're talking about. :3

Dropbox, Yahoo and Twitter:
https://hackerone.com/paulbits

Facebook:
https://facebook.com/whitehat/thanks

Microsoft:
https://technet.microsoft.com/en-us/security/cc308575.aspx

PinoyHackNews:
https://www.pinoyhacknews.com/security
mjdelima
April 23, 2016, 06:19:11 AM
 #100

It's as if the person they arrested was just hired so they'd have someone to present as supposedly caught.

I wonder how much he was paid?

They say only a tablet was used for the hacking, and just because something about learning to hack was found on his phone, he's automatically the one who defaced Comelec? Haha, something seems off; they haven't even recovered any solid evidence from his PC that he really was the one who did the defacing.
He's a real hacker, chief, and it really was just bad luck that he got caught. Maybe someone ratted him out, because Anon PH posted on their page that there are people around them who are informing on them; the acquaintances they chat with on FB are reportedly the ones who may have turned Biteng in, chief.

That means someone who could be bought got in among them.
If he really was ratted out, then no matter how well he hid his IP, there was no need to trace him because he had already been reported. Sigh.

They'll surely tighten things up now because of that.