Conversations with the creators of We Have Your Data
It was the biggest government data breach the Philippines had ever seen, but up until two days ago, only the most committed tech enthusiasts had any access to the stolen motherlode.
Then quite suddenly, the entire Internet could visit a simple search page called "We Have Your Data" (WHYD) and look up the personal information of some 55 million citizens, a number which rivals that of Facebook as the most comprehensive list of Filipino persons online.
When the Commission on Elections (Comelec) website was hacked by Anonymous Philippines on March 27th, its landing page was defaced and replaced with a call for increased security amongst vote-counting machines. It also sported a rather dire warning that the notorious hacker group “did not forgive” and “did not forget.”
Although the site itself was restored later that same day, the real consequences of the hack wouldn’t be felt until Lulzsec Pilipinas, another hacktivist group, claimed to have gained access to the actual database of voter information that Comelec has maintained over the years.
As I write this, that same 76.4 gigabyte database is downloading to my home computer. (As reported by many others, I was also receiving parts of the archive from an IP address inside Malacañang.)
It’s been running all night – the Philippines isn’t exactly known for its blazing fast Internet speeds – but the fact that I got the link for it from a Facebook chat is troubling in and of itself.
The only thing more troubling is that, as of April 21, there is now also a website that I can visit if I want to search the database directly, without any additional effort or technical know-how.
A gap in security
I corresponded with one of the individuals responsible for WHYD on the evening of the website’s release, and over a series of brief emails, I began to piece together how exactly this hack was made possible.
It’s important to mention, however, that although WHYD uses the raw data made public by Lulzsec Pilipinas, the individuals who built the website are not directly associated with that group.
LB: Given the magnitude of the data that has now become available, what are the ways that a malicious entity might remix this information?
WHYD: We doubt if the leaked data is useful for criminals. There are almost no passport numbers in the leaked data.
Trend Micro, in its own report, claims that 1.3 million passport numbers were found in the raw data, although the WHYD website does not appear to list any of them. In fact, it appears that there is a lot more information in the raw database than is published and searchable on WHYD.
LB: What kind of encryption did they use? I’d like to be able to get into the details of the failure of the technology.
WHYD: They used standard RSA/Rijndael. It’s unbreakable when used properly. Their fault was encrypting data which we could guess or, at least, find.
There’s this saying in the tech industry that your chain of security is only as good as its weakest link.
The WHYD representative explained step by step how encryption was used inconsistently across the Comelec database, with a few portions of it stored in the clear, i.e., without any encryption at all.
These unencrypted portions, which included first and last names, allowed them to perform millions of simple find-and-replace operations, matching unencrypted values against their encrypted counterparts and thus unlocking most of the information without ever technically breaking RSA.
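The failure described above, as an added illustration that is not code from the article or from WHYD: it assumes the encrypted field used a deterministic mode (the article says only "RSA/Rijndael"), models that with a single raw AES block, and contrasts it with AES-GCM under a fresh nonce per record. The key, names and tables are constructed for the demo; the linking step never uses the key, which is the whole point.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo key. countLinkable never reads it: the records are
// linked by ciphertext equality alone, without any decryption.
var key = []byte("0123456789abcdef0123456789abcdef")

// encryptDeterministic: one raw AES block, no IV, so equal plaintexts give
// equal ciphertexts. A hypothetical stand-in for the weak design described.
func encryptDeterministic(s string) []byte {
	blk, _ := aes.NewCipher(key)
	in, out := make([]byte, 16), make([]byte, 16)
	copy(in, s) // zero-pads or truncates to one block; fine for demo values
	blk.Encrypt(out, in)
	return out
}

// encryptRandomized: AES-GCM with a fresh nonce per record, so equal
// plaintexts give different ciphertexts and equality no longer leaks.
func encryptRandomized(s string) []byte {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return append(nonce, gcm.Seal(nil, nonce, []byte(s), nil)...)
}

// countLinkable is the keyless find-and-replace the interviewee describes:
// learn each name's ciphertext from a table that stores it both in the clear
// and encrypted, then count encrypted-only records in a second table that
// can be labelled with a name purely by ciphertext equality.
func countLinkable(enc func(string) []byte) int {
	names := []string{"Juan Dela Cruz", "Maria Santos", "Jose Reyes"} // constructed
	byCiphertext := map[string]string{}
	for _, n := range names { // table A: name in the clear + encrypted copy
		byCiphertext[string(enc(n))] = n
	}
	linked := 0
	for _, n := range names { // table B: the same names, encrypted only
		if _, ok := byCiphertext[string(enc(n))]; ok {
			linked++
		}
	}
	return linked
}
```

With the deterministic scheme every record in the second table is labelled; with the randomized scheme none are, because the clear-text column no longer reveals which ciphertexts belong to which name.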
LB: What steps should the Comelec or any other government agency take to prevent further breaches from occurring? What would you say was the Comelec’s biggest mistake with their security (apart from making the whole voter database accessible via public internet)?
WHYD: Find some real developers, not those $1/hour codemonkeys. The Comelec database was extremely badly designed. We still don’t understand how it could work in the real world. Their awful choices allowed us to break the encryption without even having the decryption keys.
The new Philippine Yellow Pages
I imagine that the website is probably starting to buckle under the stress of a few hundred thousand worried netizens looking themselves up to see how bad the damage is, like witnesses to their own collective car crash. (Editor's note: The site has been taken down as of this publication)
I spent a lot of time on WeHaveYourData.com searching for family and friends.
In truth, I wasn’t sure what I would do if I found my information or my family’s information on there. The quality of the profiles is terribly inconsistent: some were just names, birthdays, and an outdated address, while others included even parents’ names and locations.
I found old flames, old business contacts, high school bullies I’d like to blackmail, etc., etc. They were all in there.
In all honesty though, I would’ve gotten more useful information out of a Google search.
LB: In other countries, the public phone book has much of the same information as what is listed in this database, with the exception of the birthday of the given person. How would you assess the severity of this breach?
WHYD: Facebook shows most of the data. We have just combined it in a single place.
Are non-voters also searchable?
A few people have come forward to report that they have never registered with the Comelec, and yet still found their identities listed amongst those that did. It’s not clear why that is, but it implies that the voter database maintained by Comelec might not be 100% composed of just registered voters.
We confirmed that the non-registered citizens’ names were present in both the raw database shared by Lulzsec Pilipinas and the publicly accessible WHYD website. (We couldn’t take for granted that the two sources were one and the same, as there’s no way to verify that the latter hadn’t been merged with other data.) And sure enough, the names were there, mixed in with all the rest.
It’s certainly puzzling, and worthy of further investigation.
LB: Do you think that what you’re doing at We Have Your Data is illegal? Unethical?
WHYD: We had to make this website to attract public attention to this leak. Government must protect data better and citizens should be aware that their data has leaked to prevent more leaks.
On the morning of April 22nd, the makers of WHYD stated on their Twitter account that they were auctioning the website off to the highest bidder, and then quickly deleted the tweet a few hours later.
We are not selling anything. Our member was not authorized to write previous tweet (deleted now). — WeHaveYourData (@WeHaveYourData) April 22, 2016
Thanks to all the friends and colleagues that contributed their expertise and/or personal information to the research for this piece.