A Summary Of The “Cyberattack” and The Data Leak In Bulgaria
This text is a translation of an article by cybersecurity expert and LogSentinel CEO Bozhidar Bozhanov, published on his own blog. With his consent, we have translated the piece so that it is accessible to a broader audience.
There has been a lot of talk about “NAPLeaks”. I managed to join the cacophony with a few telephone interviews and one TV appearance, but even in a longer format of that kind one cannot lay everything out in a structured and systematic way. That is why I will try to do so here.
The incident
A week ago, a link to an archive containing 11 GB of data from the databases of the National Revenue Agency (NRA) was sent to media outlets by email from a free Russian email service. There was a way to get hold of the data, but for a number of reasons I have not looked at or analysed it yet: one is that I had a lot of other work, and the other is that it is secret data, protected by law, and I have no good reason to break that secrecy.
According to people who have looked at the data, it contains the EGNs (personal identification numbers of Bulgarian citizens), full names and insurance income of millions of citizens, ID card data, tax returns, civil contracts, as well as data from other institutions: the Employment Agency, the Customs Agency, etc. There is data about foreign legal entities, and curiosities such as a file called QneQnev.
Is the leak of this information fatal? No. Is it a big problem? Definitely. If it were not, tax and insurance information would not have a special legal status (and the NRA would not so often use the secrecy of this information as an argument for not exchanging data with other institutions).
The data of almost all Bulgarian citizens was exposed, and that is a huge problem, no matter how much some political figures try to downplay it.
How?
There is no official information on how the breach occurred, but in some places there is a rumour that it was through an SQL injection. That sounds plausible, so I will comment on it. SQL injection is among the simplest vulnerabilities: the attacker enters specially crafted text into a given input field and gains control over the database, because the developer has not validated the input data and, more importantly, does not use prepared statements (parameterised queries). For example, for a login form, we can assume that the username and password check looks like this: SELECT * FROM users WHERE username = {params.username} AND password = {transform(params.password)} (transform, because passwords should never be stored in clear text).
This is pseudo-code showing that the user's input parameters are “glued” into a query that is then executed against the database. If, instead of a username, the attacker enters another valid SQL statement in the field, it will be executed. For example, after such input the query could look like this: SELECT * FROM users WHERE username = 1; CREATE PROCEDURE exfiltrate …; -- AND password = … (everything after the -- is a comment, so the password check disappears). The created procedure can be any code that walks through all databases and their tables and sends them to a specified IP address. Whether several statements can be stacked in one query like this depends on the database and the driver, but there are other injection techniques (UNION SELECT, for instance) that work even where stacking is not allowed.
The moment the attacker can execute arbitrary queries of their own choosing against the database, it is over. Detecting this vulnerability is trivial, even manually, and there are enough tools that scan for and automatically detect such vulnerabilities. Any organisation with more than 10 people should regularly check its systems for vulnerabilities, to prevent at least the most trivial attacks.
Why?
This is a complex question. “Because someone at the NRA is incompetent, or at best negligent” is the simple answer, but it is not enough. “Because the administration does not pay market IT salaries” is the answer Minister Goranov gave; he is partly right, but it is superficial. Since I was working on the long-term solution of this problem three years ago, I will share a more in-depth reflection.
Positions in the administration are laid out in the so-called Classifier of Positions in the Administration. Until 2016 there were no IT positions in it (IT staff were hired on generic expert positions). We then proposed an amendment to the classifier to include IT positions at the highest possible pay levels for the corresponding experience. This is, of course, still well below market wages, but it is a step.
At the same time, with the amendments to the E-Governance Act, we did two things. The less important one was creating the option for the State Agency for Electronic Governance to set up a programme for attracting private-sector experts to help the state's IT services in the short term, something similar to the US 18F / USDS. I was doing something like that myself at the time, but only at a small scale. Needless to say, this has not happened for three years now.
The more important one was establishing, by law, the State Enterprise “Unified System Operator”. The idea is for it to be able to pay market IT salaries by providing certain services to the state administration: technical specifications, project control, testing (including for vulnerabilities), management of infrastructure maintenance, consulting on key projects, urgent “patching”, and more. This enterprise has also been blocked for the third year and is not happening. The executive, Goranov included, seemed to realise the need for such a thing after the Commercial Register crashed last year, but the enlightenment was evidently short-lived. And we did not invent this: BRZ (Austria) and GDS (Great Britain) are among the examples of similar structures in Europe.
Having qualified staff is a very important condition, but it is not the only one. Another aspect is public procurement and the companies that carry it out. The results there are seldom good, for many reasons I have discussed in a separate article.
Information security
The reasons for the low level of information security come down to the human factor, which is in turn a consequence of political inadequacy. Still, there is a way to make things a little better even just with properly structured rules. We introduced a number of information security requirements, including in the regulations under the E-Governance Act and in a terms-of-reference template for all new projects. That template explicitly covers information security and SQL injection and XSS vulnerabilities, so projects created under it are deliberately tested for such vulnerabilities, and their presence is grounds for not accepting the contracted work. By the way, at the time the NRA objected to certain texts because they write some systems in-house and some of the requirements did not apply to them.
The vulnerability itself is a problem, but why, after the attacker gained control over one database, could they then drain so many others? My assumption is that the database user through which the web application connected had full rights over all databases on that server. This is a terrible practice: the application's account should have only the minimum rights it needs (typically read and write on its own tables and nothing on anyone else's), so that an injection in one system cannot reach every other one on the same server.
A leak, however, does not mean that all NRA systems are so “full of holes”. Attackers always go for the weakest link in a system. That is why information security is a tricky thing (I have said this more than once) and is not a one-time effort. It takes a range of measures and constant attention to many details. The risk is never eliminated 100%, as evidenced by the daily breaches at respected private companies. But a state institution has no right to allow such simple breaches (nor to neglect prevention).
GDPR
Yes, businesses spent a lot to comply with the GDPR, and suddenly a state authority turned out to be the least prepared. This leaves a bad taste, and all the discontent is understandable. Apart from information security, there is another aspect of the GDPR we have to pay attention to: the principle of data minimisation. In other words, the NRA should process only the data it needs and keep it only as long as it needs it (which is another principle, that of storage limitation).
At the NRA, and not only there, we observe the opposite: copies of data from other administrations are made every day and kept forever. I have always been against this practice because, apart from the risk of data leaks, it creates a number of other risks, such as outdated data. In e-government there are the so-called “primary registers”. They are the only up-to-date and accurate source of data, and checks must be made against them in real time, not against copies. This practice should be gradually reduced and stopped, replaced by direct exchange of data between administrations. An exchange which, among other things, leaves a trace: who read what data, when, and for whom. In line with the GDPR accountability principle.
Whether the CPDP (the Commission for Personal Data Protection) will fine the NRA or not, I do not know. Whether it makes sense to move public funds from one institution to another (and ultimately back into the same budget) I do not know either. But the NRA certainly had to notify the CPDP in due time, and should therefore also inform citizens about the leak. For this purpose the NRA is preparing an application where everyone can check whether their data has leaked, which is good.
The problem with data protection is big worldwide. Data leaks from some company every day. This is no excuse for the NRA's simple errors, but it puts things in perspective. The GDPR is an attempt to reduce the risk of this happening. Of course, the GDPR cannot stop data leaks caused by negligence. Its purpose is to make such leaks less likely and less damaging through a range of measures and, more importantly, through a few basic principles that everyone involved in building and operating software should be aware of. For now, it is unclear whether it manages to reduce this risk.
The measures?
What measures can be taken at this stage? Short-term: take the vulnerable service offline (already done), and a complete security audit of all systems, not only within the Ministry of Finance but across the whole country. Verification that all information systems are included in the audit of the State Agency for Electronic Governance and are subject to consistent, automated vulnerability checks.
Mid-term: training of all IT security and data protection officers, so that they are familiar with the applicable regulations, not only as articles and sub-paragraphs but also with what stands behind them. Certification of all primary and secondary budget spending units under ISO 27001 (the information security management standard).
Long-term measures necessarily involve capacity building, which I think ultimately goes through the establishment of the State Enterprise “Unified System Operator”. It will not be a panacea and will certainly have problems of its own to solve, but it is essential.
What I generally recommend everyone to do, whether or not the data can be used directly for fraud: activate notifications for transactions on your bank accounts, as well as for changes in the Commercial Register and the Property Register. With just an EGN, or even an ID card number, no one can take your money, property or company, but it is better to protect yourself, because fraudsters are inventive.
The communication
Official communication can be divided into two parts: on the one hand, the NRA's experts, headed by its spokesman Rossen Bachvarov, and on the other, everyone else.
The NRA's communication was adequate. They quickly explained the problem, explained its scope, explained why it had happened and what measures were taken. In such situations that is what you do: you state the facts without glossing over them, because that does not help.
The communication from political figures (minister, MPs, prime minister) reached the heights of inadequacy, which I can summarise as “well, why is that such a big deal”, “the Russians hacked us because we are buying aircraft from the US”, “if there were no electronic services, there would be no leaks” and “oh, this hacker is such a wizard”. None of these messages helps in any way, except perhaps among the party cores that are already arguing at the table.
The hacker
The hacker was first Russian, then turned out to be Bulgarian. First of all, the fact that the hacker claims to be someone means absolutely nothing. Anyone can register a Yandex mailbox and claim whatever they want.
Whether the detained man is the perpetrator is for the court to decide. The CCBMO has to gather evidence from which it follows unambiguously that he is the perpetrator. Whether the file containing his name is real or not, we cannot say. There are many scenarios in which it is real, and ones in which it is not.
If he is not the real hacker, perhaps the real one would write a letter denying that the right person was caught. But it would have to come from the same email address (and even then there is no guarantee that he has not given the password to someone else). A check of an online forum shows that potentially incriminating comments are disappearing; probably someone else has access to his accounts.
Whether the hacker is a “wizard”, however, is fairly clear: he is not. Exploiting an SQL injection can be done by almost anyone. And if he allowed himself to be discovered, he has not covered his tracks well.
It is interesting to investigate all the quirks of the archive: the metadata remaining in the files, files left behind (such as the one with the hacker's name), the headers of the emails sent, the scripts and logs on the seized equipment, the logs of the NRA servers. All of this is for the CCBMO to do, and on it the verdict will ultimately depend. At this stage the man is presumed innocent, and, under the Code of Criminal Procedure, sentences are not pronounced on the Internet.
Conclusion
In conclusion, we have a lot to learn from this incident: about information security, data protection, political adequacy and long-term reforms, the failure of which leads to predictable effects. Such an incident was inevitable given the level of competence in the administration. By this I do not mean that there are no competent people there, only that they are few and cannot keep up everywhere. I, for example, patched up systems while I was at the Council of Ministers, but my focus was rather on formulating solutions to systemic problems. Because while I am fixing one system, three others will be breached.
For such incidents someone should bear political responsibility. But each incident is a consequence of someone's action or inaction.
However, we need to keep in mind that institutions will continue to process our data. Maybe they will be more careful about what they collect and why, but they will not disappear. And we have to figure out how to rebuild some basic trust in them. This is mainly the job of the institutions, through the measures they take and through what they say. But it is also the task of the experts who comment on the topic. No one benefits from a complete collapse of trust, no matter how scandalous a breach is.
However, the incident is very serious, and this time the political leadership has to understand that there are systemic problems to solve, which cannot be swept under the rug once the incident is over. Patchwork is suitable for a short period; at some point a complete replacement is necessary.