Interview with DICT Spokesperson Asec. Renato 'Aboy' Paraiso regarding the DICT's assistance to the NBI in filing cases against hackers
Transcript
00:00Assistance of DICT to the National Bureau of Investigation in filing cases against hackers.
00:08We will discuss with Assistant Secretary Renato Aboy Paraiso,
00:13the spokesperson of the Department of Information and Communications Technology or DICT.
00:19Asec Paraiso, good afternoon. Welcome back.
00:22Good afternoon, Asec. Good afternoon, Ma'am Nina.
00:25Usec Jonathan, good afternoon.
00:27At the moment, sir, how is your cooperation with the NBI
00:32to file cases against alleged hackers here in the country?
00:37Specifically, what assistance are you providing to them?
00:42Well, the DICT, like before, we are the ones who investigate
00:47whenever there are certain incidents of hacking, whenever there are certain incidents of breach.
00:52We are the first ones to investigate.
00:54This is what we provide to our law enforcement agencies, including the NBI.
00:59At this time, the DICT, being a member of NSHAC, we are the co-chair of NSHAC.
01:05We investigate incidents of hacking that we provide to the NBI.
01:11And they are the ones who build up the cases.
01:13In their case build-up, they were able to identify and surveil the hackers.
01:19It all led up to the apprehension of these hackers.
01:23Surprisingly, during the inquest proceedings, from what I was told,
01:29they had an extrajudicial confession wherein they pinpointed who the masterminds were.
01:35And they were instructed to do these ventures, Ma'am Nina.
01:42Okay. So, Asec, up to now, how many hackers have we apprehended?
01:47Or even if we haven't apprehended yet, how many cases have we built up and how many have we apprehended?
01:53A lot. There are a lot of incidents of hacking.
01:57Some of them are foreign threat actors.
02:00These are local threat actors.
02:02They are being monitored and surveilled.
02:04They are also being investigated.
02:06Then, there is a network of people who are in their groups.
02:10This is the latest that the NBI caught.
02:12They finished their case build-up.
02:14They finished their surveillance.
02:16Around five suspects were apprehended for numerous violations,
02:22including the violation of the Anti-Cybercrime Act.
02:25These violations were revised by the Penal Code.
02:27And were these people in jail?
02:29Yes, they were in jail.
02:30It was a pending trial.
02:32So, I think, I just don't know if the unbailable crimes or bailable crimes were caught.
02:39It would all depend.
02:40Because that is how our process is.
02:42DICT investigation, forensic investigation.
02:45After we get our report, we will pass it to the law enforcement.
02:49The law enforcement, once they are caught, they will pass it to our prosecution services.
02:53Okay.
02:54Okay.
02:55Here, in the last incident where you caught the hackers,
03:01this is allegedly the one who works for, can I say it?
03:05They claim that they work for Manila Bulletin.
03:07Yes.
03:08The other one.
03:09Yes.
03:10And there are even surprise allegations.
03:12The NSC is included in the ones who were hacked.
03:14This was in 2019.
03:16We are not yet in the NSC.
03:18We are not yet.
03:19Because it is embarrassing.
03:21Let's just be clear about that.
03:23ADG Joe is not yet there.
03:24Yes.
03:25NSC Anyo is not there.
03:26So, well, okay.
03:29There are very surprising allegations.
03:32What happened here?
03:33They confessed, right?
03:34Yes.
03:35And they gave names.
03:36The names.
03:37Yes.
03:38He is the one who gave the orders.
03:39He has a mastermind.
03:40That's right.
03:41We were also surprised.
03:42When there was an extrajudicial confession,
03:43they pointed to who allegedly gave the orders to them.
03:46The NBI on their side, they follow up these leads.
03:50So, they issued subpoenas to these personalities.
03:54I think there is one or two more that are not yet mentioned in the media
03:58that we don't want to mention.
03:59Because, again, part of the case build-up is really to survey
04:03those who are included in their extrajudicial confessions.
04:08That's what they are doing.
04:11I am interviewing others there.
04:12Yes.
04:13They are resource persons.
04:14Those who allegedly…
04:15The masterminds?
04:16Well, it's alleged.
04:18Yes.
04:19Really?
04:20Well, maybe this is a test.
04:22They are testing if we can hack.
04:24Maybe they are helping you.
04:26Just to check.
04:28It's true.
04:29It's true that we have activists to help the government.
04:35Yes.
04:36But you have to work with the government.
04:37But if you tell the government, then they'll know.
04:42No.
04:43What I mean is, work with the executive.
04:44Yes.
04:45There is a need for sanctions.
04:46Yes.
04:47There are certain…
04:48And the problem with these activists, if they are unsanctioned,
04:52it's like, we're doing this so you can up your game,
04:56so you can improve the systems of the government,
05:00so you can improve your cybersecurity capability.
05:02But what happens is, they dump information on the dark web
05:05as a proof of life, as a proof of concept,
05:07that they are really hacking.
05:09The problem is, the data that they dump are sensitive.
05:12Sometimes, personal data of our countrymen.
05:15Which is, in itself, a violation of the Data Privacy Act.
05:18So, you know, the difference between sanctioned and unsanctioned.
05:23They can be tested in a safe environment.
05:26Partner, do you know these personalities, these masterminds?
05:30Because you seem to know them.
05:31The one we interviewed.
05:33Actually, they are very well-known in the field of cybersecurity, ICT.
05:38Yes, technology.
05:39Because he is the editor of the ICT division of Manila Bulletin.
05:46Okay. So, he was issued a subpoena?
05:48Yes, by NBI.
05:49And then, he needs to go to the NBI to explain.
05:53Yes. Otherwise, our process in the NBI,
05:58if you don't go, there will be certain presumptions that will be adopted by the NBI.
06:02Right.
06:03Then, they will pass it on to our prosecution services.
06:06Like, if this was not shown to us, this is our presumption because it was not shown,
06:10the allegations will not be refuted in the extrajudicial confession.
06:14Yes.
06:15So, it means that the extrajudicial confession is true.
06:17So, the people are waiting for the results of this.
06:20Yes.
06:21This development is good.
06:22We are also interested if there is participation or not.
06:27What are the defenses that they will put up.
06:29Again, for purposes of giving context to our cyber security atmosphere in our country.
06:36Again, it's hard to fathom or hard to think that you would do this, your hacktivism,
06:43because the allegation is like the scoop, the news.
06:47That's the allegation.
06:48So, that would be very, very irresponsible.
06:51That's the defense.
06:52Yes.
06:53That's the defense.
06:54That's the allegation in the extrajudicial confession.
06:57Allegation.
06:58Allegation.
06:59Okay.
07:00That's what they will say, why are they doing this.
07:03Okay.
07:04So, Asec, now, considering that usually the government is in the news,
07:07but they keep telling people that the hacking also happens in the private sector.
07:10Yes.
07:11But they just don't want to admit it there.
07:12Yes.
07:13So, let's talk first about the government hacking.
07:15How safe are we now in terms of protecting our government websites,
07:20government critical infrastructure and all of that?
07:23No.
07:24I always give context.
07:26As I said, in one day, we have 1 million attempts to hack various institutions,
07:31whether it's public or the private sector.
07:33The situation of our cyber security capabilities here in our country,
07:40it's okay, but a lot can be improved, a lot to be desired in our cyber security capabilities.
07:47That's why we went out and signed with our President,
07:51President Romualdez Marcos, Jr., our National Cyber Security Plan late last year.
07:57So, right now, we're in the process of having it implemented in our various government institutions.
08:02Yes, we have to upgrade the other government agencies,
08:05because until now, the old names of their offices, they're not IT offices yet.
08:12That's right.
08:13They're still data processing.
08:15What our countrymen need to understand is that there are different levels.
08:18For example, our banking institution, BSV, is really a top level because they really need to be protected.
08:22But our other institutions, you're right.
08:25Our term there is Jurassic.
08:27Our systems, our hardware, that needs to be improved.
08:33As well as, our biggest enemy is the brain drain in our ICT and cyber security professionals and experts.
08:41Because here in the government, our salary is low compared to the private sector,
08:49especially if other countries are hiring.
08:53Our countrymen will do well when it comes to ICT.
08:56But they're not here.
08:57They're not here, especially since they're not in the government.
09:01Yes.
09:02So, are you connected to the people you caught today?
09:04Because the news about the Philippine Coast Guard, the PhilHealth,
09:09I mean, are they connected to other government hackings?
09:12Yes.
09:13These five individuals are involved in various incidents of hacking that happened in the past.
09:19I want to echo what Usec Jonathan said.
09:21These hackings happened even in the times when they were still young.
09:26So, the times when we were not yet in the government.
09:29Usec was not yet in NICA.
09:32We were not yet in DICT.
09:34So, now, we're catching up and tracing them because they leave certain footprints.
09:40They leave certain mannerisms in their hackings.
09:45We can attribute to them what happened.
09:47Yes.
09:48Partner, I just have a question from our media partner, Pia Gutierrez of ABS-CBN News.
09:54What is the update on the alleged Jollibee breach?
09:59Why are you laughing, Usec?
10:01Because a while ago, we talked to the head of one of the corporate heads of Jollibee.
10:07This happened on Friday.
10:09We had a report followed up by DICT.
10:13We saw on the dark web that there are data from Jollibee that are already on the dark web.
10:19Oh, your record of orders.
10:21Are my orders there?
10:23The Jolli hotdogs, the chickenjoy that we ordered.
10:27Yes.
10:28It's already on the dark web.
10:29Even the addresses.
10:30The addresses are there.
10:31Oh, yes.
10:32When you order through us, delivery service.
10:34Yes.
10:35Contact numbers and addresses are there.
10:37So, unfortunately, and I'd like to commend our private sector.
10:41They don't have to reach out to DICT.
10:44Because DICT has no mandate.
10:46We don't have regulatory powers over private entities.
10:50They reached out to a private institution.
10:53Just last week, it was highlighted that it's a private sector.
10:56They reached out to DICT.
11:00Earlier this morning, Jollibee reached out to ask for help from DICT.
11:05In fact, last Friday, they made it known to DICT that they already filed a report to NPC, National Privacy Commission.
11:15Because this particular incident involves data breach.
11:17It involves the data of their clients that are already on the dark web.
11:21Whenever there is personal data that's involved, we really need to report to NPC so they can do their investigation.
11:29They have the regulatory power over that.
11:31NPC?
11:32NPC, National Privacy Commission.
11:34Oh, National Privacy Commission.
11:35Yes.
11:36Okay.
11:37Pia Gutierrez has the next question.
11:39What is the DICT doing to further protect consumer data in the Philippines?
11:45Because you said that the addresses and numbers are already on the dark web.
11:49What if someone comes to Jollibee and I didn't order it?
11:52That's okay.
11:53I'm sorry.
11:54I'll have to pay for it.
11:55You'll have to pay for it.
11:56But in DICT, apart from the National Cyber Security Plan, which aims to improve our cyber security posturing and capabilities,
12:04we are also proposing SecureDNS to prevent harmful contents that usually result in scams.
12:13For example, links to their marketplaces.
12:18For people to understand, it's like a firewall.
12:23From the cables that are coming in, SecureDNS will put the DICT so that we can filter the incoming data
12:32and filter out the harmful data and the data that can be used for scams.
12:37We don't have one yet.
12:38We're still proposing it.
12:39When will we be able to implement it?
12:41A lot of it has to do with budgetary constraints.
12:46I'm also the head of the legislative liaison division of DICT.
12:55When I talk to our legislators, they're very optimistic.
12:59They're very supportive of DICT.
13:01But again, it's a different animal altogether when it comes to budget hearings.
13:05What are the prioritizations that they should do?
13:09We would submit to the wisdom of Congress.
13:11Yes, as we're talking about scams,
13:13one of the promises of this SIM registration is that we'll receive fewer text messages because of scams.
13:22But every day, there might be five or six.
13:25I still receive.
13:27For example, I received BDO.
13:30You need to verify BDO, otherwise your account will be blocked.
13:34Gcash is the same.
13:36So you know that if you click on that link, you'll go to a website that will compromise you.
13:41And there's more.
13:42If you want to borrow money, you can click on the link.
13:45Yes.
13:46Others are desperate.
13:47They'll click on it.
13:48With the registration of the mobile number,
13:50we can't trace those, right?
13:51What are we doing to stop those scams?
13:54First of all, you're right.
13:56The aim of the SIM Registration Act is to remove the aspect of anonymity among scammers.
14:04Correct.
14:05Because that's their strongest tool, their anonymity.
14:08Unfortunately, some have already migrated to other platforms.
14:14Because if you notice, they're using what we call over-the-top services,
14:18like Viber, Messenger, that doesn't require a SIM card registration.
14:23But I still receive texts.
14:24No, I receive texts.
14:25What's saddening is that before, after the SIM card registration,
14:33the unregistered SIM cards were already shut off.
14:36Our countrymen, maybe because of desperation,
14:39they sell their SIM cards.
14:41So when we raid, there are a lot of registered SIM cards.
14:44And we don't complain to our countrymen that there's a shortage in the registration of our SIM cards
14:50because you can register your SIM card using erroneous data.
14:55Maybe our mistake before was to rely on the Telcos.
15:00They're the ones we asked to register our SIM cards.
15:03But because of the SIM Card Registration Act,
15:06we can now, because there's a provision there that there's already an oversight,
15:09there's a supervision,
15:10so we can now exercise oversight over the implementation of the SIM Card Registration Act.
15:15And if there's a shortage, we can revise it or remediate it
15:20or even make remedies to address that shortage.
15:28So simply the SIM Card Registration Act doesn't really work.
15:32And some of the critics before have been saying that already.
15:35It's not going to deter.
15:36They'll just find a way around it.
15:39That's right.
15:40Because again, technology advances so fast that what you do now is
15:46they're already predicting on how ways, like you said, to circumvent,
15:50to go around these particular laws and certain measures that we adopt
15:54to prevent scamming from happening.
15:56So yes, they're migrating to other platforms.
15:59This one is stronger inside.
16:02They're buying and selling SIM cards.
16:05Yes.
16:06I hope, Asec, that we can do something about the scams
16:08because I'm sure there are still many of our countrymen who are still clicking
16:11because they're still receiving text messages coming from these people.
16:16So what is our call to our countrymen regarding this type of scams?
16:20It's still the same.
16:21What we're always reminding our countrymen is to adopt our cybersecurity hygiene
16:27again, adopt stronger passwords.
16:30Because Filipinos, Usec and Ma'am,
16:32if they want a password, they immediately remember their birthday,
16:35their dog's name, their spouse's name.
16:38So if your data is breached, you already know how to guess.
16:42And this would eventually lead to,
16:44you'll be able to breach and get your passwords in your financial documents.
16:48So adopt stronger passwords.
16:50And we can adopt multi-factor authentication.
16:53That's what will take advantage.
16:55Face recognition.
16:57Biometrics.
16:58Face recognition.
16:59One-time passwords.
17:01That's what we're reminding our countrymen.
17:04And also, what we're reminding them is that if your message has a hyperlink,
17:10don't click on it.
17:13It's already clickable.
17:15But sometimes, it clicks accidentally.
17:17I know someone who was really depressed.
17:19He didn't know how to get his money.
17:21That's right.
17:22So it's hard to do that.
17:24Sometimes, it's an accident.
17:25Yes.
17:26We're also talking to the NTC, which is the regulators of these telecoms.
17:33When it comes to texts, don't let it have a hyperlink.
17:37Yes, if possible.
17:39That's a good suggestion.
17:41Remove the hyperlink.
17:43But the problem is, in other platforms, you can't avoid it.
17:46In Viber, Messenger, and so on.
17:48But at least in texts.
17:49At least in texts.
17:50That's better.
17:51So I hope that's good to be considered.
17:54Okay, thank you very much for your time.
17:57I still have a lot of questions to ask.
17:59Just keep me company if possible.
18:01So now, when you're ordering, you'll give your address and name, right?
18:06Do you actually give your real name?
18:08Right?
18:09Yes.
18:10Maybe not anymore.
18:11Right?
18:12Or just the initials or something.
18:13Maybe it won't be delivered to you if it's not your real name.
18:15No.
18:16Then you'll know where Piolo Pascual lives, for example.
18:19I'll go to the Addition Hills that was followed by Grab Rider because they know the address.
18:25That's right.
18:26Yes.
18:27I won't say Grab.
18:28It's just an example.
18:29It's an example.
18:30Okay.
18:31Thank you very much for your time, Assistant Secretary Renato Aboy Paraiso.