Exclusive, IT Expert Onno W Purbo Reminds Hacked PDNS Can Be Used for Crime
When the PDNS (Temporary National Data Center) was hacked, the Indonesian nation's data sovereignty was actually torn apart. According to IT expert Ir. Onno W Purbo, M.Eng, PhD, what has been hacked will not recover as before. What can be done now is to be careful if PDNS, which contains hundreds of millions of personal data from Indonesian residents, is used for crime.
***
Indonesia was shocked by the breakdown of PDNS on June 20 2024 in the morning. At that time, the Immigration Service, which uses data for immigration services almost 24 hours a day, was the first to detect any irregularities. Initially this was considered an ordinary disturbance, but Ariandi Putra, as spokesperson for the National Cyber and Crypto Agency (BSSN), confirmed that at that time there had been a hacker attack known as Brain Chiper Ransome type malware which is the latest derivative of Locbit 3.0.
Uniquely, the hacker who initially demanded a ransom of 8 million US dollars or the equivalent of IDR 131 billion suddenly changed his mind by handing over the hacked PDNS password for free. The question arises, what's with all this? Is it common for hackers to give up and apologize? "It's not common, because hackers are evil by nature. Usually asks for a ransom. If I were the government, it would not rush to use the passwords he handed over. "The problem is that this could be a trap," said the man whose full name is Onno Widodo Purbo.
What you need to be careful about with PDNS, which contains hundreds of millions of personal data from Indonesian residents, continued Onno W Purbo, is that this data can be used for crimes by hackers. "Personal data contained in PDNS could one day be used by hackers to commit crimes. He has hundreds of millions of Indonesian people's personal data, you know. Armed with existing data, he can make an online loan. Once the money is received, the person whose data is used will be billed. "This is very scary," he said to Edy Suherli, Bambang Eros, and Irfan Medianto from VOI who met him in the Kemayoran area, Central Jakarta, not long ago. Here is the full excerpt.
Our PDNS was hacked, can the data that has been stolen be returned to normal?
You can't, it's very difficult. Our PDNS was attacked by ransomware. The latest news that we all know is that one of the hackers has handed over the PDNS password.
There are hackers who are kind enough to hand over passwords, is this common?
It's not common, because hackers are evil by nature. Usually they ask for a ransom. If I were the government, it would not rush to use the passwords he handed over. Because this could be a trap. This must be tested first and not immediately applied to the problematic server because it could destroy everything. You have to have a copy first, so you have two servers. The password provided is used on the second server.
Initially the hacker asked for a ransom of 8 million US Dollars or IDR 131 billion, but suddenly changed by providing a free password. What the reason behind all of this?
I can't read hackers' minds. The question is, is it the same hacker who hacks as the hacker who provides the password? Not necessarily. I can't guarantee that the hacker who gave you the password is the same as the one who hacked. It could be that someone pretends to be a hacker, then tells the government to clean up and make improvements. Things like this are strange in the world of hackers.
What can be done with the condition of our PDNS which has been hacked?
What is called ransomware, once it gets into a computer, it not only messes up the data, but also duplicates the data. Even if you give a password, it's useless, because the hacker already has a copy of the data. This personal data could one day be used by hackers to commit crimes. He has hundreds of millions of Indonesian people's personal data, to make online loans. Once the money is received, the person who should pay is the person whose data is used. This is terrible.
The government is still calm, especially after the password was allegedly handed over by hackers, what do you think?
In fact, the government and the DPR have created a Personal Data Protection Law. In one of the articles it says that if there is a breach of personal data, the person responsible for that data must provide a report to the person whose data was lost, so to each person whose data was hacked. There must be a report on what data was lost, where it was lost and how it was lost. In the case of PDNS being hacked, do people get a report from the government, in this case the Ministry of Communication and Information? If there is no report, the government has violated the law they made themselves.
I received information that the Personal Data Protection Law was created because a member of the council was upset that his data at one of the banks had been hacked. Well, now that our PDNS has also been hacked, this law should be able to be used.
You mean there's momentum now?
Yes, that is so. Those who make it, they are also the ones who should carry it out. The current situation is that our data has been lost, the government has failed to secure public data. The public, private sector and others must now carry out multiple layers of security. The problem is that the hacked data can be used for authentication, if it is related to online shops or loans. Now there must be an additional checking mechanism, it cannot just be with KTP and NIK. The problem is that the data has been leaked.
So far, banks often ask for the name of the biological mother, does that mean there has to be another check?
Yes, you can do it like that, but you have to ask another question. The thing is, I teach cyber security courses on campus. Because of that teaching, I also have to teach how hackers work. The goal is to provide security. If it's just the name of the biological mother, people can trace it, especially as Indonesians like to share family photos on social media. That's why don't share family photos on social media, these photos can be misused.
Even though the keywords were provided by hackers, said IT expert Onno W Purbo, the personal data of hundreds of millions of Indonesian citizens had already been taken. This is very worrying. (Photo Bambang Eros, DI Raga Granada VOI)
If we look closely at the PDN procurement proposal, it is very ideal, the level of security is high and layered, but in reality our PDNS was breached, what do you think is wrong?
If it is simplified, they are not following the correct procedure. Looking at the world of cyber security, there are four components. First, technology. I am sure the technology in our PDN/PDNS is good. Second, procedures. This nation is the best at making procedures. Just search on the internet, copy it, and modify it into a law or regulation. Third, physical. The servers are placed in a safe and secure place. They have also done this. But fourthly, regarding humans (HR), this is what is often overlooked. In fact, human resources are the key to everything. In the current case of PDNS being broken, I got a report from a friend; How can you not get bored if you click on things like porn or online gambling sites? Well, the virus is on those sites. Which entered ransomware, which attacked him everywhere.
After opening a porn or gambling site, is it not locked again?
The virus that is currently hacking PDNS is the latest, advanced variant. They can enter without being tracked by the old anti-virus. Once logged in, the data is scrambled. If the Ministry of Communication and Information says Windows Defender is broken, it's actually wrong. The problem is that Windows Defender cannot detect this latest type of virus.
If this is the case, what is the solution?
Data back-up is the most correct, and you can't have one back-up, you have to have two or three. In the PDNS case, they (Kemenkominfo) admitted that they did not have back-up data. Yes, done. The problem is they say they don't have the budget to back up data. As for funding, I can't comment.
Then regarding human resources, the condition of our human resources who can carry out data security is very small. This is actually very worrying. If we buy tools and technology, we can, but there are only a few who operate them. This is our homework together. Frankly, as a person, I am afraid of our current condition after PDNS collapsed. That's why we have to learn self-defense in cyberspace.
How?
The most basic thing is, don't post carelessly on social media. Then don't be easily curious and click everything. The problem is that from there you can fall into traps or phishing. Hackers use various ways of trapping them, my wife was even hit. She got a short message "You underpaid taxes, there is a Tax Office logo" it turned out it was a trap. Hackers are getting better and better here. I almost got it too, so I got a message about online delivery. When I saw that the link code contained "APK", this was a sign that I didn't enter. If I click, I'm also in a trap. So once again; Be careful.
That's for the people, from the perspective of state officials, what can be done?
Officials should not only be able to buy tools or technology, please think about the human resources who will run the technology. The problem is that what you bought was not a refrigerator. Must be operated with the latest technology. Human resources who can master cyber security cannot be created in a week. It needs to be a long, yearly process. The Ministry of Defense, National Education Department, etc., must allocate budgets to produce human resources who can master cyber security.
PDNS is broken, people say that when it comes to data we are no longer sovereign, do you agree?
Yes, that's actually the case. Sovereignty is actually the mandate of the people. And it turns out it was wasted, our data cannot be protected by the state. What's worse is that they don't want to be responsible for any negligence that occurs. Everything is dodging.
But there was one who withdrew; Semuel Abrijani Pangerapan Director General of Aptics, Ministry of Communication and Information?
Yes, I know that, but actually he is not the one who should be responsible. It was his subordinates who were at fault and I know that person. Although in the end it was Sammy who resigned.
There is a domestic hacker group that tried to break into our PDNS again, apparently they were able to then get it back again. Does that mean it's really vulnerable?
In fact, it's not just PDNS, almost all government websites are vulnerable to being hacked. This condition has been reported by the National Cyber Crypto Agency (BSSN) for years. This morning I was contacted by someone via X, he told me that one of the government sites had crashed again. He said he had contacted the admin but there was no response. Then I directed him to report to BSSN (www.bssn.go.id/gov-csirt). Hacks like this happen often. The government website admin's response is very slow.
Regarding BSSN, they are actually overloaded. There are only a dozen of them who must be secured by the ministries and institutions of this republic. So please understand if they can't act quickly.
Regarding the failed PDNS which could be the new government's homework, what would you say to Prabowo and his staff?
Yes, many people already know the theory, but the implementation is not yet optimal. The collapse of PDNS is a very valuable lesson. This should be an important note so that it can be better in the future.
For a country's cyber defense system, what is best? Is it custom or factory? Overseas or domestic IT company?
I tend to use systems created by the nation's own children. If the technology is made abroad, we cannot audit what is in it. What you need to know is that they often use software to spy on us through the applications they sell and use. I experienced it myself, no need to say what the name of the application is and from which country. When we reformatted it, the software detected that something had been compromised. So be careful with outside software.
There are also applications created by our IT experts, which are not properly appreciated. Finally he sent the goods abroad, gave them a foreign brand, made in the UK, then entered the Indonesian market. That's just the price. Even though it was made by our experts.
Can we embrace hackers?
Yes, there are many red and white hackers, they still love this nation and country. Just like thugs, they are evil, but if we can make them friends, they can help. Likewise with hackers or hackers in cyberspace. There must be a technique to win over these hackers.
When we clashed with the Portuguese, our hackers also attacked. It's not just TNI soldiers who are fighting. When hackers from Australia and other countries mess around, our hackers counterattack. Sometimes the government doesn't know that hackers also defend the red and white.
Regulations in Indonesia are often lagging behind, laws or regulations lag behind technological developments. What can be done to address this gap?
Any regulations can be outpaced by technological developments. Today there are many regulations that have been rendered impracticable. In the Law on Personal Data Protection, if a data leak occurs, within 3 x 24 hours the person responsible for the data must report it to the person who owns the data. In the PDNS case, it has been a month, but there have been no reports to the public about data leaks.
Most of the people who make the regulations are legal people, not technology people. They do not measure existing abilities. If we were technical people we would say 3 x 24 hours is impossible. So the problem is formal legal, while the conditions in the field that make the rules are not known.
What is your message to the new government?
All personnel assigned must carry out their duties well if we want to be successful. Vietnam used to be far below us, but now it is more advanced than us. The communication infrastructure and cyber security are better than what we have. Thailand, today one country has 5G, Indonesia only has 5G in a few places.
Actually, we don't have small funds, but there are those who want to make their own profit. There are those who steal state funds through corruption. In fact, if people's funds are used properly, a lot can be helped.
Onno W Purbo, between Electronics and Aeromodelling
Onno W Purbo was interested in following in the footsteps of the late BJ Habibie in the world of aircraft engineering, but his father advised him to pursue the world of electrical engineering. (Photo Bambang Eros, DI Raga Granada VOI)
Onno W Purbo grew up in two equally interesting worlds. One is the world of electronics and the other is aeromodelling and aircraft manufacturing as done by the late BJ Habibie, whose expertise in the world of aviation was recognized worldwide.
Onno's initial interest in the world of electronics was when he was in junior high school. “At that time I made a flip-flop lamp craft. It's really exciting, I'm starting to get interested in the world of electronics," said the man who was born in Bandung, 17 August 1962.
When he was in high school, Onno started to like aeromodelling. “So my world split apart at that time. I can design my own model airplane until it can fly. On the other hand, I still like electronics. In fact, I even bought a book on how to make a radio transmitter," he said.
Onno was beyond happy when his friend offered him the transmitter material that his older brother had left behind, who was continuing his studies in America. "I made the tube I inherited from it into a radio transmitter," he recalled.
"When I was in third year of high school, I was actually interested in following in Mr. Habibie's footsteps and becoming an expert aircraft manufacturer. But my father directed me to pursue electronics instead. I followed my father's instructions and have continued until now," said Onno, who started learning computer programming by himself.
While studying radio, he thought of combining radio and computers. “At that time, news agencies sent news to their subscribers via radio. While monitoring the broadcast, he heard news of America bombing Libya. "I printed the news and distributed it to Pikiran Rakyat journalists and a number of other media in Bandung," said Onno, who became more serious about pursuing the world of electronics and computers while studying at the ITB Electrical Faculty.
Because of his perseverance, Onno managed to graduate and received the title of best ITB graduate (1989) and received a master's scholarship to study at McMaster University, Canada. He is interested in making lasers for fiber optics. “Meanwhile in my PhD (University of Waterloo, Canada) I was involved in making lasers for satellites. I encourage a lot of friends to make satellites. We have satellites, you know. We managed to solder the satellite ourselves; Palapa A1, Palapa A2, Palapa A3 and Surya 1," he said.
PDNS Hacked Momentum
The PDNS disaster, said IT expert Onno W. Purbo, could be a momentum for the younger generation to learn, so they can help defend the country when hacker attacks occur. (Photo Bambang Eros, DI Raga Granada VOI)
Regarding the hacked PDNS data, according to Onno, it is actually very interesting. This is an opportunity for young people to learn about the world of cyber and information technology. So you can participate in defending the country by helping secure state data from attacks by foreign hackers.
According to Onno, actually many Indonesian children have talent in the world of IT. Malang City is a city that produces many young and potential hackers. “Malang is the center of young Indonesian hackers. The teenagers there are really good at it. "There are Telkom Vocational School, Vocational School 7 and Vocational School 9. Of the three vocational schools, the children from Telkom Vocational School are the best," he said.
The question is why is Malang conducive? "They really like to hang out. And Telkom provides free WiFi facilities, and they use it well, the results are that they are really good at it. "Indeed, it must be facilitated if you want to see them succeed," he said.
For young people who want to learn the internet and its ins and outs, Onno is happy to provide support. “I have a book with a capacity of 1 terabyte. Who wants to learn, I will give it for free. "Please send the hard disk and shipping costs, I will share my book," said Onno, who has produced more than 40 books about IT.
The requirement to pursue the world of information technology must be intention. “After the intention you have to want to read; iqro. "If you want to be good, join the community so that we can get partners who are in the same rhythm," said the recipient of the "ASEAN Outstanding Engineering Achievement Award" from the 1997 ASEAN Federation of Engineering Organizations (AFEO).
Domestic Devices
Onno W Purbo encouraged domestic mobile phone and gadget manufacturers to survive despite repeated attacks from similar products from abroad. The problem is that with more than 270 million people, Indonesia is a promising market. (Photo Bambang Eros, DI Raga Granada VOI)
Onno W Purbo really wants the domestically produced foldable computer and gadget industry to survive. But now everyone has to struggle to face attacks of similar goods from abroad. In fact, Onno said we can be independent if we want. "In the past colonialism was with weapons, now it is through economics," said the man who received the Sabbatical Award from the International Development Research Center (IDRC) Canada in 2003.
Onno is someone who really loves local products, such as cell phones and folding computers, he still uses domestic products. “Sovereignty will occur if we do not depend on foreign products. "If we can use local cellphones, local laptops and local devices, we are sovereign," he said.
Data for 2023, he said, Indonesian residents will spend IDR 23 trillion to buy gadgets. "In fact, if we want to build a factory, we only need IDR 0.5 trillion. Colonization in the current era is not with weapons. But our economy is dominated. "We have more than 270 million people, that is a very potential market," said the Deputy Chancellor of the South Tangerang Institute of Technology.
If we can make it ourselves it's much cheaper. And our money will not go abroad. "I hope that our nation can be independent and self-sufficient in the field of cellphones and gadgets. "We have to love Indonesian products," he continued.
The whole world is capturing the Indonesian market, which has a population of more than 270 million and will soon be 300 million. “Other people come to Indonesia. "Why don't we want to take advantage of this huge market," said Onno, whose profile is included in the book "American Men and Women of Science", R.R.Bowker, New York, United States.
Indeed, said Onno W Purbo, to establish a factory you must create an ecosystem that is related to each other. “So it doesn't stand alone. "From there there will be efficiency so that selling prices can be kept as cheap as possible," he said.
"We have very few human resources who can carry out data security. This condition is very worrying. If we buy equipment and technology, we can, but there are only a few who can operate it. This is our collective homework. Frankly, as an individual, I am afraid of our current condition after PDNS is broken. That's why we have to learn to defend ourselves in the internet world,"