On March 27th, 2019 the Bangladesh Finance Minister announced a successful hacking attempt on ASYCUDA World.
Based on the news report, it appears that due to weak security protocols, external hackers were able to penetrate ASYCUDA World and override decisions made by Customs in the system to allow for the release and clearance of over 30 inter-modal containers into the country.
As a major lapse in border security, this not only raises concerns in Bangladesh, but for every other country using this rudimentary import processing system. While the Finance Minister stated that ASYCUDA World needed to be more protected, ASYCUDA users must face the facts. This system is not designed or built by experts, let alone anyone with expertise in security at application or database layers. If anyone is protecting the weaknesses in ASYCUDA, it’s certainly not the ASYCUDA programme or the United Nations Conference on Trade and Development (UNCTAD). The only thing being strengthened here is a smugglers’ ability to bypass Customs decisions. It also raises significant concerns regarding the system’s ability to protect confidential and proprietary corporate information submitted by traders to Customs Administrations.
Can you imagine what was smuggled into the country in 30 containers in this instance? That could be as much as 900 tonnes of cargo and include any number of threats such as weapons, ammunition, explosives, hazardous materials, narcotics, stowaways and illegal migrants, dual-use goods, chemical weapons precursors and much more. The possibilities are endless and disconcerting, especially after the recent attacks in Sri Lanka by terrorists (Sri Lanka also uses ASYCUDA World). Explosives and other armaments must be smuggled into the country somehow, and these links suggest local law enforcement authorities found stashes of explosives, weapons, and ammunition that likely entered that country illegally:
The following is an overview of the ASYCUDA Clearance Process. In the article referenced, there appears to be a design flaw in ASYCUDA World whereby holds or locks placed on shipments by Customs can be released or cleared by paying the maximum duty owed under the Tariff.
In Bangladesh, these 30 containers were identified as suspicious and locked by the Central Intelligence Cell and the Customs Intelligence and Investigation Directorate. Beyond the unlawful access to the system, the hackers also knew they would be able to override the locks/holds on these shipments by paying the highest duty rate (25%) in the tariff within the system. That’s an interesting trick, and it suggests a significant weakness and gap in the ASYCUDA design that has now become widely known.
Does that concern you? It should, because now all criminal organizations involved with smuggling goods have a decent idea of how to trigger releases in the ASYCUDA system to facilitate any type of smuggled good into the country. The fact that these containers were held for further investigation or action by Customs Intelligence suggests a high probability that significant threats or smuggled goods did indeed exist in these shipments.
If your country uses ASYCUDA to identify suspect shipments being imported, does it make you feel safe? It shouldn’t. Are you comfortable UNCTAD is addressing this security gap in ASYCUDA World? How many times has this type of event occurred in the past or in other countries?
UNCTAD doesn’t like our series of ASYCUDA Myth Posts. So, they blocked us on Twitter. Oh well; it seems the truth and a little transparency is offensive to some.
Here’s the press release link and full story posted below:
Finance minister AHM Mustafa Kamal on Wednesday said that actions would be taken against people responsible for abusing ASYCUDA World System, a web-based server of National Board of Revenue.
The Automated System for Customs Data server should be more protected, he said in his reaction to reports that outsiders using passwords of retired customs officials illegally released consignments in the past three years. He was talking to reporters after a meeting of the cabinet committee on national purchase at the secretariat. Mustafa Kamal also said that there should be more than one firewall to protect the server. No one can protect the server by erecting a fence around it, he said.
Asked whether any committee would be appointed to probe the matter, Mustafa Kamal doubted if anything came out from such committees. Revenue board officials said that a probe committee of the board, three other committees of Customs Intelligence and Investigation Directorate, Central Intelligence Cell and Chattogram Customs House were investigating the matter to find out people responsible for the forgery. According to the findings of the committees, a syndicate of importers, clearing and forwarding agents and customs officials managed to release about 30 containers under 22 import consignments, most of which were locked by Central Intelligence Cell and Customs Intelligence and Investigation Directorate for suspicious misdeclaration.
C&F agents, on behalf of importers, also paid customs duty at the highest rate of 25 per cent to get the goods released, officials said, adding that they identified 14 importers and seven C&F agents behind the forgery. The syndicate has logged in the global web-based Automated System for Customs Data for customs assessment about 4,000 times in the past three years since 2016 using user IDs and passwords of two customs officials who were once posted at the Chattogram Customs House.
The case of logging in the system took place outside of the customs house. The revenue board has asked the committees to submit the report as soon as possible, probe officials said. They said that customs intelligence in January first found that some prohibited consignments of imported goods had been released from Chattogram Customs House. Customs intelligence in June 2018 asked Chattogram Customs House to lock a consignment in the ASYCUDA World System and stop releasing the goods before physical inspection suspecting misdeclaration.
But Customs Intelligence and Investigation Directorate found that the consignment, along with some other consignments, was released by unlocking the system using the user IDs and passwords of two customs officials — DAM Mohibul Islam and Md Fazlul Haque. The user IDs and passwords of the two officials remained active even after their transfer from the Chattogram Customs House or retirement. They said that either the customs house did not deactivate the user IDs and passwords or the syndicate stole the user IDs and passwords to take release of the goods.
M/S Chaklader Service and C&F agents Zarar Enterprise of Dhaka and MR Trade International took release of the consignments. Customs intelligence filed a case with Ramna model police station in early January against Zarar Enterprise, Chaklader Service and MR Trade International for the forgery. It also arrested MR Trade International owner Mizanur Rahman Chaklader and another customs official in January for their alleged involvement in the forgery.
‘NBR has taken the matter seriously and customs intelligence and central intelligence cell of NBR are working to detect the individuals and entities responsible for breaching the system,’ NBR member (tax administration and human resource management) Kalipada Halder said. The forgery has created a threat for the country’s security and tax administration, he said. The committees have already identified some key individuals for their alleged involvement with the incident, he said.
So what’s the solution?
As a short-term measure, we recommend that all Customs Agencies that are using ASYCUDA urgently speak with their ASYCUDA technical representative and request them to implement the following measures as per best practice:
Phase 1 – Within the next month:
· Audit the ASYCUDA user logs and implement functionality that automatically de-activates stale user accounts.
· Put automatic controls in place to limit malfeasance to one location in the event that a Customs officer’s account is hijacked.
· Implement functionality that enforces strong password security. At a minimum this should:
o Enforce passwords composed of a combination of letters, numbers and special characters, with a minimum of 8 characters and no common words, or portions of words, found in dictionaries;
o Implement automatically enforced password updates, with account deactivation if the password is not updated.
· Audit the configuration of your ASYCUDA business units, including server-side and client-side functional configuration. This determines which roles can release a shipment, re-route to Green, release from the standby queue, etc.
· Audit the list of users and business units, and map these to your organisational structure and Customs Officers’ specific roles and responsibilities.
o Remove any stale business units, ensure that the number of ‘ADMIN’ users is minimised, and check that the ADMIN role has not been temporarily granted to a user to work around a previous operational issue.
o Ensure that strict segregation of duties is enforced.
· Ensure that ASYCUDA is configured so that the latest versions of the Java client can be used.
o Many instances of ASYCUDA only support Java version 6, which was de-supported by Oracle when it reached end-of-life in November 2012 and has many known security vulnerabilities.
· Utilise a Java ‘Code Signing Certificate’, so that the Java client for the application can be run in a more secure mode.
Phase 2 – Within the next three months:
Select one of the following options based on your organisation’s pre-existing infrastructure and IT services:
· Option 1 – If your agency has already deployed a directory services infrastructure such as Microsoft Active Directory or similar, integrate ASYCUDA with your Directory Service so that you can implement ‘Single Sign-On’ across your organisation. This enables the creation of centrally managed user accounts and password security policy enforcement. This is universally regarded as more efficient and less error-prone.
· Option 2 – Implement ‘Multi-Factor Authentication’. https://en.wikipedia.org/wiki/Multi-factor_authentication.
o Inexpensive options such as security tokens or fingerprint scanners are effective even if internet connectivity at a checkpoint is poor.
o Multi-Factor Authentication has been an industry standard since at least 2005.
This story should act as a wake-up call for all ASYCUDA member states. There are many millions of dollars of Government funds running through an often internet-accessible system whose security is only as strong as its weakest link. Some of the measures above can be completed right now by your agency to reduce the risk of hacking; other measures will require the support of UNCTAD.
It is time for member states to put pressure on UNCTAD to resolve some of the inherent security weaknesses in ASYCUDA. If they can’t provide you with the assistance you need in a timely fashion, please contact us and we will do our best to help. Visit: www.ttekglobal.com
Stay tuned for our next blog in our series, “the ASYCUDA Myth” Part 7….