The biggest threats to computer users are not hackers but their own ignorance, complacency or carelessness, writes Doug Crets
While the popular image of a computer villain is a geeky teenage hacker in his bedroom cracking Pentagon supercomputers or writing computer viruses, the worst enemies of online privacy and security for most computer users are their own complacency, ignorance or carelessness, consultants say.
Security today is mostly about protecting the consumers from themselves. And the most dangerous piece of equipment they use could be the search engine on their personal computer.
Because most online surfers live with a false sense of security that they alone are the ones that are using their computer or mobile phone, many are unaware that everything they do on that computer or phone can be seen, read or heard - and not just by seasoned hackers, but regular users like themselves.
Popular search engine Google is one of the locksmiths that opens these doors.
Almost anything a hacker wants to corrupt through a computer, he can find on Google, the world's largest search engine. The tools are clearly available on public Web pages that describe a technique called "googlehacking."
Using only a few search instructions, or "strings," any user can pinpoint files that their original uploaders or viewers believe to be private.
With the help of three Internet security technicians, The Standard conducted a series of Google searches over the course of three days.
I gained access to private security cameras around the world, Web pages of code that can be used to unlock company Web sites, audit reports and reports marked "for internal use only."
Most important, nothing The Standard did during these tests was illegal - all the information is publicly available and searchable through Google.
In one search string, I found programming files for True Light Girls' College, in Kowloon, in a cache file in Google. A hacker could work through these files and penetrate the system at the school.
The source codes for the Hong Kong Boy Scout's Web pages are also online.
There should be no "tree" that allows a hacker to crawl through code and into the actual Web site, says Anthony Lai, who runs OWASP, the Open Web Application Security Project in Hong Kong, a voluntary and nonprofit workshop for security technicians.
I watched as Lai found backup files for the undergraduate admissions directory for Hong Kong University.
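A defensive counterpart to the exposures described above, added here as an example and not taken from the article: a short audit that a site operator can run over an export of their own domain's indexed URLs, page titles and snippets to flag the classes of material the article found (backup files, raw program source, directory listings and documents marked for internal use). The domain and the sample entries are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# File suffixes that should never be reachable on a public Web site.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".tmp", "~", ".zip", ".tar.gz")
# Markers that mean the indexed body is program source, not rendered output.
SOURCE_MARKERS = re.compile(r"<\?php|<%@|#!/usr/bin|^\s*(import|require)\b", re.M)
# A directory listing page as generated by common Web servers.
LISTING_TITLE = re.compile(r"^Index of /", re.I)
# Wording that marks a document as not meant for the public.
INTERNAL_MARKERS = re.compile(r"for internal use only|confidential|audit report", re.I)

def classify(url, title="", snippet=""):
    """Return the exposure labels that apply to one indexed page."""
    findings = []
    path = urlparse(url).path.lower()
    if path.endswith(BACKUP_SUFFIXES):
        findings.append("backup-file")
    if LISTING_TITLE.search(title) or re.search(r"parent directory", snippet, re.I):
        findings.append("directory-listing")
    if SOURCE_MARKERS.search(snippet):
        findings.append("raw-source")
    if INTERNAL_MARKERS.search(title) or INTERNAL_MARKERS.search(snippet):
        findings.append("internal-document")
    return findings

def audit(entries):
    """entries: iterable of (url, title, snippet); returns {url: findings} for hits only."""
    report = {}
    for url, title, snippet in entries:
        findings = classify(url, title, snippet)
        if findings:
            report[url] = findings
    return report

# Constructed sample, shaped like an export of a search engine's index of
# one's own domain; www.example.edu and every entry are placeholders.
SAMPLE = [
    ("http://www.example.edu/admissions/index.html", "Admissions", "Apply by June."),
    ("http://www.example.edu/admissions/applicants.mdb.bak", "", ""),
    ("http://www.example.edu/uploads/", "Index of /uploads", "Parent Directory  minutes.doc"),
    ("http://www.example.edu/lib/db.inc", "", "<?php $dsn = 'mysql:host=db'; $pw = 'PLACEHOLDER';"),
    ("http://www.example.edu/reports/2005-audit.pdf", "Audit report", "For internal use only."),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE).items():
        print(url, "->", ", ".join(findings))
```

Each flagged URL is something to remove from the server or block from indexing, then re-check once the index has been refreshed.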
Security consultants offer reasons why documents are left online in Hong Kong and why little is done to protect the institutions that put them there - or leave them there by mistake.
In local programming and developer culture, deadlines take precedence over proper security protocol, says one developer and consultant.
"It becomes part of the culture. It becomes about making deadlines, creating functions [for software programs]. Security gets put into the background," says James Tsao, who a few years ago set up his own consulting firm after worrying about the level of security on IT projects in local businesses.
Local businesses, he said, don't want consultants who can tighten up their Web security. They want to "throw money at the problem" or "buy a box and set it up," Tsao says.
"Companies outsource their responsibilities," says Lai of the international software firms that provide them with firewall technology but sometimes do not tailor the software to internal hacking threats.
Technicians, argue Lai and Tsao, should turn to open source and run proper "penetration tests" online to judge just how secure a company's Web site or networks really are.
But they are also quick to say that no company will do that, because they don't want to lose brand image by showing their vulnerabilities.
Businesses in Hong Kong spend most of their money on a security technician, Tsao says, because "it's easy to throw money at a problem."
"I have him [the technician] to grab and to hold onto, to yell at. It's the comfort level of blaming someone," he says.
Competition drives improvements in security and identity management for the local Internet consumer, but changes in US technology law and the flattening of the tech boom here mean some companies fall behind in security, say tech experts.
This reactive approach to security means that companies that do business online may not be aggressive enough in heading off criminal activity or identity theft.
Companies face a choice, say security consultants.
They can outsource to security companies and put their transactions and networks in the hands of outsiders, lowering their costs and sometimes laying off people who have good reason to want to keep their jobs. Or, they stay in-house, a technique that could lead to laxity, considering that Hong Kong has no formal non-commercial standardization system for security consultants, says Dale Johnstone, principal consultant in information security governance and risk management at PCCW.
Lai agrees: "There are no rules on how to be qualified as a security professional [in Hong Kong]. Not like [those for] an accountant."
Companies generally rely on international vendors to bring solutions to their online transaction engines, or even to their entire network.
Some technicians are arguing for such a standard.
The Sarbanes-Oxley Act, passed in 2002, has a section on best practices for Internet security in America.
Since American companies are now legally bound to follow best practices, tech watchers in Hong Kong note that it is the United States, not the government here, that is consistently driving the adoption of standards in Hong Kong.
And since not much is homegrown in terms of developing security protocols or good clean programming, say consultants, most businesses turn to "out of the box" solutions.
"Hong Kong is a very loose place, in terms of government pushing standards," Johnstone says.
If a current standard in the world market says that a business should separate and control elements of its internal network in order to monitor it and to protect it, says Johnstone, many small firms might decide against it to save money and to preserve staff numbers.
That mentality, and even a token increase in security that relies only on minimal modifications to a software program or on a single patch, could be dangerous, Tsao says.
"[A hacker] will do something to a Web site to see how it reacts. They are not [looking for] big holes that are glaring," he says.
"They can work out a coordinated way to hack a site to get deeper and deeper."
Tsao warns people using internal Web cameras or Web-based applications set up by their company to be guarded when using Google.
When installing the Google Toolbar, for instance, don't just click "go" and "next." The default, non-custom installation will send whatever Web site a user searches for to Google for indexing.
Even Web applications that have passwords on them can be used to infringe privacy and to steal data.
A competent hacker, well-versed in programming language, can read an error message, pinpoint the security gap and in a few moments gain access.
This is possible in Hong Kong, says Tsao.
"One of the reasons is the lack of awareness," Tsao says.
"What people are seeing now are only the facts of laxity. They are probably not aware of the causes of the laxity," he says.