Easy Targets for Hackers
5th April 2001 (NST)

Samsuddin: Poor Measures Leave Agencies' Websites Vulnerable

KUALA LUMPUR, Thurs. - Despite the global paranoia on Internet security and vigilance against malicious computer hackers, Government websites are "dead easy" targets, underscored by 89 attacks on 60 agencies in the past 25 months.

Chief Secretary to the Government Tan Sri Samsudin Osman admits as much.

"Truly, there are threats we still face _ like data loss, sabotage, data corruption and web vandalism," he told a Public Sector ICT security seminar today.

While the extent of the hacking was evident, the Chief Secretary in his speech did not elaborate on the damage or how much data had been stolen or used for an ulterior motive.

He told a Press conference later there was no case yet of an agency totally losing its data.

However, Samsudin felt that the easy hacking was mainly due to carelessness and weaknesses in preventive efforts.

The hacking of the 60 Government websites took place between Feb 1, 1999 and Tuesday.

Some of the key websites attacked belong to the Immigration Department, Social Security Organisation, Treasury, Selangor and Terengganu Governments and Public Works Department.

The names of these agencies were included in a website attrition list in Samsudin's speech. However, it did not include the Road Transport Department, whose site was vandalised last month by a hacker who police believe is a student.

Also in the list were 29 websites operated by private entities such as Hong Leong, Malaysia Airlines, MidValley Megamall, SkyTel, Garden School, Multimedia University, Mines and MSN Dollars.

Statistics compiled by what Samsudin referred to as "independent sources" showed that these websites were frequently attacked by hackers who left behind a very vulnerable security system.

Samsudin said he had directed all Government departments and agencies to upgrade their computer security system to safeguard vast amounts of valuable information.

"...if breached, this can cause serious damage to the integrity of the Government," he said.

One of the directives is an ICT Security Incident Reporting Mechanism circular outlining a standard operating procedure of reporting breach of security or other attacks that include denial of services, new vulnerabilities, false identity breaches, vandalism or system disruptions.

The directive is handled by the Government Computer Emergency Response Team operating under the Malaysian Administrative Modernisation and Management Planning Unit.

In line with the circular, a Mampu preventive measure called Programme Security Posture Assessment has been instituted to audit and appraise websites for infrastructure strength.

Samsudin also reminded Government agencies to provide comprehensive and updated information which met the surfer's expectations.

"Every homepage must be easily accessed," he said. "If it cannot be accessed, it is as if the office is closed."

His compelling reminder to heads of departments?

"I ask that you visit your homepages as a routine task to assess its quality."

Samsudin said he took comfort from the fact that hacking also affected major websites operated by Microsoft, the US' National Aeronautical and Space Administration (Nasa), Pacific Bell and the University of California.

He also noted that malicious attacks also affected popular commercial sites such as Yahoo!, Amazon and e-Bay.

But Samsudin said despite a "need to know", confidentiality arrangement practised by most websites, hackers can create programmes to breach the computer system.

"Computer systems do not recognise friend or foe," he said. "The computer will comply with anyone as long as the right codes are used.