Sunday Focus: Curbing attacks on websites
By Yeang Soo Ching
14th January 2001 (NSTPI)

SOME have malicious intent, some want to prove their IT skills, and others are fuelled by political vengeance, anger and other emotions.

These are the original computer hackers or hacktivists as they are now known, people who are skilled, precise and out to do a lot of damage by hacking into computer systems.

Of course, hacking activities are not the exclusive domain of people skilled in computer technology; they have now been joined by people who know next to nothing about computers and yet can hack into websites. Even schoolboys are able to do so.

Why? Because they can download, at a click, programmes which are spying tools.

Newspaper records show that in early 1999, a Chinese railway's computer system was hacked.

In December 1998, two brothers robbed a bank in China by using its computer to transfer US$31,000 (RM117,800) into their accounts. They were sentenced to death for their crime.

In the US in September 1999, a 19-year-old from Wisconsin was charged with hacking into a Pentagon computer and tampering with its communications system.

He was also charged with illegally accessing a US army web page and modifying its contents. America's computer woes did not end there.

In February last year, a wave of Internet vandalism hit the US, prompting its Government to order a review of its defence computer networks. And in the recent US elections, both the Republican and Democratic sites were defaced, with anti-Bush and anti-Gore sentiments expressed.

Right in our own backyard, two major websites were hacked last month.

One was the Parliament website at www.parlimen.gov.my and the other was Universiti Teknologi Mara's website at www.utm.my.

The hacking wiped out all information on the Parliament website and replaced the homepage with words in a foreign language.

The hacker of the Parliament website identified himself as Topeira while the UTM website hacker/hackers claimed to be from the skOrpiOn Crew.

Computer vandalism is not new in this country. A local newspaper report of a rise in the hacking of Malaysian websites put the figure at 28 cases in 1998 and 47 in the first eight months of 1999.

Under section 5 of the Computer Crimes Act 1997, hacking is illegal in Malaysia. If convicted, the offender can be fined up to RM100,000 or jailed up to seven years, or both.

According to MyCERT project head Raja Azrina Raja Othman, it will not be difficult to track down the hacker of the Parliament website.

Leads which have been closely monitored prove that the hacking was done merely for fun and the hacker, believed to be a foreigner, has a list of servers which he has defaced.

Raja Azrina laments the fact that Malaysian organisations tend to see security as an area which only a selected few can specialise in. Local servers have poor security features, and because of this, are vulnerable to attacks.

"Computer technology has always been perceived as a specialised area that only those in the line of computer security would need to have a grip on. However, we would like to correct that perception.

"Organisations need to realise that security is very much the responsibility of all levels of IT implementers, including, but not limited to, system and application developers, system integrators, and network and system administrators," she asserts.

Should such people be unfit to carry out the task effectively, they need to be trained.

"Anyone working in the computer industry will appreciate the sheer velocity of change and evolution.

"However, end user products, that is, PC and network devices, need improved security and some day product developers will realise that computer security is an important element that is a standard requirement, not an optional accessory or luxury," Raja Azrina opines.

MyCERT has had to deal with recurring incidents of attacks in the past due to the fact that system administrators fail to clean systems of implanted backdoors.

"We understand the issue of having to re-install the operating system, and of investigating logs. However, these are necessary to ensure your hosts are secured," she says.

According to her, in any hacking incident, recovery is possible if the incident is dealt with carefully. The period of recovery depends on the resources available.

Having the following mechanisms in place would speed up recovery: incident response procedures, recovery procedures, backed-up data, standby unit for replacement and full control and access to the network.

In handling incidents involving intrusions, there are two options with regard to methods of response, according to Raja Azrina.

One is to disconnect and prosecute, which basically means disconnecting the target host from the network, analysing the traces for possible prosecution and recovering the services immediately through machine replacement.

The second option is to continue to track the intruder by allowing the intruder to keep using the system, with the important data already backed up and the compromised system serving as a decoy.

Access will continue until the administrators manage to identify the perpetrator.

These would be the immediate measures to take, but in the long run, maintenance of security features should be a priority.

As Raja Azrina points out, network equipment, although self-running, requires monitoring and maintenance, not only for performance but also for security reasons.

Various measures can be implemented in a consistent way, she adds, but they are often neglected due to misconception of priorities or just plain ignorance.

"Computer security needs to be applied at all levels of network and application implementation, including planning, risk assessment, design, audit, testing and maintenance.

"Policy and procedures must be applied and measured for effectiveness. Monitoring of network and system activities is the key to detecting anomalies that may be due to a security breach."

One common piece of security software used in computer networks is the firewall, which is a type of network perimeter defence.

While this may protect the network from external threats, it does not help in deterring internal threats, says Raja Azrina.

There are two types of firewall, one which functions like a packet filter, and one that functions like a proxy.

Depending on the needs of the network, either of these two types of firewall, when applied correctly, can be effective in deterring external threats.

However, there are attacks that can bypass the firewall, since firewalls may not be intelligent enough to block attacks that seem like genuine traffic requests.

Is hacking common? Is it sane?

Raja Azrina answers in the affirmative. She feels the local media must correct the terminology used for hackers versus crackers.

"Hackers are defined as individuals who have strong interest in the workings of a computer. They have a certain code of ethics; they don't damage systems or data. They are good programmers and their activities are productive and creative.

"Crackers, on the other hand, are definitely not bound by any ethics. They break into systems with malicious intent or for profit, and destroy data and systems. Crackers rarely write their own programmes. They rely on tools made available by others. Another term for them is script kiddies. Their efforts are destructive in nature.

"However, even among the hackers there are now emerging those without ethics. They are termed the black hat hackers. The ethical ones are termed white hat hackers," she elaborates.

As to why hacking occurs, Raja Azrina offers various internal as well as external factors which may lead to this cyber crime.

Internal factors:

  • Lack of control and poor management in computer administration.
  • Lack of knowledge and exposure in aspects of computer security.
  • Low priority given by top management, for example, lack of top level security policies that are communicated and executed effectively.
  • Poor or haphazard computer network and system design that is unsafe, ill-equipped with security components, and misconfigured systems and applications.
  • Outdated software and lack of maintenance.

External factors:

  • Free exploit tools or programmes available over the Internet.
  • Vulnerable computer systems and applications.
  • Motivation, from peers and others, to establish status quo or for monetary gains.
  • Lack of ethics and professionalism among budding technologists.

These days, cracking has been made simple, especially so when user-friendly (point and click) cracking tools were made available in 1999, and till today, such releases have not stopped.

Raja Azrina bemoans the fact that these tools, which were released by some black hat hackers and claimed to be tools for system administrators to maintain their remote systems, have actually turned out to be effective spying tools. Even people with little knowledge of computers are thus able to crack systems.

Web servers, mail servers and domain name servers are prime targets of attacks, the reason being that these services need to be publicly accessible in order to function.

It is, therefore, a challenge to protect these servers from penetration, but it is not impossible to do that.

"It is not so much of expertise but of procedures that are undefined or not adhered to," Raja Azrina claims.

Examples include human error in maintenance causing an exposure or loophole, and other reasons that sometimes appear unimportant and so are dismissed unnecessarily.

"In large organisations especially, such quality of security must be controlled and communicated to all levels of implementation. That on its own can be a challenge."

In tracking hackers, care must be given to preservation of evidence to ensure no tampering or loss.

There are various ways of tracking a cracker or hacker, but oft-times a hacker would have done a better job of removing his traces than a cracker.

As we depend more and more on technology to carry out critical tasks, security should be at the forefront of network requirements in order to build the element of trust and faith in information and communication technology (ICT), Raja Azrina concludes.

A sentiment shared by Butt Wai Choon, managing director of Microsoft (Malaysia) Sdn Bhd, who thinks that solutions to these challenges cannot be driven by one single group.

Rather, the future lies in how IT vendors, Government and academic groups come together to arm customers with the technologies, tools and standards necessary for assuring trust and secure computing in the digital age.

"Hacking is a deplorable act of industrial espionage, costing time and money to rectify.

"With the Internet becoming more ubiquitous, it has opened up vast potential vulnerable sites and increased the rampancy of computer and website hacking. Security and privacy remain an industry-wide problem," he says.

In Butt's opinion, apart from security measures, ongoing close monitoring or maintenance is crucial to ensure that security or anti-virus software is constantly updated to maintain the protective function at all times.