Local Servers Easy Targets: Lack of Security Makes Government Sites Vulnerable
2nd January 2001 (The Star)

Kuala Lumpur, Mon: Local computer servers still lack basic system and Internet application security, making them prone to hacking.

Malaysian Computer Emergency Response Team (MyCert) project head Raja Azrina Raja Othman said most prone are government and educational institution websites, followed by private companies.

Many cases of intrusion do not involve web defacing but using them as launch pads to "hit" other servers.

MyCert, formed in 1997, provides a point of reference for the local Internet community to deal with computer security incidents and methods of prevention.

The latest case involved the hacking of the Parliament website discovered on Saturday.

The hacker, who called himself "Topeira", had replaced the website at www.parlimen.gov.my with some foreign words and a Brazilian address of the rock group Garbage.

The hacker, if traced, can be prosecuted under the Computer Crime Act 1997, enforced on June 1 last year, which has effect also outside the country.

Thus, the offender can be charged with unauthorised access to the system and fined up to RM50,000 or jailed up to five years or both.

Commenting on the hacking of the Parliament website, Prime Minister Datuk Seri Dr Mahathir Mohamad said the government will try to tighten its computer security but there will still be some doubts.

"People who are very highly skilled in this area can always break the code or system," he said after attending the People's Progressive Party's New Year open house at PWTC today.

He described the hackers as very clever people" who wrongly apply their skills and intelligence.

He said the hacker or hackers, who called themselves "Topeira", had used their knowledge to fight against "the very principle that they are supposed to champion".

He said such people get angry over censorship but have no qualms about blocking out information which is not theirs.

In a way, he added, theya are trying to censo r other people's news.

According to the abuse statistics at MyCert website, the number of hack threats has dropped nearly half for the first 11 months of last year compared with last year.

From January to November last year, there were 177 hack threats, compared with 317 for the same period in 1999.

There were also fewer cases of forgery (from 17 in 1999 to three last year) and intrusion (from 62 to 39) of Malaysian websites. Raja Azrina said MyCert cannot ascertain whether this is a true reflectionof network security.

Other factors could include non-reporting to avoid publicity and web developers being unaware of such attacks.

"Such conclusions were made due to quite a number of incidents involving MyCert alerting the victioms on their system's vulnerabilities," she said.

She said there will always be the threats to computers, and MyCert can work only to mitigate and manage the risk, rather than eliminate threats.

"Hacking will be prevalent and made simple unti developes and product owners design prodeucts with inbuilt security," said Raja Azrina.

On local e-commerce business sites, she said there is still roomfor improvement in security measures.

"There sould tighten the securityof their applications, especially to avoid scripting exploits and must do away with reusable passwords in order to improve application authentication," she said.

She added that the general profile of hackers is a mix of students, school drop-outs and disgruntled former employees.