Web site attacks 'show up lack of awareness'
Two attacks within 24 hours on a popular government Web site had exposed security weaknesses and officials' lack of awareness of computer hacking, lawmakers said yesterday.
The interactive home page, offering investment advice and traffic details, was still suspended last night pending a full-scale review of ways to strengthen protection.
First defaced on Saturday at 3.30pm, the Interactive Government Services Directory resumed at 2am on Sunday but was again attacked and suspended at 3pm the same day. Messages left on the site on Saturday read 'own3d by the Crows' and 'hacked by O Analista'. On Sunday, hackers posted an obscene message followed by 'Hackers for Justice!' Director of Information Technology Services Lau Kam-hung told legislators yesterday he was unsure whether the hackers were local or from overseas.
The Web site was an independent trial project managed by private operators, he said. 'The site is constantly being updated as part of the trial and therefore it is not yet in a state which is meeting the security requirement of other government Web sites.' The service was resumed on Sunday after officials fixed the loophole as advised by the operator, Mr Lau said. 'We have been given advice from the contractor on the reason why it was hacked and we resumed the services after plugging the loophole with tests.' Lawmakers at the information technology and broadcasting panel said they were concerned at the intrusion. Sin Chung-kai, who represents the IT sector in Legco, said officials never participated in international conferences on hacking. 'It shows that the Government's awareness is still insufficient,' said the Democrat legislator.
Chan Kwok-keung of the Federation of Trade Unions said: 'The repeated hackings are an open challenge to the Government. Is there any way to prevent intrusion?' Deputy Secretary for Information Technology and Broadcasting Alan Siu Yu-bun said the central system was safeguarded by tight security. 'There may be new skills beyond our knowledge. We are closely monitoring the world trend to strengthen the protection of our system,' he said.
The Security Bureau has set up an interdepartmental working group on computer crime and will map out proposals later this year, Mr Siu said. The main Government servers are protected by 'firewalls' and 'gateways', security programs designed to repel hackers. Hackers failed in two earlier attempts to infiltrate the central Government computers, in January and last June. A computer science professor at the Hong Kong University of Science and Technology said it was not uncommon for service-oriented Web sites to have little protection against hackers. 'Gateways and firewalls are a bottleneck and, many times, if you want to provide fast service and you have no sensitive information on a site, then companies will put their Web pages outside the wall,' Professor Samuel Chanson said.
'It all depends on what you keep on the server,' he said. 'This was a site with no sensitive information. But you see one of the consequences of not having much protection is that now this server is down and the public cannot view the site.' Professor Chanson said there was a happy medium between fast access with little protection and slow access with an impenetrable firewall. 'The best and most secure way is to put a DMZ into the network,' he said.
This 'demilitarised zone' places fast-access Web pages behind one firewall, while sensitive files exist behind another, more impregnable gateway. 'That might be a viable solution for this problem,' he said. 'It looks as if [the Government] should protect its servers a little bit better.'