Gateway to cyber-hell
IT'S THE PLAGUE of the Information Age, a blight on bits and bytes: the computer virus, with some 50,000 forms of artificial life wreaking genuine havoc. E-mail servers have been clogged worldwide, ATM machines disabled, millions of personal computers corrupted and colonised, with corporate losses in the billions.
When the potent 'ILOVEYOU' germinated from the Philippines in May, it was Hong Kong that provided the global point-of-entry as its multi-national financial sector, which was among the first to report infections, served as an international contagion junction.
'Investment banks were hit first - they weren't scanning incoming e-mails,' says Joseph Sweeney, research director of Gartner Group, a global market-research firm. 'It went from their computers' address books straight to New York. It was absolutely amazing to watch. You could track every single piece of mail a company sent and track it to their trading partner, who sent it to their trading partner and so on.'
A recent Productivity Council survey of 3,000 local companies revealed that viruses are the most common type of computer complaint and one in five companies have reported damage.
Despite this and the ILOVEYOU experience, Hong Kong's business concerns still appear in need of a virtual vaccine.
'More than 90 per cent of small-to-medium businesses [which are generally regarded as comprising 90 per cent of all Hong Kong enterprises] don't have advanced computer security systems,' says Roy Ko Wai-tak, the Productivity Council's chief IT consultant.
Paul Jackson, a senior police inspector in charge of the Crime Prevention Bureau's Computer Security Unit, says: 'It's a pretty extensive problem - ask any company in Hong Kong.'
Further compounding the dilemma is that an estimated 40 per cent of those businesses use pirated software, rendering their systems largely incapable of updating anti-virus software, says Ricci Leong Sze-chung, a security expert with Hewlett-Packard Consulting.
The origins of most viruses tend to remain mysteries. Hong Kong, however, has a history of home-grown cyber-terrorists. In 1995, a virus-creating collective emerged. Monitored by the police and computer security experts, the makers of 'malware' went from writing primitive, simple viruses to complex, polymorphic varieties in just one year, says Allan Dyer, chief consultant with Yui Kee Computing. 'Then it seems they got bored and gave up,' says Dyer.
'That's not an uncommon pattern for people - almost exclusively males - in their late teens or early 20s, an age where they are technically, if not ethically, developed.'
A few years later, in 1997, a local manufacturing business was infected by a 'new virus that was not seen before or since', says Dyer, an anti-virus researcher for conservation Web site www.wildthings.org, that is referenced by governments worldwide. The text-heading on the virus read: 'Revenge is my only goal.'
'The only explanation is that an ex-employee did it,' he says, adding that a number of PC's were rendered unusable for a day.
In 1998, a virus titled 'Autostart 9803' targeted Macintosh computers but caused minimal damage as it limited itself to mainly publishing and production houses.
'It was first reported in Hong Kong and said to have started here but I think it was created in Shenzhen - though I have no proof,' says Dyer.
Last May, a 16-year-old secondary school student from Tin Shui Wai in Yuen Long was suspected of unleashing a bug that threatened the 90 million ICQ users when he encouraged them to go to his Web site with the message: 'Form Four students, I wish you good luck.' Upon deleting the message, hundreds of Form Four victims alone reported that all information on their hard disks had been wiped out and that they had received a mocking 'Congratulations' on the monitor.
Hong Kong has been hardest hit by the same viruses that have contaminated the rest of the world. For example, 'CIH', a virus created by a student in Taiwan in June, 1998, may not have affected as many people as ILOVEYOU but it was more damaging, causing the greatest local damage to date, Dyer says.
CIH, alias Spacefiller or Chernobyl, was designed to infiltrate computers and lay dormant until its yearly activation date, April 26 (the anniversary of the Chernobyl nuclear disaster in Russia), at which point it would overwrite most of the hard drive and render the computer unusable.
On that fateful day in 1999, a Hong Kong Internet service provider reported to Dyer's company that thousands of PC's were infected and some 15 companies in need of aid, he says. 'The calls I got were just the tip of the iceberg.' Yet local companies suffered needlessly as anti-CIH software had been available for 10 months, he says.
There are no official estimates on the extent of damage caused by viruses like CIH, Melissa or ILOVEYOU, partly because determinants like downtime are unquantifiable, and also because of the 'embarrassment factor'. 'No company wants to advertise the fact they've been incompetent,' says Jackson. Consequently, most incidents go unreported.
Says Sweeney: 'It kills the business and kills confidence in the business. Only management can put a finger on that. ILOVEYOU literally shut the whole system of one financial institution for three days.
'How many millions upon millions of trade was lost? We're talking serious money.'
In the Productivity Council's survey, one company confided it had suffered HK$1.4 million in damage with data lost and programs corrupted to the point where both hardware and software had to be replaced. The average incident results in a few thousand dollars in damage and three PC's affected.
Local companies have failed to safeguard their systems because managers treat computer security as a cost instead of a competitive weapon and many IT departments lack technical expertise, consultants say.
In a survey of Asia-Pacific companies last year by international security consultancy Pinkerton, computer crime was the No 1 concern. It's a statistic not lost on the Hong Kong Government which next month will instigate the Computer Emergency Response Team (CERT), to be allocated $10.7 million over three years. The establishment of CERT, though, highlights the Government's retarded response to computer security issues. The US formed a CERT in 1988, Japan in 1996, Singapore in 1997. 'I think we're the last first-world country to not have one,' says Jackson.
Additionally, the Government is trying to tighten computer-crime laws. The Security Bureau has proposed legislation - for which public comment has been extended until the end of next month - that would see computer-crime convictions brought in line with other deception offences, increasing the maximum penalty of five years' jail to 14 years.
It's a laudable effort, but Jackson for one wants to see more consideration given to a study of the legality of hacking tools that are readily available in Hong Kong and on the Internet. Devices like port scanners, for instance, enable a user to scan computer systems for vulnerability, the cyber-equivalent of 'casing the joint', he says.
It's estimated that up to six new viruses are generated each day, but probably more threatening is the evolution of their efficacy. One of the first recognised viruses, Jerusalem, in 1990, took three years to become the world's most prevalent bug; in 1995 Concept took four months; in 1999 Melissa took four days; in 2000 ILOVEYOU took five hours - the damage increasing exponentially with each.
Computer security experts predict that the world has yet to see a virus designed to its fullest potential, one capable of extortion, information warfare, industrial sabotage. Sweeney envisages a stealth virus that will infiltrate companies and send trade secrets and proprietary information back to its creator; in fact, 'blind cc' technology as it is known already exists. 'Imagine if a competitor could buy all your e-mails,' he says.
'This is the next-generation virus. It won't be simply disruptive, it will have a major economic impact.'
Dyer has already encountered such a scenario in Hong Kong. A disgruntled employee encrypted important company files, rendering them inaccessible. Then, like a digital fuse, he programmed the files to corrupt on a certain date. Fortunately, his program failed, but a success could have opened further criminal avenues. 'If done right it opens up the possibility for blackmail. "For a fee I can give you the encryption code",' Dyer explains.
For deviant young aspirants of computer fluency, virus-writing is regarded as core curriculum in learning programming languages. In general, the cyberpunks' underground, with its warped morality, attributes a sense of nobility to such attempts at cultural jihad.
By 2002, it is expected that more than 200 million infected files will enter corporate networks, Sweeney says. As well, personal laptops, digital assistants and even mobile phones are becoming targets. 'We're never going to stop some 16-year-old from writing something stupid that they think is funny. Melissa and ILOVEYOU were warnings. The next one will be fire and brimstone.'