New tactics to defeat cyber criminals

PUBLISHED : Tuesday, 15 March, 2011, 12:00am
UPDATED : Tuesday, 15 March, 2011, 12:00am

Mobile communication devices, social networks and online financial transactions have made life more convenient for individuals and businesses, but they have also added new avenues for cyber attacks.

As criminals step up their efforts to target smartphones and computer systems with hidden malware, Hong Kong's Computer Emergency Response Team (CERT) has been changing tactics to combat a new breed of threats.

'Gone are the days when we were simply watching out for viruses that could delete files or disrupt hard drives,' says Roy Ko, principal CERTconsultant at the Hong Kong Productivity Council. 'These days we conduct proactive network monitoring to detect malicious malware capable of bypassing security software.'

Malware are programmes often embedded in Spam e-mail attachments and websites capable of searching for passwords or relaying data or personal and corporate information to a third party.

The latest report by McAfee Labs found that within the top 100 daily search results, 51 per cent led to malicious sites and, on average, each of these contaminated pages contained more than five malicious links. Hong Kong is one of the most spammed places on the planet.

Ko says CERT activities include following up on incidents detected globally by government departments and other internet protection resources.

The response team scans the internet for Hong Kong websites that have become unknowingly infected by malware.

'In many cases, the companies we contact have no idea their website has been compromised,' Ko says.

'It can be difficult to detect malware that in the past may have been discovered by something as simple as a system running slower than usual.'

He says without careful use, mobile devices and smart phones can be significantly more vulnerable than desktop computers.

With mobile devices expected to overtake PC usage as the main form of Web browsing by 2013, Ko expects attacks to focus on new types of devices.

'Mobile devices are becoming attractive targets,' he says. 'There are not too many tools available to protect mobile devices. With the rush to bring new products to the market, mobile devices, the software they use and add-on applications are rarely designed with security as a priority.

'Awareness from the general public concerning the risks they take when using mobile devices is very low.

'We tend to forget there are bad guys as well as good guys that use the internet.

'Therefore, we should do as much as possible to protect our personal and business information.'

He says there are different types and levels of protection solutions available, ranging from free, online systems to sophisticated cloud-based systems that scan every e-mail and provide up-to-the-second protection from emerging threats.

Ko says online 'social engineering' is another area where CERT expects to see cyber criminals step up activities.

'The basic goals of social engineering are the same as implanting malware. The aim is to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.'

He says the number of people using Facebook and Twitter has skyrocketed and, naturally, the social networking sites have become magnets for hacker attacks and sparked other types of privacy concerns.

No one is immune, as hackers gained control of more than 30 Twitter accounts of famous people, including those of United States President Barack Obama, entertainer Britney Spears and Fox News. One way in which hackers have been known to obtain personal details and passwords is through an online form appearing to have been sent from a bank or the System Administrator, Ko says.

When a system is unlawfully accessed, Ko says that situation is often made worse when the same password is used to protect multiple accounts and business details.

Reacting to the growing threat of internet crime and to help raise awareness, CERT, the Office of the Government Chief Information Officer and Hong Kong Police Force organise seminars on cyber security attacks and mitigation.

'We try to provide information and educate businesses and the public about internet security, but it still rests with the user if they choose to click on a link or ignore it. My advice is always to take a second to think before clicking,' Ko says.