Hong Kong a sitting duck for online crime

PUBLISHED : Sunday, 10 April, 2011, 12:00am
UPDATED : Sunday, 10 April, 2011, 12:00am


Hong Kong's reputation as a finance and e-commerce hub and its proximity to the mainland make the city an attractive target for online crime, say security firms who specialise in preventing such crimes.

Greg Burns, vice-president of marketing at Prolexic, one of the earliest companies in the world to deal in distributed denial-of-service (DDoS) protection, said online attacks were increasingly moving into the mainstream and targeting businesses such as financial institutions and e-commerce sites, where DDoS attacks were usually part of a larger effort to collect sensitive banking and credit card information.

The attacks work by flooding websites or servers with more data than they can handle, leaving them unable to respond to legitimate requests.

The attacks are launched from networks of infected computers - known as 'botnets' - that can be situated and controlled from anywhere around the globe.

According to a report recently released by Prolexic, the company saw DDoS attacks on e-commerce sites rise 200 per cent last year.

Despite this rise, DDoS attacks on local businesses were going largely unreported, said Sean Lord, vice-president of sales at Nexusguard, a local anti-DDoS security firm.

In a global survey of information technology professionals released in February, 60 per cent of respondents admitted they did not refer DDoS attacks to the authorities.

The report, conducted by Arbor Networks, a leading network security and research firm, cited a lack of faith in the ability of law enforcement to successfully prosecute online crime as one of the main reasons for not reporting attacks. As one survey respondent noted: 'In the end, [police investigations] go nowhere.'

Hong Kong already suffered from higher-than-average levels of online crime, said Lord, and according to police figures, those numbers have been rising rapidly.

There were 1,643 online crimes reported last year, a record number and a 600 per cent rise from reports in 2001, the year the police force's Technology Crimes Division (TCD) was established.

Cases involving unauthorised access to computers, which includes attempts to hack into or hijack computers, have risen 632 per cent since 2008, the last year police were able to provide a detailed breakdown of technology crime statistics.

In an effort to combat the rapidly growing threat of online crime, the division hired 26 additional officers in 2009-2010 and stepped up training. Plans are also under way to upgrade the TCD's computer forensics laboratory.

Police refused to provide the number of arrests made for online crime in Hong Kong.

Worldwide, there has only been a handful of successful prosecutions against DDoS and other botnet operators. Successful prosecution is extremely rare for both legal and technological reasons.

The international and anonymous nature of DDoS attacks meant the people controlling them were often 'three or four layers removed from the actual attack', Burns said.

The attackers were typically located in another country, well outside the jurisdiction of local authorities, and were often operating at the request of another party.

'The technology generally doesn't point to who is actually behind the attack,' he said.

This has led, rightly or not, to a poor view of law enforcers' abilities to handle the crime.

Only 14 per cent of respondents from the Arbor Networks survey reported having confidence in the ability of law enforcement to investigate and prosecute DDoS-related crimes. Burns said his company worked with local authorities on an educational level, but would only share 'attack-specific information' at the request of their customers.

Prolexic's annual DDoS Attack Report, published early this year, said the number of attacks per client was 'consistently higher' in Asia than other regions.

It noted that 70 per cent of infected computers identified by Prolexic were located on the mainland.

Team Cymru, a non-profit internet security research firm, reported roughly 2,700 websites running as botnet control servers on the mainland at any given time last year, making the mainland home to the largest concentration of botnets in Asia and one of the largest in the world.

Lord said that the high rate of pirated software in use on the mainland was probably an important factor in the number of infected computers.

Earlier this year, Microsoft chief Steve Ballmer reported his company estimated that 90 per cent of the Microsoft operating systems running on the mainland were pirated copies.

Out-of-date security updates made these systems easy targets for criminals looking to gain access to computers, Lord said.

A police spokesman said police maintained an effective liaison with the mainland and overseas law enforcement agencies, but was unable to provide information on the number or types of requests made to them, claiming that police did not maintain any statistics on cases referred to outside agencies.

Proximity to sprawling networks of infected computers is not Hong Kong's only concern. Many of the city's infrastructure-level network connections are relatively low bandwidth, making them easy to flood with DDoS traffic, according to both Lord and Burns.

These limitations meant anti-DDoS efforts in Hong Kong needed an especially 'advanced strategy and platform to be effective', said Burns. 'There's no easy fix to DDoS. It's like a war game.'

Creating Chaos

1. Attacker sends out commands to servers

2. Servers push out commands to infected computers, known as 'botnets', telling them to flood target with requests

3. Infected computers receive commands and begin to make repeated requests from the target computer

4. Target is overloaded with requests and can no longer be reached from the internet