Hong Kong systems administrators were warned yesterday to implement stronger security measures and prepare for a new generation of viruses and automated hacking tools.

A United States-based hacker known as Rain Forest Puppy, or RFP, was speaking yesterday on the final day of Hack 2002, a security conference held at the Hong Kong Convention Centre. He demonstrated in about half an hour how he used a Web browser to hack into a corporate Web site.

For the demonstration, he used software employed by a US medical college to allow patients to access their own records over the Internet, although the site he hacked was one built specifically for the demonstration.

The key to averting such attacks was to devote more time to preventive measures, preferably before vulnerabilities are publicised by researchers or vendors, he said. 'From the most secure thing on the Internet to complete trash, it can happen overnight. Overly paranoid security configurations can actually help you more than patches,' he said.

His suggestions include reducing the amount of information put into Web page headers and error messages.

Microsoft's Internet Information Server (IIS) Web server was labelled by RFP as being highly vulnerable to attack, although he added the open source Apache Web server has its own flaws, especially if used with its default configuration. 'There's only 10 [software modules] you need to make the server work. It comes with 30, you only need 10,' he said.

Code Red, one of last year's most damaging viruses, attacked a long-known vulnerability in the IIS server, and administrators who had already changed the program had no problems. 'The only people who had problems were lazy admins,' he said.

Security programs such as Bastille and Titan could help automate the process of turning off unneeded functions, he said. Other software, such as ITS4, Flawfinder, Rats and FrontEnd Plus, can look for security flaws in C++, Python, Perl, PHP and Java code.
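The advice above about trimming Web server headers and error messages can be verified from the outside. The following script is an added example, not code from the article or from RFP: it parses a raw HTTP response and flags version strings in the Server header, identification headers such as X-Powered-By, and the default Apache ServerSignature footer on error pages. The two sample responses are constructed to resemble a default and a hardened Apache installation; the directives named in the comments (ServerTokens Prod, ServerSignature Off, expose_php) are the standard Apache and PHP settings that remove these leaks.

```python
"""Audit a raw HTTP response for server-fingerprinting leaks.

Added example, not code from the article or from RFP. The two sample
responses below are constructed to resemble a default and a hardened
Apache installation.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Headers that commonly advertise product names and versions.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A bare product name ("Apache") is what Apache sends with "ServerTokens Prod".
BARE_PRODUCT_RE = re.compile(r"[A-Za-z][\w-]*")

# The footer Apache appends to error pages unless "ServerSignature Off" is set.
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*?Port \d+</address>", re.I | re.S)


@dataclass
class Finding:
    location: str  # "header:<name>" or "body"
    detail: str


def parse_response(raw: str) -> tuple[str, dict[str, str], str]:
    """Split a raw response into status line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str) -> list[Finding]:
    """Return one Finding per leak; an empty list means the response is clean."""
    _, headers, body = parse_response(raw)
    findings: list[Finding] = []
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if name == "server":
            # Only the bare product name is acceptable; anything more
            # (version, OS, module list) is what "ServerTokens Prod" strips.
            if not BARE_PRODUCT_RE.fullmatch(value):
                findings.append(Finding("header:server", f"verbose Server header: {value}"))
        else:
            # X-Powered-By and similar headers serve no client purpose; remove
            # them (for PHP: expose_php = Off in php.ini).
            findings.append(Finding(f"header:{name}", f"header should be removed: {value}"))
    if SIGNATURE_RE.search(body):
        findings.append(Finding("body", "error page carries the ServerSignature footer"))
    return findings


# Constructed sample: what a default installation typically returns for a 404.
DEFAULT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3\r\n"
    "X-Powered-By: PHP/4.2.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/1.3.26 Server at www.example.com Port 80</address>\n"
    "</body></html>"
)

# Constructed sample: the same request after "ServerTokens Prod",
# "ServerSignature Off" and removal of the X-Powered-By header.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.location}: {f.detail}")
```

Run against a live server the same check applies to the response of a deliberately non-existent URL, since that is where the ServerSignature footer appears; the default sample produces three findings and the hardened sample none.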
Many of these programs are available for free over the Internet. But administrators must manually review every potential flaw. 'At least it makes you aware of what could be a problem,' RFP said.

Foundstone chief information officer Gary Bahadur said the increased use of code reviews, especially by financial companies, was encouraging. 'We're doing more and more although I don't think it's anywhere near where it should be.'

Both speakers recommended testing sites on proxy servers before giving them to a company's Web server.

RFP said he was concerned about the silence of well-known hackers since late last year and the relative lack of Code Red-style attacks. 'It's all really scary. The good attackers are going underground now. They're not even sharing anymore.'

The silence could mean the next major attack will take administrators by surprise, in its seriousness and techniques. He saw the potential for more automated attacks and for the time between a vulnerability report and the production of a virus that exploits it to shorten. This lag-time has become as little as three days. 'I foresee that being 24 hours, so having proper patching procedures and having proper response systems is crucial,' he said.

So far this year, the most active viruses on the Web have been the Klez and Frethem families of viruses, which are prolific but carry relatively weak payloads.

Professional Information Security Association chairman Leung Siu-cheong said the biggest problem in Hong Kong so far this year had been the Klez virus, which forwards itself by choosing e-mail addresses at random from infected computers. This disguises the origin of the viruses and means many infected users never realise their machines have the virus. 'Klez is a special kind of virus. It is not very damaging but it is very intelligent in exploiting the weakness of humans,' Mr Leung said.
He expected that as China established more business and communications links with the rest of the world, computer viruses from there would become a problem in Hong Kong and other places. 'Now China is an importer of viruses. In the future they may be an exporter,' he said.