November 27, 2004 (STAR) By Alma Anonas-Carpio - If you are going online without updated anti-virus software or firewall protection, your data and hard drive are at serious risk of hacking attacks.

This was the sentiment aired by information technology experts at a breakfast forum at the Lumiere Café and Gallery in Makati City this week.

Computer supply shop proprietor Wilson Chua sounded the alarm about hacking anew at the forum – a warning he had already made a year ago. According to him, computer hackers are now becoming more organized and their attacks on websites are systematic and planned. An attack can be annoying as spamming and system flooding with useless data or as serious as data and identity theft.

According to Chua, identity theft is perpetrated when an administrator or a user’s passwords and information are stolen through hacking. With these passwords and data, "the hacker can pose as the administrator or user" and use the victimized computer to hack and deface websites, bog down networks and similarly victimize other computers, or he can sell these data (stolen from the victimized computers) in the underground market to other hackers."

How can these data be used? Multiple hackers can conduct organized, simultaneous attacks on a given target and deface or otherwise hamper the operations of their victim. Data stored in victimized computers can also be used by hackers, including confidential data stored in the computer like credit card information and passwords stored in auto-fill programs that make online form completion easier.

Chua mentioned the recent hacker attack on the Megalink website posted on the Philippine Hackers website (http://www.phackers.org/). When NetWorks checked the site, a group calling itself Internet Security and Warfare (ISAW) posted a picture of the defaced Megalink site with this caption: "The vulnerable server of Megalink (www.megalink.ph) is now offline after ISAW called them about five minutes ago, informing them that it is still wide open. Megalink IT personnel said they did not receive e-mails from ISAW last week."

Such defacement of sites, spamming, Trojan and virus attacks and identity theft, Chua said, are made easy for hackers because users and Internet service providers (ISPs) in the Philippines do not prioritize security features for their computers and data storage devices because such software is often seen as "too expensive."

"We are losing to the hackers because we do not want to spend for the security," Chua said.

Regularly updated anti-virus programs and firewall protection are ISPs’ and users’ first line of defense against hacking and, without these safety mechanisms in place, vulnerable computers could become "zombies" or slave drives through which hackers can attack websites, Internet-connected local access networks and individual computer units.

Zombie computers, in effect, become the "fall guys," or the computers to which the attacks are traced. It is through this manner of camouflage and use of "mirror sites" that hackers avoid detection.

Chua also cited the lack of legislation against computer crimes like hacking. "We do not have laws against computer hacking and such laws would give teeth to efforts to stop (this)," he said.

So far, the only legislation that provides some protection against computer hacking is the e-Commerce Law.

Abe Purugganan, chief of the Task Force for the Security of Critical Infrastructure (TFSCI), said the lack of legislation hampers his agency’s efforts against hacking. He warned of serious consequences if online security in the Philippines is not improved.

Hacking "can reduce the level of (public) confidence" in the security of websites and other computer infrastructure, he warned.

"It is best to ensure that you, as a user, take an active part in safeguarding your computer and data by installing an anti-virus program and firewall protection," Purugganan said.

However, obtaining legislative support for an anti-cyber-crime law is not easy, the forum participants said, because few legislators have a working knowledge and understanding of digital media, information technology and the need to secure data, computer servers and hard drives from hackers.

Lawyers present at the forum also contended that the IT experts pushing for legislation to combat cyber-crime "must also work to understand the law, which was there since the beginning of man’s history."

The general consensus at the end of the forum, however, was that the public and private sectors need to work more closely together and share data and expertise in order to stop hackers from perpetrating organized and more damaging attacks.

"Now that they are more organized, hackers are attacking less often, but with more devastating effects," Purugganan said.

Chua, meanwhile, warned that while active attacks are serious, he and the rest of the IT community are more concerned about "sleepers" or hacked computers and websites that have not been defaced or damaged in any way yet although the hackers have already gained control of the victimized computers and servers.

"The hackers can say they own, say, a thousand computers and sell (password and data control over) these in the underground market, for use in hacking or other computer-assisted crimes," he said. "The really bad thing is that since there is no apparent damage, the companies, users and ISPs that have been attacked and whose computers are already ‘zombied‚" (do) not know that their systems have been compromised."

What the IT community is pushing for, Chua said, is a "full disclosure" of hacking attacks on sites and servers so the users would know. "We, as consumers, have the right to know if our ISP has been hacked," he said.

ISPs, telecommunications companies and other Internet users which have been hacked often choose not to publicize the fact that their servers and systems have been compromised because they are loath to admit that hackers have victimized them. "They are ashamed to publicly admit that" and fear losing their clients’ confidence in the security of their sites and systems, Purugganan said.

Reported by: Sol Jose Vanzi

All rights reserved