Thousands of ‘parasites’ spying on Net surfers

Fearing computer security breaches, local companies have been asking the National ICT Security and Emergency Response Centre (Niser) to audit their network systems, with disturbing results. Niser and other computer security firms have found that computer systems now host thousands of "spy-ware" programs or "parasites", which spy on users' Internet habits and can obtain personal information such as credit card numbers and passwords. One local computer security company found that its 40 clients recorded 5.4 million intrusion attempts in March alone. When contacted by the New Straits Times, the Malaysian Communications and Multimedia Commission said there was a high probability that companies infected with damaging programs like spy-ware could lose vital information and private documents if they failed to take remedial action. MCMC information and network security department head Shamsul Jafni Shafie said they were concerned about the proliferation of spy-ware and its accompanying "ad-ware" programs in Internet-enabled computers today, a phenomenon currently so widespread that the United States is seriously considering drafting anti-spyware laws. "Around 80 per cent of computers in Malaysia are believed to be infected with spy-ware programs. Malaysians are tolerant by nature. When this spy-ware and ad-ware result in pop-ups, unwanted ads and spam in their computers, they just click it away or delete them. To them it is just an annoyance. "But the reality is that these computers have been infected. One could plant software on the computer, get to know whatever is typed and obtain the data. All this is done without the user's knowledge," Shamsul said. The dangers of the rampant spy-ware threat were highlighted last year after the arrest of a prolific computer hacker in New York, who had secretly installed software that collected more than 450 user names and passwords and then transferred people's money into unauthorised accounts. Shamsul said companies and organisations should determine if their networks were safe by a third party as those with unreliable defences could end up losing information to hackers or competitors. Malaysians in general, he said, also had to start looking at privacy issues seriously as more people each year subscribed to high-speed or broadband services such as Streamyx. Shamsul added that security problems with online banking systems last year were not the fault of the banks, but due to the lack of awareness and gullibility of users. "That was caused by ‘phishing' or spoof websites, which are designed to fool people into giving them personal information. None of the local banks' security systems were infiltrated last year," he said. With spy-ware, however, he said that it would be possible for unscrupulous people to obtain users' personal information to log into their online banking accounts, through no fault of the banks. The parasite programs can also allow people overseas to use a computer in Malaysia as a "launch pad" for cyber attacks in other places. "In the UK, investigators tracked down a person from Asia for sending out ‘phishing' e-mails, but they found that his computer was actually being used by someone in San Francisco to send out hundreds of these mails," he said. While there were few consumer complaints on spam, spy-ware or ad-ware locally, many attacks or cyber infiltration go unnoticed or unreported. MCMC only received two complaints about spam in 2003, with the bulk of complaints being on poor Internet connections or the unavailability of broadband services. "I am actually afraid to tell the world that we have very little complaints, because it gives the wrong impression that we are very secure. Because Malaysians have this culture of tolerance and are generally unconcerned with privacy, we will have these problems," Shamsul said. MCMC monitoring and enforcement division general manager Toh Swee Hoe said consumers must know what to do and service their computers as they would their cars. He said anti-spyware and anti-spamming programs were necessary to ensure computers were protected, and more importantly, these programs needed to be "updated religiously".