Spam storm

12.04.2005
By Stefan Hammond

The summer monsoons have yet to sweep over Hong Kong, yet CWHK is already deluged with information dished out by IT security firms. Like Dickens's Little Dorrit, the cornucopia of info from vendors, government entities and analysts comes thudding on our desks with monotonous regularity. When it comes to IT security info, we are getting überspammed.

The Hong Kong government knows that spam is affecting productivity for HK enterprises and SMEs, and plans legislation. Yet the speed of cyberspace means spammers play hare to governmental tortoises, and this situation isn't limited to Hong Kong by any means.

Spam is evil, inane, and worldwide. But everyone knows this already. Devising a workable solution is the problem.

The security continuum

Appropriate security doesn't follow a set pattern, because the level of security you choose is determined by your needs. If you force all your employees to use randomly generated 10-character passwords and change them daily, you've eliminated a potential weak spot. But you've also annoyed your employees and made life much more difficult for your tech support department.

Security in the IT arena is a continuum. Imagine a line with "ease-of-use" on one side and "secure use" on the other. Essentially, you choose your preferred spot on that line. All security is imperfect, and proper security strategies always include factors like physical security and user education. There is no panacea.

"Black hat" spam

Appropriate security doesn't follow a set pattern, because the level of security required is often specific to the task at hand. But just as e-mail has become essential to the enterprise, spam has infiltrated that space of effective communication. And just as "white hat" hackers (benign computer-jockeys) were joined by "black hat" hackers looking to cause damage, so relatively benign spam has been augmented by dangerous unsolicited e-mail.

The biggest danger is phishing: embedded links within e-mails that lead to Web sites designed to con Netizens out of privileged information. Other e-mail nasties include attachments loaded with worms and viruses. We know we sound like a broken record, but firms need to educate their employees not to click on unexpected attachments, and never to click on links embedded in e-mail.

Hunting your money

The Web site of the Hong Kong Monetary Authority (HKMA) reports a total of 29 fraudulent Web sites in 2004. But from January 5 through February 25 of 2005, a total of six additional bogus Web sites were named on the HKMA's site. The reported sites were all spoofing financial institutions, with the aim of prying sensitive information such as account numbers and passwords.

"E-mail is a mission-critical tool for enterprises," said Rob Pregnell, senior product marketing manager, Asia Pacific, secure content management solutions, Symantec. "Spam and phishing attacks threaten its viability."

Government steps

A press release issued by the HKSAR's Commerce, Industry and Technology Bureau (CITB) in February 2005 detailed a governmental antispam campaign built around the acronym "STEPS". John Tsang, secretary for commerce, industry and technology, outlined the scheme during a luncheon meeting organized by six ICT organizations. Mr Tsang said spamming was a problem that had affected almost everyone in Hong Kong.

The global nature of the Internet has changed the face of both spam and cybercrime. Tsang said that his bureau planned to sign a multilateral antispam MOU in concert with other countries.

Pregnell noted that regional domains can play a part in security strategies. "Say an unwanted e-mail arrives with an unsubscribe option," he said. "With an .au domain, I'm more likely to follow through as I feel more confident that a company with an Australian domain will actually honor that request, rather than just add me to more spam lists."

"This MOU will facilitate co-operation among Asia-Pacific signatories on many fronts in tackling the spam problem," declared Tsang. "We will continue to develop international partnerships and play a leading role in the fight against spam," he said.

The Hong Kong government rep said that the proposed legislation would "prevent Hong Kong from becoming a safe haven sheltering illicit spammers."

"We have an open mind on the exact form and content of the legislation," said Tsang, "but the key is to strike the right balance between the need to discourage spamming and to enable legitimate e-marketing activities to develop properly."

"Our aim is to work out a legislative framework which is largely acceptable to different stakeholders before we proceed to draft the legislation," said Tsang. "We will engage representative stakeholder groups over the next few months for detailed and pragmatic discussions."

"We intend to introduce the full draft legislation into the Legislative Council some time next year," Tsang concluded.

Different phish species

"Spear phishing is the next growth area in Internet fraud," said Andy Lake, director of partners for MessageLabs, Asia Pacific. Lake said that this latest wrinkle in cybercrime eschewed "the traditional approach of casting large nets far and wide" in favor of "a new trend with phishers sending more targeted e-mails to businesses, designed to appear as though they were sent by another member of staff at the same organization, typically from the IT or HR departments."

"Spear phishing is designed to bamboozle unsuspecting 'colleagues' into revealing information that will give the perpetrator access into secure areas of corporate networks, such as usernames and passwords," said Lake. "Not only are the individual's details potentially compromised, it can also lead to theft of intellectual property and other sensitive corporate information."
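The two warnings in this story, embedded links that lead somewhere other than where they appear to (see "Black hat" spam above) and spear-phishing mail that poses as a colleague from IT or HR, can both be turned into simple mail-triage checks. The following is an added example written for this page; it is not code from the article, Symantec or MessageLabs. The internal domain `example-corp.test`, the department keyword list, the two sample messages and the last-two-labels domain comparison are all constructed assumptions, and the checks are heuristics to support user education and review, not a complete filter.

```python
"""Triage checks for deceptive embedded links and spoofed internal senders.
Added example; heuristics only, not a production spam filter."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own mail domain (constructed placeholder).
INTERNAL_DOMAINS = {"example-corp.test"}
# Assumption: department names a spear-phisher might borrow for the display name.
DEPT_RE = re.compile(r"\b(IT|HR|helpdesk|support|payroll)\b", re.I)
# A domain-looking token in the visible link text, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    # Crude comparison on the last two labels (assumption: no public-suffix list).
    return ".".join(host.lower().strip(".").split(".")[-2:])


def suspicious_links(html):
    """Return (href, reason) for each link whose target disagrees with what the reader sees."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append((href, "target is a raw IP address"))
        elif "@" in url.netloc:
            findings.append((href, "userinfo before '@' hides the real host %s" % host))
        else:
            m = DOMAIN_RE.search(text)
            if host and m and _registrable(m.group(1)) != _registrable(host):
                findings.append((href, "visible text names %s but target is %s" % (m.group(1), host)))
    return findings


def suspicious_sender(msg):
    """Flag a department-style display name on an external address, and a Reply-To
    that diverts replies from an internal From address to an outside domain."""
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reply_dom = reply.rsplit("@", 1)[-1].lower() if "@" in reply else ""
    reasons = []
    if DEPT_RE.search(name) and from_dom not in INTERNAL_DOMAINS:
        reasons.append("display name '%s' but sender domain %s is external" % (name, from_dom))
    if reply_dom and from_dom in INTERNAL_DOMAINS and reply_dom not in INTERNAL_DOMAINS:
        reasons.append("Reply-To diverts replies to external domain %s" % reply_dom)
    return reasons


def triage(raw_message):
    """Run both checks on a single-part text/html message (no transfer encoding)."""
    msg = message_from_string(raw_message)
    return {"sender": suspicious_sender(msg), "links": suspicious_links(msg.get_payload())}


# Constructed sample mimicking the "IT department" lure described above.
SAMPLE = """\
From: IT Helpdesk <helpdesk@mail-security-update.test>
To: staff@example-corp.test
Subject: Password expiry notice
Content-Type: text/html

<p>Your password expires today. Verify it at
<a href="http://198.51.100.7/login">https://intranet.example-corp.test/login</a>,
at <a href="https://login.example-corp.test.evil.test/">login.example-corp.test</a>,
or via <a href="http://example-corp.test@evil.test/">this link</a>.</p>
"""

# Constructed benign internal notice, for comparison.
CLEAN = """\
From: HR Team <hr@example-corp.test>
To: staff@example-corp.test
Subject: Holiday schedule
Content-Type: text/html

<p>The schedule is on the <a href="https://intranet.example-corp.test/hr">intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(label, triage(raw))
```

Run as a script, the sample lure yields one sender finding (an "IT Helpdesk" display name on an outside domain) and three link findings (a raw IP target, a lookalike subdomain whose registrable domain differs from the text, and a userinfo trick); the clean notice yields none. The point for user education is the same one the article makes: the text of a link and the name on a message prove nothing about where they actually go.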

Senior savvy

So which group of Netizens is more susceptible to spam-delivered scams: switched-on cyberkiddies or senior citizens? Pregnell: "A Symantec survey of 1,000 Internet users in various age groups (18-29, 30-49, 50-64, and 65 and older) revealed that seniors are the most spam-savvy online demographic compared to other age groups."

Pregnell broke down the savvy seniors' e-mail habits: "When asked whether or not they have clicked on a link in an unsolicited e-mail to get more information, those who said they had included 38 percent of Internet users between the ages of 18 and 29, 34 percent between the ages of 30 and 49, 38 percent between the ages of 50 and 64, but only 23 percent ages 65 and older."

And, "when asked whether or not they have responded to an e-mail offer, but later found it was phony or fraudulent, those who said yes included 21 percent in the 18-29 age group, 19 percent in the 30-49 age group, 19 percent in the 50-64 age group, but only 13 percent of seniors."

Perhaps it makes sense. After all, our elders have seen more monsoons than we.

IDG staff contributed to this story.