Reflections: Husin Jazri, NISER

The trend towards mobile access of information using a personal digital assistant/smart phone type device will further push the thin client concept to a higher level. -- Husin Jazri, director of National ICT Security and Emergency Response Centre, Ministry of Science Technology and Innovation, Malaysia
Written by Staff , Contributor
CIO 1-on-1 Q. Which emerging technology was over-hyped in 2005, and why?
It is difficult to assess the success or failure of new emerging technologies since they are new, what more to assess it within a year. It may be that the benefits of a new emerging technology have not been fully explained to potential users, so this does not mean the technology is a failure. A technology may become a failure when another new emerging technology replaces it.

Husin Jazri, director of National ICT Security and Emergency Response Centre, Ministry of Science Technology and Innovation, Malaysia, hopes tech vendors will consider security at the start of the product design life cycle

Technologies like Bluetooth have not really picked up this year, but this is no indication they have completely failed. Nevertheless, wireless technologies and applications are on the rise and will continue to do so in the next year.

What were the top three security issues in 2005?
They were:

  1. Fraud, mainly phishing activities. As of October 2005, we [NISER] received a total of 116 reports on fraud activities compared to 106 reports in 2004, of which about 80 percent represented phishing activities. Phishing activities became an issue in 2005 due to a number of reasons. Firstly, the free availability of tools/techniques on the Internet, which can be used to launch the activity, easily and quickly. Secondly, the availability of many poorly secured and vulnerable machines around the globe, which has become a target to phishers that can be used to to set up phishing sites. Thirdly, poor awareness among Internet users on phishing threats.
  2. Intrusion, mainly Web defacements of private and government Web sites. A total of 456 reports were received on intrusion as of October 2005, with a majority involving Web defacements. This is due to Web sites running on machines that were not properly secured and proper patches/fixes/upgrades were not applied to the machine. Freely available tools/techniques on the Internet that can be used to deface Web sites was also another contributing factor to this issue.
  3. Hacking threats. We observed an increasing number of reports on hacking threats which includes port scannings that look for open ports that can be exploited. Other types of hacking threats that we observed were vulnerability scannings which looked for vulnerable machines that could be compromised. We received a total of 74 reports on hacking threats as of October 2005. Port scannings were carried out due to the release of new exploits to the Internet, which gave attackers a chance to scan/look for vulnerable machines that can be exploited.

Q. What will be the top three technology trends/issues in 2006?
The first is fraud, mainly phishing activities, which will be an issue in 2006. This is due to three reasons. One, the increase in new phishing trends that will emerge in 2006. There will be more sophisticated techniques such as blended social engineering, technical subterfuge attack, automated systems based on trojaning schemes, session hijacking systems and Trojan-type phishing systems. Two, we expect an increase in Internet banking, which means banking customers will increasingly become attractive targets to phishers; and three, high motivation among attackers for illegal financial gain is on the rise.

Besides phishing, other types of fraud such as credit card fraud and other Internet scams will be a threat in 2006 as well.

Besides phishing, other types of fraud such as credit card fraud and other Internet scams will be a threat in 2006 as well.

Wireless based threats will also be an issue in 2006, where privacy information transmitted will be intercepted illegally at hotspots centers and other related installations of wireless communication. This is due to two main reasons. One, many wireless devices are not configured securely by default, but instead designed more for ease of use. As a result, default installation of WLAN (wireless local area network) technology can be highly unsecured, which can allow an attacker to compromise a wireless host or network. The other reason is that many wireless hotspots do not use encryption in protecting the data transmitted over the network. This is the case particularly for e-mail services where passwords are not encrypted and, when sent over the wireless network at a hotspot, is very prone to intercept.

We also expect to see intrusions, mainly Web defacements, and unpatched and poorly secured Web servers. This is due to more exploits being discovered related to Web servers/applications and the increasing number of sophisticated tools available freely on the Internet that can be used to deface poorly secured websites in a short time.

Q. What do you wish to see from tech vendors in 2006?
I would like to see technology vendors consider security from the beginning of the design life cycle, and to make the technology less complex. No matter how sophisticated a technology can be, it will be less effective if the security aspect is neglected.

I also would like to see technology vendors come up with quick and effective patches/fixes once an exploit/vulnerability is discovered, in other sense to reduce as much possible the time gap between the discovery of an exploit/vulnerability and finding of a patch/fix for the exploit.

Last but not least, I would like more secure applications being developed for mobile devices and in securing wireless communication.

Editorial standards