First published: 23rd March 2012
Police are investigating cyber attacks on the Chinese Gold and Silver Society, which operates Hong Kong's biggest commodities trading floor, and their traders.
Exchange chief executive Haywood Cheung Tak-hay said that eight members suffered serious attacks over the last two weeks. Before then, there were only minor attacks on one or two members. The incidents were reported to the Police on 16 March and included posting false rumours about exchange members being investigated by the Independent Commission Against Corruption (ICAC) and denial-of-service attacks against online trading systems. The criminals followed up the attacks with extortion demands for HK$100,000. Cheung said that the attacks probably originated from China, Australia and New Zealand.
It is reported that the exchange is installing anti-spam software as a prevention method. The Police emphasised its cooperative efforts with specialists to counter the rise of similar crimes, with a spokesperson saying, "Given the increase in such cases, the police held many discussions with industry players over the past year. With the co-operation of IT specialists, the police enabled e-commerce entities to increase their ability to counter cyberattacks."
In an editorial on the attacks, local English-language newspaper the South China Morning Post expressed its opinion of the attackers:
But when it comes to internet security, nothing is more dangerous than complacency. Perhaps, for that reason, while hackers are criminals, they should also be thanked. If it were not for their dogged determination to break through security barriers, whether for the thrill or the challenge, to vandalise or to steal data, they at least highlight vulnerabilities that have been overlooked. It is for this reason that some firms hire hackers to seek out failings so that websites can be as watertight as possible.
Yui Kee's chief consultant hit out at the newspaper's attitude, "I think it is deplorable that a respected newspaper is advising hiring known criminals for their criminal knowledge. How is this different to paying the extortion? There are people who specialise in breaking into systems that have never committed a crime, sometimes they are called Penetration Testers, or White Hat Hackers, or Ethical Hackers, but they need a broader range of skills than a criminal hacker. A criminal hacker merely needs to find a single hole in the defences to make a successful attack, and some know less than that, merely being 'script kiddies' that can run tools created by more skilled people. A diligent penetration tester will try to find every possible hole in the target's defences, identifying them so that they can be fixed. If you are burgled, do you buy new locks from your burglar?"
Note: It is not possible to provide a permanent link to the South China Morning Post articles referred to here because the paper's website uses temporary links and has a paywall. The news item was headlined, "Hackers bombard gold exchange" and the editorial was, "Complacency puts websites in danger", both published on 23 March 2012.