
Thursday, 14 June 2007

Only 50% of securities companies’ websites patched: BKIS


08:31' 14/06/2007 (GMT+7)

VietNamNet Bridge – Director of the Bach Khoa Internetwork Security Centre (BKIS) Nguyen Tu Quang has rung the alarm bell over the low level of security of websites run by stock companies.

Security holes found on 12 securities companies’ websites

What would you say about the security of websites and transaction systems of stock companies and stock market management agencies?


Earlier in April we announced a report which said that security holes could be found on 12 out of 22 securities websites which can be targets for hackers. We then gave the warning that if the errors were not fixed immediately, hackers could take control over the websites at any time, causing bad consequences: they can access the websites and change the results of securities transactions, change the securities indexes and insert false information.

However, our warnings have been ignored: only half of the websites we mentioned before have been fixed. We have sent another document to the State Securities Commission (SSC) to repeat the possible damage if the websites are not fixed. In the document, we have identified the names of the websites which have fixed errors and those which have not.

Could you tell us more about the possible consequences?

We call this a systematic error, which means enterprises do not pay appropriate attention to network security, and errors may have occurred at many points of the system. For example, when installing software into a system, enterprises do not ask the producer to guarantee that the code is secure. Enterprises also do not hire independent consultants or verify software before use.

The biggest problem of securities companies lies in the websites. Hackers may penetrate the websites and then access other systems, taking advantage of the holes to change information about investors’ accounts or give false information.

The most risky problem is that we cannot precisely and quickly determine which companies hackers are attacking, because hackers are wise enough not to bring down the website; they are better off keeping the websites in place to attack through the holes.

Currently, securities transactions are carried out in the morning only and through many different levels. However, the transactions will be conducted via networks. How important will network security be then?

The more convenient the transaction system is, the more risks may appear. It would be safer if transactions were carried out at fixed hours and through many levels. However, this would inconvenience investors.

If the mentioned errors cannot be fixed, it will be very dangerous for transactions once the real-time order matching scheme is applied. Investors will also find it difficult to know which websites are safe, and which are not.

How will we punish hackers in case of a network security break-down?

We still lack a complete legal framework on this issue. Hackers now are just fined for their hacking activities. As far as I know, the Ministries of Justice and Public Security are trying to amend the laws to heavily discipline hackers.

What should securities companies do in this context?

They should be aware that it is not costly to make investment in network security. With the equipment securities companies have nowadays, they will not have to buy anything more.

I think SSC should recommend securities companies get a certificate of network security. The certificate will show investors which companies to trust.

In the long term, I think SSC should require network security from stock companies, considering the conditions the companies must have to be eligible to provide securities services.

(*) In Vietnam, when making transactions via networks or phones, investors must commit to accept risks. In case troubles related to networks occur, securities companies do not take any responsibility for clients’ losses.

(Source: VNE)
