[ISN] Thai hackers can escape through legal loopholes

InfoSec News isn at c4i.org
Wed Nov 16 02:18:19 EST 2005


http://www.bangkokpost.com/Database/16Nov2005_data83.php

DON SAMBANDARAKSA 
16 November 2005

Thai law still does not recognise the ``stealing'' of data, allowing
cyber criminals go unpunished when caught, according to Rom Hiranpruk,
assistant president of the National Science and Technology Development
Agency (NSTDA). He also noted that it was a misconception that most
cybercrime is carried out by someone on the outside attacking an
organisation's systems. In fact, two-thirds of security incidents come
from internal sources, he said.

Dr Rom was speaking at a press event to announce the 5th Annual Cyber
Defence Initiative Conference 2005 (CDIC 2005), which will be held at
the Bangkok Convention Centre, Sofitel Central Ladprao on 23-24
November.

The event is jointly hosted by Software Park Thailand, the National
Intelligence Agency, the Thai Webmaster Association and security
specialists ACIS Professional Centre.

Dr Rom used the example of a high-profile case a few years back
regarding TrueType fonts, which was only accepted by the courts at all
because TrueType fonts have some programming logic in them. This was
deemed by the courts as being a computer program _ something which was
protected by law.

He also said that Thailand was sorely lacking in a national security
infrastructure, most notably a certificate authority (CA) for digital
signatures. Without the passage of cyber laws, there is no business
case for any commercial CA operators. Without CAs, banks and financial
institutions that should now be relying on digital signatures will not
be able to expand or interact with confidence.

Mr Somya Patanaworapan from the National Intelligence Agency told the
media that information warfare was now a major threat to the stability
of the country. Misinformation from organizations such as PULO had to
be filtered out to protect the public, he claimed.

``The only way to control them is to keep tabs on their leaders,''
Somya explained, noting that when you close down one web site another
derivative will pop up.

For instance, the latest variant of PULO is the Pattana-Malayu Human
Rights Organization (PMHRO), which tries to conceal damaging
separatist talk amid human rights rhetoric.

Somya said that the Internet was only one small channel of
disseminating information _ PMHRO regularly distributes video CDs
throughout the south to spread its message.

Meanwhile, Police Colonel Yanaphon Youngyuen, director of the
Department of Special Investigation's Hi-Tech Crime Bureau, also noted
that most crime was in fact internal, and that there were few laws in
place to prosecute.

He also explained how real cyber-crime was quite different from the
popularised image of the ``hacker geek'' stereotype. A lot of cyber
crime dealt in information _ pimping, girlfriend-for-rent and spam
spoofing _ or where a competitor sends out commercials in a rival's
name so that their email is eventually blacklisted.

Yanaphon spoke of one case where an engineer moved from Orange to DTAC
and then to AIS, leaving back doors in the computer systems as he
moved. The person then used this to gather insider information for
project bidding.

Prinya Hom-Anek, from ACIS, a leading local security consultant and
trainer, said that there was a growing need to keep information as
forensic evidence due to the passage of the Sarbanes-Oxley Act in the
US. Any company dealing with US partners automatically needs to
comply. All four experts will be speaking at the two-day CDIC 2005.

Details: www.acisonline.net/cdic2005





More information about the ISN mailing list