An e-security expert says SA organisations face a one-in-20 chance of falling victim to cybercriminals, writes Lynne Rippenaar
Mr. Twig, a South African hacker who seems to have had his heart broken, has decided to profess his love on the website of the Internet Corporation for Assigned Names and Numbers, managing to deface the site as he tries to woo back his lover.
But while the young suspect, believed to be based in Cape Town, may evoke some sympathy from the jilted, the extent of damage hackers like him cause to corporations is exorbitant. Mr. Twig has defaced 30 sites over the past two years, and has threatened to attack another 1 000 vulnerable local sites. Two years ago Edgars, the clothing retailer, lost about R1-million in revenue after a computer programmer brought down the systems of more than 600 stores for a day.
The good news is that professional hackers involved in industrial espionage in SA are few and far between. The bad news is that anyone who wants to try his or her hand at hacking can load information from the Internet on how to hack into systems and deface websites, and that most companies are often not aware that their systems have been hacked into.
At least 147 companies in SA were attacked in June, according to specialist technology company Computer Security and Forensic Solutions. Computer security breaches are growing at an annual rate of 60%, says the company.
Hacking has become such a concern that professional services firm Ernst and Young introduced a Counterhack course last year to equip organisations with skills to combat hackers. Mark O'Flaherty, partner in charge of e-security for Ernst and Young's Information Systems Assurance and Advisory Services, says organisations face a one-in-20 chance of being hacked and the more they understand and know about their network, the better equipped they are to protect it. "Because we believe that hacking is a major threat . . . and because we have direct access to in-house information and security experts and ex-hackers, our aim is to join forces with corporate South Africa."
He said that once a hacker has compromised a system, he or she will return through installed "back doors" and spread the word to other hackers on how to penetrate the system. What aggravates the problem is the absence of laws against hacking and the defacing of websites, making South African cyber criminals difficult to prosecute.
According to Wimpie Britz, the CEO of Computer Security and Forensic Solutions, companies can expect to spend about R10 000 to R100 000 a month on maintaining security. Reversing the defacing of a website could cost a company between R5 000 and R7 000 and may take anything from one day to one week to rectify. Finding a security breach and the plugging of the problem could take anything from one month to beyond one year. On the other hand, hackers could earn anything from R1 000 to over R1-million for information stolen per attack.
Britz says hackers are getting cleverer and gaining access to more hacking tools, freely available on the Internet. "What companies do not seem to understand is that once you've done your security, it is an ongoing (operation). It is not something you can do in July and then hope in August you are still going to be secured, because new tools are being developed on a daily basis and new exploits are being developed on a daily basis." He says hackers often use the defacing of a website as a decoy to cover up what they are doing in the system.
According to Britz, the most dangerous hacker is the professional, out to steal sensitive information such as company plans or data from large organisations and sell it to competitors or other interested parties. "From about 20 investigations that we get per month involving computer crimes being committed in companies, I would say about five revolve around industrial espionage, where information is stolen and either being used against the company for blackmailing or for financial or personal gain."
While defacing a website is an easy attack, stealing information is much more difficult to pull off.
Jaco Grobler, senior manager technology risk services at PricewaterhouseCoopers, says company losses due to hacking are not always tangible; but a company's reputation may suffer, and lost customer confidence "could cost millions in lost turnover". "Just investigating a security incident can cost many times the actual financial loss. Introducing appropriate controls after an incident will also cost a lot of money," says Grobler. Blackmailing by hackers is also becoming a big problem as hackers may start threatening prospective clients into buying their service.
Glenn Kieser, manager of Infrastructure Consulting at Microsoft SA, says that the hacking industry in SA is not as huge as hacking in the US. However, hackers still cause extensive damage to businesses if they manage to get hold of sensitive information. "If a hacker sends (companies) . . . a list of files on their servers, they must assume that the hacker has had access to more files," he said.
Microsoft itself has not escaped the clutches of hackers. In October a hacker gained access to some of the company's confidential source codes.
The South African government has also not escaped the scourge. Amanda Blom, website manager at the State Information Technology Agency, says government websites have been hacked, but that the "design of websites limited damage to embarrassment and the time required to correct" the defaced website.
Kieser also warns that hacking is moving away from a simple prank to what is considered a serious crime. "Hacking is turning very quickly from cult status, where people are revered and gain status, to where governments are passing legislation declaring hackers terrorists."