Monday, May 1, 2000
Think Tank
This week we focus on a complete analysis of the e-security industry

How secure is the Net? 

 
The gross neglect of security on the Net has the potential to cause huge losses.

By Flynn Remedios

How secure is the Internet? This is a question that is asked at almost every other seminar or conference on e-commerce. I think the question should be reworded to read, 'How insecure is the Internet?'

Is it safe to buy and sell on the Net? Should I make a purchase using my credit card? What are my liabilities? And so on and so forth.

While I wouldn't want to dissuade people from buying and selling on the Net, I have to tell them that it is not always safe to do so.

Besides, the onus lies on the customer, as most B2C enterprises wouldn't want to hold themselves responsible for any fraud in an online transaction.

Worse still, if the transacting parties are in two different countries, for example an Indian customer buying from Amazon.com, the case becomes all the more complex.

According to a survey conducted by Nasscom (National Association of Software and Service Companies), even IT-intensive companies in India spend less than 0.1 per cent of their revenues on security. The situation is only slightly better in developed nations like the US, where the overall spending is around 5 per cent.

The main reason for this is the ignorance and lackadaisical attitude of most senior managers, network administrators and CIOs. Till recently, the 'IT in-charge' portfolio in an organisation was one at the middle or even lower management level. As a result, even if the man in charge was aware of the issues, he was not able to implement solutions, as he couldn't make the necessary budgetary allocations. Only very recently have organisations adopted in their management hierarchy a CIO who reports directly to the MD or CEO.

In the US, the government has special budgets for Internet security. This year it is about $2 billion. In countries like ours, politicians have yet to wake up to the issue. A glaring example is the lack of any IT law in the country and the inordinate delay in passing the IT bill. This when IT, Internet, and software are tunes that every other politician in the country would like to sing.

The lack of basic technical knowledge on Internet and intranetwork security is also partly responsible for all the insecure networks around.

Ask any conventional network administrator and he wouldn't even be aware of the fact that his corporate network has multiple, unguarded ports, which are every hacker's dream come true.

On several websites, entire directory listings are available, simply because the web master is unaware of the simple tech rule concerning hiding or disabling root directory rights to general or guest users.

Many corporate networks do not isolate their local or internal network from the web server. As a result a hacker who manages to get root or supervisor rights on the web server can very easily log on to the internal network and even get hold of the entire database.

Similarly, many B2C outfits doing business on the Net do not immediately transfer credit card and other data to a secured server. The data remains, sometimes for months, on the web server, which, since it is not firewalled, is accessible to any hacker with even basic programming and networking knowledge.

"Everyone on the net is vulnerable," said Assistant US Attorney Allison Burroughs at a recent international conference on Internet Security, voicing the concerns of the entire networked world. However, the ramifications of Burroughs' statement are yet to sink in. This is amply indicated by the fact that even after the recent attacks on Yahoo and eBay, not many organisations rushed to purchase and implement security solutions.

In the US, a recent survey had revealed that more than 62 per cent of US companies have reported security breaches in the last year with resulting financial damages crossing $124 million. "The actual figure is very much higher," Burroughs had claimed at the conference. This is because security breaches get reported only when some damage is done. Many times, hackers may crack into a system, and copy data or files, without leaving any trace and the network administrator wouldn't be any wiser.

International computer crime experts agree that identifying and nailing cyber criminals is much more difficult than tailing criminals in the real world.

Given the fact that most corporate servers, web sites and online payment conduits are unprotected, it is only a matter of time before someone somewhere wakes up to realise that billions of dollars were siphoned off during the night, from thousands of user accounts across the world.

Flynn Remedios is an Internet security consultant with Karrox Technologies.

© Copyright 1999: Indian Express Newspaper (Bombay) Ltd. All rights reserved throughout the world.
This entire edition is compiled in Mumbai by The Indian Express Online Media Limited, a division of
The Indian Express Group of Newspapers. Managed by The Indian Express Online Media Limited and hosted by CerfNet.