STUFF : TECHNOLOGY : DIGITAL LIVING - STORY : New Zealand's leading news and information website

STUFF : TECHNOLOGY : DIGITAL LIVING - STORY : New Zealand's leading news and information website

Avoiding bugs and bots at internet cafes
27 June 2005
By REUBEN SCHWARZ

Internet cafes have come a long way from the shabby shops with tinted windows that first sprung up in the dot-com boom. Today, many are clean and bright, marketed not at game-playing students but business people and tourists.


But don't let the gloss fool you. Like the saloons in the Wild West, the industry is still young, still unregulated, and, in some cases, still quite dangerous for the uninitiated.

An informal study of New Zealand's internet cafes by IBM showed computers in 90 per cent contained spyware and adware and in some cases more insidious programs such as trojans and keyloggers that can be used to steal passwords by recording keystrokes.

Computers in four of the cafes surveyed hadn't yet upgraded to Windows XP Service Pack 2 – showing it's not just laypeople who ignore Microsoft's advice – and two were still running Windows 98. That might not be as unsafe as it sounds, since many malware programs – adware, spyware, viruses, trojans, worms, and the like – only work on Windows XP.

Some cafes, though, do offer a secure Web experience and work hard to keep their computers clean. The industry is making tentative noises toward adopting some sort of voluntary code of compliance, a set of standards good cafes could follow to be certified – and advertise themselves to the public – as secure establishments.

"It's a good first step in getting the industry itself organised," says Liz Butterfield, director of Internet safety group Netsafe. "I think it's definitely worth exploring but we do have to be realistic about the limitations."

A code would be a good substitute for government intervention, a route some countries have chosen. In India's Bangalore, for example, cafes must record details such as name, age and address before a customer can use the Internet.

Cafes in Taipei face a raft of red tape governing their locations, access by minors, and censorship of extreme violence. Many have chosen to go underground to avoid the rules – in fact, estimates put these at three times the number of legally registered ones.

Saudi Arabia requires cafes to record IDs of customers, ostensibly to discourage terrorists, criminals, and minors from using them, though the rules seem to be widely ignored.

China also watches cafes closely, with police in one province issuing 200,000 swipe cards to monitor which sites individuals visit.

Uzbekistan requires cafe owners to ensure customers don't access "forbidden" information, and rewards owners who dob them in.

The actual number of places with public internet access in New Zealand is hard to pin down. Nationwide, the Yellow Pages lists 114 entries in the "internet cafe" category, but this doesn't include the many backpackers and libraries which have computers available for public use.

AdvertisementAdvertisementThe Yellow Pages lists 526 backpackers in New Zealand.

Some believe the computers in backpackers aren't as secure as in regular internet cafes because they're more likely to be managed by people without the necessary experience, and kept up on the cheap.

IBM New Zealand security practice leader John Martin, who conducted the informal survey of eight Auckland and two Wellington cafes, says none of the surveyed cafes displayed an acceptable use policy, though one had a dress code and another warned customers they'd be booted off if they downloaded popular file-sharing program Kazaa.

Lack of common standards is a problem. Customers by and large don't know how risky public Internet can be, and don't know what to look for in a cafe to keep safe.

"The internet seems secure and private, but it's not," Mr Martin says. "Unless you're totally aware of what's on that computer it's not in your control."

THIS could be addressed through a voluntary code of compliance to let customers know what's expected of them and that the cafe they're using meets a minimum security standard. The code could mandate regular malware sweeps, filtering of adult content, supervision of minors, and a well-protected network.

Mr Martin says a voluntary code may help win back public confidence in the cafes, damaged by a recent spate of bad press kicked off when a hacker installed a trojan on a cafe computer to gain access to customers' bank accounts. "It would be good for business."

Netsafe's Ms Butterfield says a voluntary code, if it does nothing else, would help raise public awareness of security issues. First, though, the industry must decide how to objectively and randomly audit cafes.

She believes the industry will improve over time, and customers will start avoiding unsavoury cafes and learn more about how to stay safe online. "It's not just about the conduct of the cafe owners. It's also about the conduct of cafe users," she says.

Most customers don't take the simple precautions on public computers that can prevent identity theft and bank fraud.

Mr Martin recommends users download an anti-spyware program before using any applications and that they then delete any documents and logs when they finish.

Still, there's only so much the average user can do.

"Unless you really know what you're looking for you wouldn't know it's actually there," Mr Martin says.

He wouldn't use an Internet cafe to do banking, though he would for e-mail after following these precautions.

The websites of ANZ, National and BNZ advise caution when using public computers.

Westpac advises customers check that the latest firewall, anti-virus, anti-spyware and browser software is installed. Spokesman Ian Bonnar says customers should also change their passwords on a "known secure computer as soon as possible after using a public computer".

BNZ spokesman Owen Gill goes one further, saying customers should "generally avoid Internet cafes or public computers if they are using on-line banking. They are taking a risk they don't need to take".

Maarten Kleintjes, head of the police's e-crime unit, says cafes are fine for e-mail and surfing the Web.

"But for Internet banking, we wouldn't recommend it. You have no idea about the security that these machines have."

Mr Kleintjes supports a voluntary code of compliance, with certification displayed in the window to show customers a cafe is safe.

"It'd be good for the tourists when they come here to know what Internet cafe is a safe environment to go to, because they can't go anywhere else."

Cafes contacted by NZ InfoTech were all confident their computers were secure and malware-free.

Cafes commonly restore computers daily from "ghost images" which wipe all but a set list of programs and delete anything installed by customers during the day. However, that doesn't protect customers from malware installed on the day they use the machine.

The iPlay Internet cafe in Manners Mall takes another precaution. It has proprietary software called Cafe Manager to eliminate programs not on its safe list every time someone logs on.

Manager Arona Wehipeihana says there's only been one attempt by a customer to download malware, and that was captured quickly.

Mr Wehipeihana says a voluntary code would be effective if "people realise its significance. It couldn't hurt the industry at all. It'll help everyone that complies with it."

Cyberjacks in Paraparaumu takes the unusual, but often advised, step of locking up the backs of its computers. This prevents someone from installing a hardware token to record keystrokes, such as the devices used to attempt to steal 220 million euros from the London offices of the Sumitomo Mitsui bank earlier this year.

If customers want to do online banking, owner Jackie Hunkin says they're placed on computers which haven't yet been used that day. Since the cafe restores its 24 computers from ghost images every night, these terminals will be free from malware.

Ms Hunkin says a voluntary code would be useful in allaying the public's fears. "There is a fear and if the fear is there it needs to be addressed. Personally, I think these computers here are safer than the ones they have at home."

"It's keeping up with the hackers that's the problem," she says. "It's quite hard. They're very clever people."

John Hamilton, owner of Lambton Quay's CyberSpot, doesn't restore daily from a ghost image though he's investigating doing so.

He uses another network monitoring program to ensure no one downloads malware on to his 13 machines.

He knows other public internet sites aren't as stringent with security, saying he gets customers who "come in with infected files downloaded from other cybercafes".

Mr Hamilton supports a voluntary code, calling it an "excellent idea".

"I think there really needs to be some sort of organisation that cybercafes can belong to."

That may be what it comes to in the end – some sort of national organisation to unify the splintered internet cafe industry, dictating common standards to allay the public's fears.

The saloons in the Wild West never banded together to keep criminals in line and protect the public. Can New Zealand's internet cafes?