Be afraid. Be very afraid. Online criminals are after your personal data. They’re smart. They’re professional. They’re efficient. Meanwhile, those guarding your data are overloaded, under-coordinated and, often, under-trained.
According to Graham Ingram, General Manager of AusCERT, the “computer emergency response team” that responds to hacker attacks, the real growth in cybercrime is the theft of identity-related information. “If you’ve got this raw information here, well, guess what? You can manufacture identities,” he says.
Ingram, addressing the eCrime Symposium in Sydney this morning, spent 15 years with ASIO, plus time with the Defence Signals Directorate. “I’ve seen it all,” he says, “and I’m still stunned by what I’m seeing today.”
The targets aren’t the secure systems at banks, health providers and the government. “Your machines at home, this is what they’re targeting,” warns Ingram. “I’m not that worried about the banks … The thing that worries me terribly is all the online services … Information is the money of the internet, it’s what criminals are stealing.”
As Crikey has reported, 80% of spam is sent using networks of “borrowed” computers called botnets. Much of that spam is designed to persuade you to click on a link to a website — a website that’s hosting malicious software, or “malware”, that will in turn infect your computer.
Once your computer’s infected, every keystroke and mouse movement can be logged and sent to the bad guys. Your computer, in turn, becomes part of the botnet.
Even if your protection is up to date, there’s still a good chance you’ll be infected. Malware is tested against market-leading anti-virus software before release, making sure it’ll evade detection. These “zero-day exploits” are then sold to the highest bidder.
With ten thousand new malware items released daily, and new infections spreading in minutes, not hours, it’s hard for anti-virus vendors to keep up.
“This malware is really good stuff, just take it from me,” says Ingram. “Computer engineers are developing this stuff, that’s the quality we’re dealing with.”
One infection, for example, injects extra code into an internet banking site. Everything about the site looks OK, because it is the bank’s legitimate site, and all the action happens on your infected computer. Except for the extra form fields requesting your ATM card PIN and mother’s maiden name. Those details go straight back to the criminals.
UK banks are now seeing criminals correlating data captured from different malware runs, compiling detailed personal profiles. That information is then used to target specific individuals in corporations with an email that looks so legitimate they can’t help but click through — targeting, say, the CFO who knows about planned company mergers or the discovery of a new oil field. The aim? Advantage on the stock market.
One problem is the low level of security awareness amongst web developers. Even supposedly “trustworthy” websites end up hosting malware, like the Sydney Opera House’s was in 2007. No customer data was disclosed, SOH reassured us, but that missed the point. The aim was to infect visitors’ computers.
“One of the top-20 traffic sites in this country was infected with malware over about a six-week period,” Ingram says.
“Do you think that these people are in any way afraid of law enforcement? The answer is no. Law enforcement catches the local copy-cats, but the real experts are untouchable.”
Nicholas Cowdery, Director of the NSW Office of the Department of Public Prosecution, says the best deterrent to any kind of criminal offending is the certainty of detection. “It’s not the level of penalties, that’s the politicians’ spin on it. It’s knowing that you’re going to be caught,” says Cowdery.
The problem there, though, is that there’s still no national approach to detecting and dealing with attacks. AusCERT and other information security organisations are doing it alone.
“We regard ourselves as the fire brigade,” says Ingram. “We put out the fires and clean up the mess. What we really need is for law enforcement to stop the arsonists. Law enforcement is not functioning in the area we deal with.”
And if you think it’s bad now…
“The level of malware is directly proportional to the level of broadband penetration,” says Ingram. Malware often tests the connection speed of the computers it infects, and the crims don’t bother using slow ones.
“Everything we’ve talked about today will be on steroids when we have a National Broadband Network.”