Be afraid. Be very afraid. Online criminals are after your personal data. They’re smart. They’re professional. They’re efficient. Meanwhile, those guarding your data are overloaded, under-coordinated and, often, under-trained.
According to Graham Ingram, General Manager of AusCERT, the “computer emergency response team” that responds to hacker attacks, the real growth in cybercrime is the theft of identity-related information. “If you’ve got this raw information here, well, guess what? You can manufacture identities,” he says.
Ingram, addressing the eCrime Symposium in Sydney this morning, spent 15 years with ASIO, plus time with the Defence Signals Directorate. “I’ve seen it all,” he says, “and I’m still stunned by what I’m seeing today.”
The targets aren’t the secure systems at banks, health providers and the government. “Your machines at home, this is what they’re targeting,” warns Ingram. “I’m not that worried about the banks … The thing that worries me terribly is all the online services … Information is the money of the internet, it’s what criminals are stealing.”
As Crikey has reported, 80% of spam is sent using networks of “borrowed” computers called botnets. Much of that spam is designed to persuade you to click on a link to a website — a website that’s hosting malicious software, or “malware”, that will in turn infect your computer.
Once your computer’s infected, every keystroke and mouse movement can be logged and sent to the bad guys. Your computer, in turn, becomes part of the botnet.
Even if your protection is up to date, there’s still a good chance you’ll be infected. Malware is tested against market-leading anti-virus software before release, making sure it will evade detection. These “zero-day exploits” are then sold to the highest bidder.
With ten thousand new malware items released daily, and new infections spreading in minutes, not hours, it’s hard for anti-virus vendors to keep up.
“This malware is really good stuff, just take it from me,” says Ingram. “Computer engineers are developing this stuff, that’s the quality we’re dealing with.”
One infection, for example, injects extra code into an internet banking site. Everything about the site looks OK, because it is the bank’s legitimate site, and all the action happens on your infected computer. Except for the extra form fields requesting your ATM card PIN and mother’s maiden name. Those details go straight back to the criminals.
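The form-field injection Ingram describes happens entirely inside the victim’s browser, so one defensive check is to compare the fields a page actually shows against the fields the bank’s form is known to contain. The following is an added illustration, not code from the article or from any bank; the field names, labels and risk patterns are constructed assumptions.

```javascript
// Added example: flag form fields that a browser-side infection has injected
// into an otherwise legitimate banking page.
// Assumption (constructed): the bank's genuine login form asks only for a
// customer number and a password.
const EXPECTED_FIELDS = new Set(["customer_id", "password"]);

// Data a legitimate login page should never ask for; a field whose name or
// label matches one of these is flagged as high risk.
const HIGH_RISK_PATTERNS = [/pin/i, /maiden/i, /card.?number/i, /cvv/i];

// Takes the inputs observed on the page (in a browser these would come from
// document.querySelectorAll("input")) and returns every field that is not
// part of the known form, marking those that look like credential harvesting.
function findInjectedFields(observedInputs) {
  return observedInputs
    .filter((input) => !EXPECTED_FIELDS.has(input.name))
    .map((input) => ({
      name: input.name,
      label: input.label,
      highRisk: HIGH_RISK_PATTERNS.some(
        (re) => re.test(input.name) || re.test(input.label)
      ),
    }));
}

// Constructed snapshot of a login form after infection: the first two fields
// are the bank's own, the last two were added client-side by the malware.
const SAMPLE_INPUTS = [
  { name: "customer_id", label: "Customer number" },
  { name: "password", label: "Password" },
  { name: "atm_pin", label: "ATM card PIN" },
  { name: "mother_maiden", label: "Mother's maiden name" },
];

console.log(findInjectedFields(SAMPLE_INPUTS));
```

An unexpected field on a page you did not change is a strong signal that the rendering client, not the server, is compromised.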
UK banks are now seeing criminals correlating data captured from different malware runs, compiling detailed personal profiles. That information is then used to target specific individuals in corporations with an email that looks so legitimate they can’t help but click through — targeting, say, the CFO who knows about planned company mergers or the discovery of a new oil field. The aim? Advantage on the stock market.
One problem is the low level of security awareness amongst web developers. Even supposedly “trustworthy” websites end up hosting malware, as the Sydney Opera House’s did in 2007. No customer data was disclosed, SOH reassured us, but that missed the point. The aim was to infect visitors’ computers.
“One of the top-20 traffic sites in this country was infected with malware over about a six-week period,” Ingram says.
“Do you think that these people are in any way afraid of law enforcement? The answer is no. Law enforcement catches the local copy-cats, but the real experts are untouchable.”
Nicholas Cowdery, Director of the NSW Office of the Department of Public Prosecution, says the best deterrent to any kind of criminal offending is the certainty of detection. “It’s not the level of penalties, that’s the politicians’ spin on it. It’s knowing that you’re going to be caught,” says Cowdery.
The problem there, though, is that there’s still no national approach to detecting and dealing with attacks. AusCERT and other information security organisations are doing it alone.
“We regard ourselves as the fire brigade,” says Ingram. “We put out the fires and clean up the mess. What we really need is for law enforcement to stop the arsonists. Law enforcement is not functioning in the area we deal with.”
And if you think it’s bad now…
“The level of malware is directly proportional to the level of broadband penetration,” says Ingram. Malware often tests the connection speed of the computers it infects, and the crims don’t bother using slow ones.
“Everything we’ve talked about today will be on steroids when we have a National Broadband Network.”
“The level of malware is directly proportional to the level of broadband penetration,” says Ingram. Try directly proportional to the number of computers running versions of Windows. FFS, are Microsoft and Windows the words that dare not speak their name? Another article about the internet and computer security that doesn’t mention either word. Microsoft products dominate the desktop and personal computer world. There are fewer than 1000 items of malware that could affect Unix, Linux or OS X, and they are fairly rare and not often seen. There are millions for Windows, most developed by professionals, and in turn they will affect many millions of computers, both personal and corporate based. There are millions of machines out there running illegal and unpatched versions of Windows that allow even easier propagation of any type of malware. The entire computing world and network we call the internet would be a lot better off and easier to secure if it wasn’t an inbred monoculture at the user end points.
If the money to be allocated to Conroy’s censorship regime was directed to law enforcement in this area, he’d at least be doing something useful for a change.
Gail, the reason that criminals target Microsoft and Windows is that it is the default standard for the world’s computers.
If somehow the world woke up tomorrow and Linux had replaced Windows, then criminals would immediately begin writing programs to hack Linux.
The criminals follow the money, and the world’s computing is done, by and large, on Windows, no matter how much the Microsoft detractors would hate to admit it.
Microsoft is hardly blameless, but criticising them for being successful and therefore somehow complicit in the vast growth of malware, spyware and botnets is somewhat disingenuous.
Michael James has already said what I’d have said in relation to Windows. While Windows remains the most popular operating system, it’ll remain the main target. And since that’s already providing millions of compromised computers for the bad guys to use, why spend the effort elsewhere?
Yes, Windows has certain vulnerabilities that Apple’s OS X and Linux don’t. However security is mostly about human behaviour, not technology. No matter how “secure” the operating system, if the user can be persuaded to install the intruder’s software then it’s still game over. Tests by security professionals continue to show that even supposedly secure environments such as police stations can easily be penetrated by clever “social engineering” tricks, as they’re called.
Just as Telstra pushes payment by credit card on the web for monthly bills. Nice.