Inside CERT Australia
The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught.
(Handshake image, by Johnny Magnusson, public domain)
The agency that keeps tabs on the vulnerabilities is the Computer Emergency Response Team (CERT) Australia, formed in 2009 to be a trusted ear in which organisations from around the world could whisper information on ruinous security threats that would otherwise remain secret. It functions also as a clearing house for security notifications from other CERTs around the world.
Yet we don't hear much about it. Since its inception, the agency has kept tight-lipped on its operations, and not without cause. The agency has knowledge of security vulnerabilities that, if publicly disclosed, could grind significant elements of cyber crime to a halt. The holes could pull the rug from industry scourges like spam and fraud botnets, and prevent possible hacking attacks on the nation's big four banks and countless corporate giants.
But in the game of security subterfuge, the vulnerabilities may be more valuable if they are kept hidden and used as a means to track skittish cyber criminals. The inevitable risk that withholding the threat places on you and me can be worth it for the chance to take-down a big target.
"The reason some vulnerabilities are confidential is the minute the bad guys know people have tripped over them, they will change their techniques" says Mike Rothery, of the Attorney-General's Department whose division has responsibility for CERT Australia headed by Ms Deborah Anton. "If the vulnerabilities were known, criminals could go and write malware for it before it is fixed."
The information is even withheld from the global CERT community, which has chapters in most countries. It is typically disclosed once the threat of exposure is deemed to have fallen, a decision that is reviewed on a daily basis.
Yet some victims are too valuable to be sacrificial lambs. Australia cannot afford to suffer damage to its critical infrastructure, including power, water, energy, telecommunications and transport. The impact of a network attack on these could be devastating, and CERT Australia's job is to keep them informed on these sensitive security threats.
"If we become aware of control nodes for botnets or those that harvest data that is being ex-filtrated out of a network, we will pass that information on so that it can be blocked at firewalls and organisations can see if they have a compromised machine," Rothery said. "We need to allow organisations to exploit known information on threats through our advisories for as long as possible."
The agency issued 23 security advisories in the last six months of varying severity to a handful of state and private sector organisations that are listed in the Attorney-Generals' "Trusted Information Sharing Network". Those privy to the information must sign non-disclosure agreements.
"We are not just restating things you will get from security bulletins from hardware and software vendors. It may include additional information about a vendor patch which, although the company may not publicly say, will mitigate a nasty vulnerability that is has the potential to be exploited."
Australia's critical infrastructure operators will be tipped-off to the presence of these silent patches and told to implement them immediately. Some organisations may take months to roll out the same fix, or even ignore it completely.
The privileged group of more than 300 companies under CERT Australia's wing is expanding, but it does not plan to offer the secretive information more broadly.
It chooses organisations based primarily on the importance they hold to Australia, and then by the likelihood that they will be attacked. This process is fluid, so if CERT Australia notices an attack targeting, for instance, a coal excavation company it will bring it into the fold, and then look to neighbouring miners that may also be targeted.
The mining sector is currently under consideration to be covered by CERT Australia, along with major banks.
"The effects on the community if someone attacks mining would be significant," Rothery said.
Discussions with the finance sector have only recently emerged, and surprisingly centre on the physical security of the industry datacentres. One of the specific concerns is how a bank may protect or deal with an attack against an air-conditioning system charged with the vital role of keeping a datacentre cool.
Once an organisation has joined CERT Australia, it may be invited to send its engineers off to get hands-on experience dealing with complex and targeted attacks against SCADA infrastructure at the United States Government's Idaho National Laboratory — the same lab used to create the Stuxnet worm, according to the New York Times.
To date, 200 people have been trained courtesy of the Federal Government and a further 30 will be sent this year. Rothery said the training has a ripple effect, since those trained will likely move through industries and help teach others how to protect SCADA networks.
The agency will also turn its focus onto consumers, creating many government-run public security education campaigns. It will produce books and alerts that form the backbone of campaigns such as Fraud Awareness Week.
CERT's "toe in the water" was the booklet "Protecting Yourself Online", produced during cybersafety awareness week. It will be updated this year to include the internet service provider iCode agreement.
It will also produce business and consumer advisories through the Stay Smart Online website, which has been the stomping ground of AusCERT. Rothery said the advisories will "supplement" AusCERT notices.