Hackers have started to target specific government personnel, as opposed to simply using broad scattergun approaches, the Australian Customs and Border Protection Service warned this week.
"We're still seeing a broad spray of attacks across the
organisation, but we're also seeing individuals being targeted for
certain job types. For example, in the finance department we are
seeing specific financial attacks across the area," the agency's
manager of technical security and design Matthew Brunckhorst told
the AusCERT 2009 conference on the Gold Coast this week.
Customs is one of Australia's largest government departments. It
collected $6.6 billion in revenues last year.
Brunckhorst said as far back as 2007 he'd noticed that the
devices of key staff who had access to the agency's
multi-billion-dollar coffers were being targeted. More recently he
said the agency had received a "flurry" of United Parcel Services
of America spam, which wasn't targeted, "but within that, we saw
specific malware that was targeting specific people".
The public servant's role at the agency since 2006 has been to
improve Customs' information security practices following issues
with its Integrated Cargo System in 2005.
The system is used to process incoming cargo to Australia, and
has the potential to become a bottleneck to the wider shipping and
air freight industries. While the 2005 outage wasn't caused by a
malware infection, the system is considered a potential target and,
given the country's reliance on it, a high risk.
"We want to stop organised crime from getting and collecting
that money and to ensure the systems, such as particle detectors,
are sound," Brunckhorst explained.
The commercial motive that has driven online crime and the
growth in malware in recent years has changed how Brunckhorst views
malware threats. In 2005, Customs' gateway was hit by around
658,000 instances of malware, dominated by the ZAFI.D worm,
Netsky.P and SOBER.I. The same pieces of malware have remained at
the top ever since.
"Big surprise," said Brunckhorst. "We're another organisation. At
the gateway [these figures] just illustrates global trends. What
we've seen is that old malware won't die." What those figures
didn't reveal was the less common malware that made it inside the
agency and wasn't on the agency's top 10 list.
"These figures don't show the small, well-planned attacks
against infrastructure," said Brunckhorst. "It doesn't show the ones
that pass the gateway, including the 'weaponisation' of USB keys,
for example, when staff pick up a USB from a conference. And it
doesn't show when staff bring a computer home to roost. We have
people travelling on a regular basis and they do bring malware home."
Indeed, at last year's AusCERT conference some 30 "autorun"
malware-infected USBs had been handed out by Telstra. Brunckhorst had
planned to reveal further information to delegates about the technical
aspects of these threats and Customs' response, but was ordered by the
agency to refrain from doing so.
His advice for handling both the onslaught of malware at the
gateway and for targeted attacks was for organisations to use
multiple antivirus engines, patching and staff training.
"I know it sounds early 2000, but [IT departments] are still
reluctant to patch due to the impact it has on customised software.
But please patch, because it does make a big difference, especially
for pointed malware," he said.
Meanwhile, training has included teaching 15 staff to
reverse-engineer malware, and also creating a clear chain of
command. "In the past we had far too many chiefs and not enough
Indians. You need someone who is the go-to guy," said
Brunckhorst.
Customs was also one of the few large Australian organisations
to adopt Vista on the desktop. Brunckhorst said that Vista, from a
malware perspective, had been "pretty good" and that the new User
Account Control features "had a positive effect".
He also said that Customs had not advised staff that they had
been targeted until the situation had been remedied because it
didn't want those that had been targeted to panic.