Hackers have started to target specific government personnel, as opposed to simply using broad scattergun approaches, the Australian Customs and Border Protection Service warned this week.
We're still seeing a broad spray of attacks across the organisation, but we're also seeing individuals being targeted for certain job types.
Customs' Matthew Bunckhorst
"We're still seeing a broad spray of attacks across the organisation, but we're also seeing individuals being targeted for certain job types. For example, in the finance department we are seeing specific financial attacks across the area," the agency's manager of technical security and design Matthew Bunckhorst told the AusCERT 2009 conference on the Gold Coast this week.
Customs is one of Australia's largest government departments. It collected $6.6 billion in revenues last year.
Brunckhorst said as far back in 2007 he'd noticed that the devices of key staff who had access to the agency's multi-billion-dollar coffers were being targeted. More recently he said the agency had received a "flurry" of United Parcel Services of America spam, which wasn't targeted, "but within that, we saw specific malware that was targeting specific people".
The public servant's role at the agency since 2006 has been to improve Customs' information security practices following issues with its Integrated Cargo System in 2005.
The system is used to process incoming cargo to Australia, and has the potential to become a bottleneck to the wider shipping and air freight industries. While the 2005 outage wasn't caused by a malware infection, the system is considered a potential target and, given the country's reliance on it, a high risk.
"We want to stop organised crime from getting and collecting that money and to ensure the systems, such as particle detectors, are sound," Brunckhorst explained.
The commercial motive that has driven online crime and the growth in malware in recent years has changed how Brunckhorst views malware threats. In 2005, Customs' gateway was hit by around 658,000 instances of malware, dominated by the ZAFI.D worm, Netsky.P and SOBER.I. The same pieces of malware have remained at the top ever since.
"Big surprise," said Brunkhorst. "We're another organisation. At the gateway [these figures] just illustrates global trends. What we've seen is that old malware won't die." What those figures didn't reveal were the less common malware that made it inside the agency, which also weren't on the agency's top 10 list.
"These figures don't show the small, well-planned attacks against infrastructure," said Brunkhorst. "It doesn't show the ones that pass the gateway, including the 'weaponisation' of USB keys, for example, when staff pick up a USB from a conference. And it doesn't show when staff bring a computer home to roost. We have people travelling on a regular basis and they do bring malware home. "
We have people travelling on a regular basis and they do bring malware home
Customs' Matthew Bunckhorst
Indeed, at last year's AusCERT conference some 30 "autorun" malware-infected USBs had been handed out by Telstra. Brunckhorst had planned to reveal further information to delegates about the technical aspects of these threats and Customs' response, however, was ordered by the agency to refrain from doing so.
His advice for handling both the onslaught of malware at the gateway and for targeted attacks was for organisations to use multiple antivirus engines, patching and staff training.
"I know it sounds early 2000, but [IT departments] are still reluctant to patch due to the impact it has on customised software. But please patch, because it does make a big difference, especially for pointed malware," he said.
Meanwhile, training has included teaching 15 staff to reverse-engineer malware, and also creating a clear chain of command. "In the past we had far too many chiefs and not enough Indians. You need someone who is the go-to guy," said Brunckhorst.
Customs was also one of the only large Australian organisations to adopt Vista on the desktop. Brunkhorst said that Vista, from a malware perspective, had been "pretty good" and that the new User Account Control features "had a positive effect".
He also said that Customs had not advised staff that they had been targeted until the situation had been remedied because it didn't want those that had been targeted to panic.