Fraudsters escape as laws bind AusCERT

Efforts by security sleuths AusCERT to help repatriate victims of fraud and identity theft have been torpedoed by laws preventing reverse-engineering of passwords.
Written by Darren Pauli, Contributor

Efforts by security sleuths AusCERT to inform victims of fraud and identity theft that their details have been hijacked are being torpedoed by laws preventing the reverse-engineering of passwords.

AusCERT general manager Graham Ingram (Credit: Liam Tung & Ed Tran/ZDNet Australia)

Logs contained within any malware, such as key loggers or trojans, record which information (such as credit card numbers) has been captured from each victim. This enables investigators to ascertain the identity of victims and the extent of their exposure.

These logs, however, are increasingly protected by passwords, following a trend begun around three years ago. Despite AusCERT's government recognition as a crime-fighting organisation, it is not allowed by law to crack the passwords even though they are set by criminals.

AusCERT head Graham Ingram said the logs were previously viewable in plain text, but are now stored in a protected MySQL format.

"They are encrypted and we can't break that by law," he told an audience at the National Security Australia conference in Sydney yesterday.

"The logs can help identify victims who have had credentials stolen."

The number of logs available to AusCERT has plummeted from more than 20,000 in 2009 to "virtually zero" this year, Ingram said.

However, this problem doesn't seem to have affected CERT Australia, which operates within the Attorney-General's Department. In the first 12 months of its operation, it managed to inform 50,000 people that their identities had been stolen.

A cybercrime pandemic

Ingram also revealed that the number of email notifications issued by AusCERT to malware-infected websites spiked from about 6000 at December 2009 to 29,000 by the end of 2010.

Almost half of the notifications were sent to Australian-registered commercial websites (.com.au).

Notifications for infected web hosts had declined slightly to 4100, with Australian-registered educational hosts (.edu.au) responsible for a whopping 61 per cent of infections.

He said administrators notified by AusCERT will often react by reinstalling a backup image of the compromised website, which contains the same vulnerability that allowed the infection to take hold.

"They'll just re-image a backup without fixing the vulnerability and get infected again," Ingram said.

He told the audience that Australia is on the verge of a cybercrime "pandemic".

"We are at the threshold of a pandemic. Very near that point on a scale where we say 'this is unacceptable'," Ingram said.

"It is a cybercrime revolution that is silently and stealthily taking over computers."

He said one in five computers is infected with some form of malware.

"The day money became the focus of malware is the day the internet changed," Ingram said. "I'm telling you now, a Russian who has employed some clever coders to write malware will very likely never be caught and will be very rich."

Ingram said many malware writers are professionals, not just hackers.
