IT security staff keep paedophile business afloat
Police are holding the IT security linchpin responsible for propping up an online business that specialises in networking paedophiles and trading images of children being sexually abused.
Yesterday Queensland Police announced that Operation Achilles -- which has been pursuing child sex offenders online -- has led to the successful shut-down of a major paedophile business. Queensland Police cooperated with the FBI, as well as New Zealand and European law enforcement agencies, to bring down the operation.
At the centre of the operation is an Italian Web site administrator, Sergio Marzola, who was responsible for the ongoing security of the group's communication, Queensland Police said.
Twenty paedophiles across six countries have been arrested. Investigators are now poring over 400,000 video files captured from the group.
"Some networks have a security officer, for lack of a better word, who that's all that persons job is to ensure the proper encryption is utilised, change the encryption keys on a regular basis, look for violation of whatever the group's security protocols might be," said Arnold Bell, Head of FBI Innocent Images Unit, on ABC's Lateline.
Ty Miller, CTO of penetration testing firm Pure Hacking, said that the systems described by the FBI mirror "high security" organisations.
"That sounds like a typical thing that an organisation should do if they are a high security organisation, for example, a bank. They will rotate keys on a regular basis just in case someone cracks a key," Miller told ZDNet.com.au.
The gang also used legitimate Web sites to create backdoors for the group to communicate and trade -- a technique commonly used by groups distributing malware.
"Often when you find a compromised Web site, you will find things like spam servers and porn servers have been set up. They end up hosting IRC servers and peer-to-peer file sharing," said Miller.
"If they're using compromised systems to distribute content, there's no difference between the way they operate and your more generic hackers who are trying to cause mischief," he added.
While sophisticated encryption technologies protected the organisation, the level of encryption used by the group exposed it to prosecution under US law and was high enough to prompt charges of obstructing justice, according to Lateline.
The Bureau of Industry and Security, under the US Department of Commerce, regulates the export of encryption technologies in the US. Other controls on the export of encryption technologies are governed under the Wassenaar Agreement, to which Australia, along with 40 other countries, are signatories.
Queensland Police would not disclose the level of encryption being used by the group because it would compromise ongoing investigations, a spokesperson told ZDNet.com.au.