Outspoken cop questions whether to "turn the Internet off"

 

Panic erupts as IT security issues hit mainstream television.

Australian internet users might understandably be pulling the plug on their broadband connections overnight, after a program aired on national broadcaster ABC highlighted the risks and repercussions of going online.

Brian Hay, detective superintendent for fraud and corporate crime at the Queensland Police, gave the ABC's current affairs program Four Corners the ultimate soundbite: "I expect to see at some stage in the future there will be real debate on the benefit of the internet; should we turn it off?"

The program, titled Fear in the Fast Lane, focused on the ease with which computers could be infected with malware and then controlled by organised criminal gangs to commit online crimes -- from launching DDoS strikes such as the recent attack that knocked Twitter offline, to hosting phishing sites designed to dupe consumers into revealing their personal details.

One victim of a phishing scam was Dimitri Glianos, a Commonwealth Bank customer who discovered over $80,000 was taken from his bank account soon after he clicked on a link in a phishing email and completed a bogus security form.

"I didn't give it all that much thought. I had to get off to a meeting ... an email was urging me to do something. It had come through the firewall, it looked legitimate," Glianos told Four Corners.

Glianos gave the criminals his address, phone number and other information, which they used to steal his identity, cut off his internet access, take over his mobile phone and then clean out his bank account.

Although the bank refunded the stolen money, Glianos claims he had a tough time convincing everyone that he was a victim.

"I will probably never really recover in the sense that it's now made me much more nervous," he said.

Far fetched?

The Twitterverse was buzzing after the show, with many users claiming the program was far fetched and sensationalist.

But Chris Gatford, a security consultant at HackLabs who featured on the program as a wardriver, told iTnews that although the IT community is generally more educated than the average user, he is constantly surprised by lax security practices in the corporate world.

He gave an example from a biotech firm.

"On an open shared network with no authentication was a document called safecombination.doc. I am not joking. And inside were instructions on opening the safe. They kept all their secret research in there!"

Fixing the problem

Education, better patch management, improved security practices, international cooperation between law enforcement agencies and even a national two-factor authentication scheme have been spruiked as possible solutions to the problem.

The general consensus formed on the program was that the criminals behind most of the malware and phishing attacks were motivated by money.

Patrick Gray, founder of ITRadio.com.au and the RiskyBusiness security podcast, suggested a solution might lie in finding a way of making such attacks unprofitable, possibly by revisiting fraud liability laws.

"Once we get a handle on the fraud a lot of our IT security problems disappear. If we can stop people exploiting personal information for financial benefit, they are not going to be motivated to research and develop the tools and techniques to collect that information.

"It is really about changing the economics to make it unprofitable for the bad guys. As soon as you make it unprofitable, it stops," he added.

What did you think of the show? Have you been a victim of ID theft? Has your organisation's IT infrastructure been attacked?


Comments: 17
HyRax
Aug 18, 2009 4:26 PM
I think the third paragraph of this article would be more accurate if it read "...focused on the ease at which WINDOWS computers could be infected with malware and then controlled...".

You can blame Microsoft for much of the malware and viruses we see today. DDoS attacks would be virtually non-existent if Windows wasn't the dominant desktop OS. As for phishing and lax security? Well, unfortunately there's no antidote for the stupidity... The Dilbert Principle lives on.
PhilD
Aug 18, 2009 6:13 PM
My, what an anti-Microsoft rant by HyRax. You must be kidding if you think that by removing Microsoft products that the problem would be just about non-existent. The crims would just target other systems even more than they do so now. Particularly the first example cited was a level of stupidity that goes against all that banks etc keep telling people not to do and then he was compensated as well rather than fined. He's also probably a good candidate for a Nigerian letter. As for the safe combination, that's a display of complete stupidity, not an internet problem, and exists in all walks of life and is why there are the Darwin awards.
Rather than shut down the internet, there should be an intelligence test before allowing access.
horst
Aug 18, 2009 6:25 PM
It gets better - while watching 4 corners.abc,
the police computer shown, was entered by one of the accused internet illegals.
horst
anonymous
Aug 18, 2009 8:23 PM
The Queensland police force - outspoken one day, over the top the next. Next week they may propose closing all roads to reduce car accidents, and then they will want to ban money in case somebody loses some.

Less worthy of tabloid headlines, but much more to the point, would be to emphasise that people are actually responsible for their actions, and that they should exercise normal uses of due caution, even when they "have to get off to a meeting".
funkyg
Aug 18, 2009 9:05 PM
This was the security expert that said 'it would take about 10 minutes if the network was encrypted'. Yeah right, if you used WEP then that is slow, if you use WPA with a strong password, I'd like to see it done in 10 years! Sounded like an off the cuff comment, so I should give him the benefit of the doubt, but that's the kind of misquote that leads to misunderstanding and a 'might as well give up' attitude.
Just to confirm for everyone's sake WEP is broken and should not be used, WPA is very strong still and if used with a strong password (that can't be looked up in a dictionary) will not be broken by anyone, security expert or youthful hacker.
funkyg
Aug 18, 2009 9:09 PM
Btw - what they should have focused on was people's shared use of Internet hotspots. Now that is a real danger that most users seem totally unaware of.
I heard a stat a while back that a person packet sniffing traffic at a hotel would average 12 bank passwords a night!
Mun
Aug 19, 2009 12:28 PM
Thanks for all your comments.

@HyRax: I partly disagree because it doesn't matter which platform you are on if the criminals can fool you into revealing your personal details with a phishing attack. However, I must admit that currently there seems to be very little chance of being infected by malware on a Mac.

@PhilD I think giving the phishing victim a fine after losing $88k would be a little harsh! However, the safecombination.doc example does make my mind boggle.

@anonymous "they may propose closing all roads to reduce car accidents" =))

@funkyg I have known Chris Gatford (the wardriver) for many years. He really does know his stuff. I will try and get him to respond. Of course you are correct about WEP - just say no! As for shared wifi hotspots, use a VPN…
Mun
Aug 19, 2009 12:59 PM
@funkyg Here is some more info on WPA cracking from Chris.

WPA used to withstand a reasonable amount of time enough to make it too hard and attackers would move on to another easier target. But these days tools such as spoonwpa, cowpatty and even aircrack-ng can make WPA wireless nets encryption little more than an obstacle for an hour. Of course this varies depending on how they have implemented WPA (Which types i.e. Personal vs Enterprise). For a video demonstration on cracking WPA in minutes this is a good link.

http://www.youtube.com/watch?v=fgE9rgmsX50
PhilD
Aug 19, 2009 3:28 PM
@Mun: If you're against fining the so called victim, do you really think that guaranteeing people 100% of their money back is any deterrent to the idiots doing it over and over again because otherwise they will never be held accountable. Accidents happen, but in this day and age people have to start taking some responsibility for their own deliberate actions or they will never learn. If not called a direct fine in name then if you've provided your details so openly then you only get a certain percentage back. In one way or another these losses that banks pay out on are eventually passed on to the rest of us.
PhilD
Aug 19, 2009 3:38 PM
Re the safe combination example, it doesn't surprise me as it is probably quite widespread in one form or another. I used to be in charge of a building security system and found that sharing of after hours PIN and swipe card access to unauthorised staff was common and some had actually written their number on a sign just inside the glass door for all to see. The same goes to discarding company documentation in normal rubbish bins rather than the confidential shredding bin. It's an extremely lazy and don't care attitude that is common.
funkyg
Aug 19, 2009 4:16 PM
@Mun Thanks for the link to the video. Have a read through the comments and you will see that it is actually a fake though. A replay just doesn't work I'm afraid (or actually glad). You'll see that the only attack is a dictionary or simple brute force and there isn't anyone going to try brute forcing it.
WPA still remains strong with the only potential attack being a theoretical one that can only capture very short packets. You can get round this by setting your router to renew every 10 minutes or so as the attack takes 12 minutes to run. Btw This isn't particularly me saying this but have a listen to the excellent SecurityNow podcast. They have covered wireless security quite a number of times.
If your friend has more info please get him to post it up.
mph
Aug 19, 2009 5:34 PM
I agree, I thought it was a good show and it is great to increase awareness. But the two bits that stood out to me as fud, is that in years to come we might be debating the benefits of the internet and should we just turn it off, and the comment about cracking encrypted wireless in around 10 minutes ( I wish they had just picked one at random and proved that point, why did they choose to turn off encryption at the journo's home, maybe not enough film ;)).
The Internet can be a scary place, but education and technology can always help in minimising risk. I doubt the Internet will ever be switched off, it was designed to be resistant to nuclear attack, so hopefully it will withstand the QLD Police flicking the off switch ;). The benefits of the Internet far outweigh the risk. But the risk needs to be minimised substantially.
Also, Wireless security hack in 10 minutes?? Sure if using a weaker method such as WEP, but WPA/WPA2 (even personal) can be pretty secure. Sure passwords are weak, other methods such as 2 factor are optimal. But home wireless can be protected to a point where it offers pretty good security, plus getting access to home wireless doesn't equal instant access to critical files. Why not use the show to educate about picking a good WPA password, such as "Iwouldquestionthecommentabouthackingwirelessin10minutesonthe4cornersshow!?!?!?". Also educate people to rename their SSID to something better than the default so that they reduce the risk around the precompute tables floating around the web (most only contain 1000 SSID names after all). My 2 cents worth ;)
funkyg
Aug 19, 2009 8:29 PM
Btw - for a VPN try hotspotvpn an online service. You obviously have to trust them but they are easy to set up and use.
y011
Aug 20, 2009 5:53 AM
@Mun - Chris' re-explanations that WPA is "little more than an obstacle for an hour" and that the time involved in breaking the network also depends on the "type" of wireless (with types apparently being Personal and Enterprise, LOL) are incorrect and are perpetuating more misinformation.

The actual time for WPA-PSK depends on the quality of the PSK obviously. Dictionary-based stuff takes minutes if you happen to have the magic dictionary which contains the PSK. Otherwise, if it's a non-common SSID (hi @mph RE: CoW tables) you're generating a table. Which can take a long time. Much, much more than an hour even using distribution and FPGAs. This is one area that's pretty subject to Moore's law though. This method will speed up.

Enterprise wireless (WPA/WPA2+802.1x/EAP-enabled wireless) can use WPA/WPA2 but how they use WPA/WPA2 has ABSOLUTELY NOTHING to do with WPA-PSK and current ways of breaking WPA-PSK. The tools he listed - spoonwpa, cowpatty and aircrack-ng - are useless for attacking enterprise-type wireless. Those tools are about determining a static shared key in use. Enterprise wireless solutions by design DO NOT USE SHARED KEYS. So those tools only work on WPA-PSK.

Yes you can deauth clients from enterprise networks with injection methods of these tools but other than this as a potential DoS you can't break into the enterprise with those tools in their current form no matter how much time you have to do it. Implying that magically all wireless networks go boom in any amount of time just isn't correct. This may change tomorrow but, unless Chris has some amazing presently unknown to the world attack which is contradictory to his apparent understanding of wireless security in his statements so far, he's wrong on this.

And here's another WPA-PSK cracking video (the music's better and it doesn't lie and say it's doing a clientless attack).

http://www.youtube.com/watch?v=ZeCVkWMUSzE

Full disclosure - my company made the video using the wonderful aircrack suite against a stupidly trivial WPA-PSK for illustration purposes. The time involved is based on that combination of configuration.
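
An added example, not part of any comment in this thread or of the original article: it shows why the commenters say precomputed WPA-PSK tables only apply to a known SSID and why passphrase length dominates. The pairwise master key is PBKDF2-HMAC-SHA1 with the SSID as salt; the SSIDs, the sample passphrase and the guess rate below are constructed assumptions.

```python
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def table_reusable(passphrase: str, table_ssid: str, network_ssid: str) -> bool:
    """True only if a table precomputed for table_ssid would contain the
    same key that network_ssid derives from this passphrase."""
    return wpa_pmk(passphrase, table_ssid) == wpa_pmk(passphrase, network_ssid)

def exhaustive_search_years(length: int, alphabet_size: int,
                            guesses_per_second: float) -> float:
    """Worst-case time to try every random passphrase of the given length.
    Each guess costs a full 4096-iteration PBKDF2 run."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    passphrase = "correct-horse-battery"
    default_ssid, renamed_ssid = "default", "balmain-home-7f3a"
    print("default SSID PMK:", wpa_pmk(passphrase, default_ssid).hex())
    print("renamed SSID PMK:", wpa_pmk(passphrase, renamed_ssid).hex())
    print("table for default SSID reusable on renamed network:",
          table_reusable(passphrase, default_ssid, renamed_ssid))
    rate = 1e6  # assumed guesses per second, for illustration only
    for n in (8, 12, 20):
        years = exhaustive_search_years(n, 26, rate)
        print(f"{n} random lowercase letters: {years:.3g} years")
```

Because the SSID is the salt, a table built for one network name is useless against another, which leaves the passphrase's length and randomness as the deciding factor.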
y011
Aug 20, 2009 6:22 AM
Actually in re-reading my comment it was a little harsh. This has been my pet area for research for a while so I'm a little twitchy about it. Sorry there.

Chris is a smart guy whom I consider a friend. It's hard to strike a balance between general information for the masses and technical accuracy on a complex topic. Throw in editing and a TV producer with a sensational agenda and you have a recipe for problems. Rock on Chris.
CG
Aug 20, 2009 9:28 AM
I agree with y011 and agree with his comments. At no stage did I ever talk about WPA and the program never even hinted at enterprise, we were driving around Balmain LOL. So it was focused on the home user, not enterprises.

As y011 mentioned, the bar is much higher on WPA un-typical networks and practical attacks on WPA are based on poor home user practices which as we all know are highly likely to not be any good. Good calling me out on the video, yours is much better ;-)
cmlh
Aug 20, 2009 12:44 PM
The following statements are quoted from the handle "HackLabs" in the 4Corners Forum on "Fear in the Fast Lane":

1. "... WPA2. It's not full proof ..." within the topic "Encrypted Wifi"
2. "... WPA can withstand a focused attack a little longer. WPA2 is a bit tougher depending on configuration." within the topic "WiFi security"

Are you denying that you made these comments now?
Comments have been disabled for this article.
 
 
 