Combating online banking fraud requires the banks, various law enforcement agencies, CERTs and sometimes related parties (such as telcos and ISPs) to share information on new threats and mitigation strategies.
But just because a given individual wears the badge for one of these organisations, it doesn't immediately foster trust. The sharing of data – often sensitive to the organisation that has collected it – requires strong relationships at the highest levels.
The AusCERT Cybercrime Symposium, held on the Sunday before the annual AusCERT conference on the Gold Coast, is one attempt to encourage these connections.
|Complete coverage of AusCERT 2012|
At this year's event, members of anti-fraud teams from Australia's major banks, government agencies, law enforcement, security vendors and stakeholders in critical infrastructure gathered together in closed-door sessions to continue to work through industry issues and build trust.
The sessions aim to share information on the nature and impact of online crime and what tools the black hats are using. They also look at what initiatives various stakeholders can collectively deploy to secure essential systems against attack.
SC Magazine spoke to two of the presenters at the Symposium in the lead-up to the event to give AusCERT attendees a flavour of what gets discussed behind the closed doors.
For Shaun Vlassis, a cybercrime expert with the Commonwealth Bank's CBAcert, the event is all about developing and nurturing trust relationships.
"My main aim at the symposium is to share the knowledge and experience we have through monitoring and actively mitigating online fraud against our customers on a daily basis," he told SC.
The event allows attendees to "put names to faces" for future collaboration, he said.
"It builds heavily on trust, which underpins a lot of the collaboration we do," he said. "In a lot of cases, unless you have shared a beer with someone you will not get the same level of interaction as you would get otherwise."
Fellow presenter Jake Lambert, a technical account manager at security vendor Vasco, will use the event to divulge information on upcoming products the company is working on, well before their release date.
"It's good for us to bounce new things out in the market by those at the front line," he said.
"End users are not able to protect themselves while on the internet from the threat of malware," Vlassis said. "However it is the merging of many threats, not just malware, that allows a criminal to enjoy some level of success."
Unfortunately that means no journalists – not even SC – are allowed in.
Lambert said there are "new weapons in the arsenal to make it harder" for cybercriminals to succeed.
"Even if they have compromised your information, these solutions aim to prevent them doing any damage," he said.
He boasts that implementation of these next-generation tools could yield up to a 50 percent decrease in online banking fraud.
Assessing the threat level
This year, Vlassis doesn't expect much surprising data on the types of threats the industry faces.
From a technology perspective, the malware designed to defraud online banking customers has not changed significantly in recent years, he said.
Technology solutions such as two-factor authentication and voice biometrics have "covered the 99 percent" of issues.
For the remainder, cybercriminals must now employ a range of social engineering techniques to achieve their goals. This requires more dedication and sophistication than in the past – both on the part of attackers and those charged with securing systems.
"You'll always get someone that clicks on a link or takes in a trojan from a web site," Vlassis said. "It is the merging of many threats into one that allows a criminal to enjoy some level of success."
But there are some questions – unanswered in public forums – about the volume of attacks. The closed-door sessions at AusCERT give stakeholders the opportunity to gather some trusted numbers and real-world scenarios to more accurately gauge threat levels.
It's a far more trusted alternative to the cybercrime statistics bandied about by security vendors and even government departments. Two economists, sponsored by Microsoft, recently voiced their doubts on the severity of cybercrime in a report published in the New York Times, and both Vlassis and Lambert agree that there is a tendency for the threat to be over-stated.
"When considering the numbers on losses, you always need to consider which organisation generated the stats," Vlassis said. "This level of information [is] not being shared openly – you certainly won't see it in a news article. Some of the statistics, from quarterly or annual security vendor updates, are calculated in terms of 'potential exposure', on the basis of the average size of an account and number of accounts and not actual losses."
Vlassis expects his peers in the Symposium to report that the threat continues to increase. There were an unprecedented number of attacks over the past 12 months across all industries, he said, highlighting the apparent ease with which groups like LulzSec and Anonymous illustrated how even the largest of institutions could be compromised.
"There is blood in the water," he said.
These high profile cases have only reinforced the need for stakeholders in IT security to get together and sharpen their processes.
Participants in such forums can often leverage contacts made during the symposium in times of heightened risk. Vlassis notes that international law enforcement and internet industry representatives, often invited to these forums, might be called upon at a later date if a phishing site hosted in their region is found to be collecting information on Australian customers, for example.
There are well-publicised examples of stakeholders coming together to approach a particularly menacing threat. Microsoft pulled together a working group in 2009, for example, to tackle the Conficker worm. This group included domain name authorities, ISPs, IT security vendors, academia and other independent researchers.
While the worm ultimately continues to impact organisations, the working group's legacy has been greater information sharing between stakeholders. It has published tools to check whether systems are infected, repair tools and a report on the lessons learned from mitigating the threat.
Vlassis noted the Conficker Working Group as an example of where industry collaboration can yield measurable results.
"It's always good to talk to like-minded people in our community – to find out what the industry is doing," Lambert says. "I hope to meet some other security experts that share common goals."
"[The Symposium] has been extremely successful over the years," Vlassis agreed. "I'm looking forward to participating."