Hack attacks--a public embarrassment?
By Patrick Gray
ZDNet Australia
A 17-year-old Queensland youth was arrested last week on charges relating to a security breach at a prominent internet service provider (ISP). ZDNet Australia spoke to the director of the recently established Australian High Tech Crime Centre (AHTCC), federal agent Alastair MacGibbon, about the arrest, and found out why letting the world know you've been hacked isn't necessarily a public relations disaster.
If there's one thing MacGibbon wants known, it's that the AHTCC wants more companies to come forward when they've been the victim of a computer crime. "It's heartening to see how the victim reacted in this case," he said. "We understand that the vast bulk of these crimes aren't reported to us and we are in the process of encouraging industry to report matters to us."
Many companies fear the negative publicity that comes with acknowledging that data has been unlawfully accessed, he said. However MacGibbon argues that companies should not hesitate to report these crimes because trying to sweep incidents under the carpet may backfire. "It's a small industry... people find out," he explained.
The way in which pharmaceutical companies now handle poisoning scares is an example of a change in corporate attitudes to reporting crimes that may cause fear and concern among customers, MacGibbon says.
"We've seen quite a shift in the way businesses handle the publicity around product contamination issues, and how they respond to them as good corporate citizens [in the last] ten or twenty years ago," he said. "We argue it's the same thing when it comes to this type of quite catastrophic attack against a service provider, for example, we say that there are actually some positives that can come out of it. You're showing yourself to be someone that's willing to go to the police and work with the police and have a person prosecuted."
"What a person does when they take over an ISP is they're infringing on every single user of that ISP and what that company can say is 'we're actually out there protecting your interests by cooperating with lawful authorities in a lawful manner'. I think that's quite a change," he added.
The world's governments are by no means unified on the issue, MacGibbon said. "Some countries have looked at some confidentiality issues where they will actually try to legislate to protect the victim corporation against exposure," he told ZDNet Australia. "Other countries, like in the U.S., have gone in the exact opposite direction. Californian law, from what I understand, says that if you are a company that has public information on and you have an incident in relation to a computer, you have to, by law, publicize that incident and let people know whose data has been compromised, which in this case would be all the users."
The AHTCC has its eyes on developments in the disclosure area. "We constantly scan the horizon to see what's being done overseas," MacGibbon said.
It's not all about disclosure though, MacGibbon claims. Companies may simply be unaware that they've been the victim of a digital attack. "Another reason why these matters aren't reported to us is by the very nature of the offence, people may not know that it's actually occurred and that's a real problem when it comes to IT incidents," he said.
"Your home computer or your business computer might be compromised and you may just think it's behaving a bit anomalously and not being a technical person myself I may just turn it off and back on again. I might call up the IT helpdesk and say 'look for some reason I can't open up a word document'. I may not realize that it's an IT security incident," he added. "In the long run we usually find out why something has happened, but it may be a compromise that's gone on for quite some time... depending on the capability of the [attacker] and how much they want to do using the system that they've actually compromised, they may be in the system for quite some time before it's discovered. It depends on how sophisticated they are."
In the case of the recently breached ISP, the alleged offender was located and arrested within 24 hours of the report being filed. "The victim provided us the right amount of information to be able to approach other providers who could assist in tracking down where the offender was," he said. "It's a simple game where it can fall down at any point so what we had was good co-operation from the victim, and excellent cooperation from other providers that allowed us to lawfully obtain information to locate the person."
The victim has not yet been named; however the ISP will be identified as court actions progress. "I wouldn't say who the victim is until such time as they actually want to say they are. This is again a part of our commitment to industry to make sure that we treat them with the level of respect they deserve," he said. "They have a lot of considerations to take into account on how they manage their vulnerabilities, for example, and how to recover from the incident, and then how they inform their customers and the public of what happened."
"We see that as being the job of the victim. What we say to industry is 'for as long as we can we will protect your identity', but at some stage it will obviously become known, and in this case it will become known at the very latest when it goes before the courts," he added.
ZDN
Posted on Tuesday, 04 November 2003 @ 04:30:00 EST by phoenix22