House of Representatives Committees

Chapter 11 - Emerging Technical Measures to Combat Cyber Crime

Introduction       

11.1               This chapter examines a range of emerging technical measures that may assist in combating cyber crime. It also briefly canvasses ways to encourage the development of new anti-cyber crime measures.

11.2               Cyber crime is continually evolving and adapts to anti-cyber crime measures, thus emerging technical solutions only provide a partial response and are unlikely to offer a complete solution.[1] Nevertheless, technological measures can improve personal security and the resilience of the Internet and information communication technologies (ICTs). Support for technological innovation must therefore remain an important part of the overall national response to cyber crime.

Emerging technical measures

11.3               This section examines the following technical measures:

•  smart cards;

•  two factor authentication;

•  an identity metasystem;

•  Domain Name System Security Extensions;

•  trusted networking infrastructure;

•  new encryption techniques;

•  privacy enhancing technologies;

•  black listing;

•  white listing;

•  walled gardens;

•  ‘clean’ boot-up disks;

•  Trusted Platform Modules;

•  black hole and sinkhole routing; and

•  program monitoring.

Smart cards

11.4               Smart cards were suggested as a method for combating online identity theft and fraud. Smart cards are pocket-sized cards with an embedded microchip that can store large amounts of data, encrypt data and communicate with other devices. A smart card can take many forms including a credit card or an identity card. In relation to online security, smart cards may be inserted into a reader to authorise and conduct online financial transactions.[2]

11.5               Smart cards combat cyber crime in a number of ways including:

•  automatically and randomly encrypting the data transferred in an online transaction to prevent tampering by cyber criminals;[3]

•  providing extra sources of verification, such as encrypted card identifiers and unique PINs, to increase the difficulty of committing identity theft and fraud;[4]

•  automatically verifying that a website is legitimate and can be trusted;[5] and

•  preventing identity fraud by recognising and blocking transactions being made from an unusual location or in excess of a daily spending limit.[6]

11.6               A number of financial institutions have already implemented smart card technology overseas and are in the process of rolling out smart cards in Australia.[7]

11.7               AusCERT argued that, while smart cards may assist in preventing some aspects of cyber crime, they do not address the threat of identity theft from computers infected with malware.[8] Additionally, the Australian Institute of Criminology (AIC) noted that several studies have demonstrated that technically competent criminals can still circumvent smart card security mechanisms. However the AIC also submitted that properly implemented smart cards are acknowledged as helping to combat identity theft and fraud. The AIC noted that there exists significant support for the continued research and implementation of such technologies.[9]

Two factor authentication

11.8               Two factor authentication is a procedure that combats online identity theft and fraud by adding an extra layer of verification when accessing online services and accounts. It requires the end user to present two factors. The first factor is something the person knows, such as a username or password. The second factor is either something the person has in their possession (such as an ID card) or a physical attribute of the user (such as a fingerprint). Attacks such as phishing or spyware may successfully steal the first factor; however, without the second factor the cyber criminal cannot gain access to the account or service.[10]

11.9               A number of Australian businesses, including Australia Post and many financial institutions, use two factor authentication. When a user wishes to conduct a transaction online, not only must they gain access to their account through entering a password, but must also enter a unique six-digit code sent to their mobile by the business upon their request for the transaction. Thus users must provide two identification factors, each from a different category: a password (something retained in the user’s memory) and a unique code proving possession of the correct mobile phone (something in the user’s possession). The Commonwealth Bank of Australia informed the Committee that two factor authentication reduced their incidents of fraud by 96 per cent over 2005.[11]
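The password-plus-mobile-code procedure described above can be modelled in a few dozen lines. The following Python sketch is an added illustration, not code from the report or from any institution it cites: the service stores only a salted hash of the password, issues a random six-digit code to the user's registered mobile, keeps only a hash of that code, and authorises a transaction only when both factors check out. The function names (`register`, `issue_code`, `authorise_transaction`), the five-minute code lifetime and the in-memory store are assumptions made for this example; the `send_sms` callback stands in for an SMS gateway.

```python
import hashlib
import hmac
import os
import secrets

# Assumed lifetime of an issued second-factor code (seconds).
CODE_LIFETIME_SECONDS = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(store: dict, username: str, password: str, mobile: str) -> None:
    """Create a user record in the constructed in-memory store."""
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "mobile": mobile,
        "pending_code": None,  # (code hash, issue time) while a code is outstanding
    }


def check_password(store: dict, username: str, password: str) -> bool:
    """First factor: something the user knows."""
    rec = store.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"])


def issue_code(store: dict, username: str, now: float, send_sms) -> None:
    """Generate a fresh random six-digit code, keep only its hash, deliver it by SMS."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    rec = store[username]
    rec["pending_code"] = (hashlib.sha256(code.encode()).digest(), now)
    send_sms(rec["mobile"], code)  # assumed SMS gateway hook


def check_code(store: dict, username: str, code: str, now: float) -> bool:
    """Second factor: possession of the phone that received the code.

    The code is single-use (consumed on the first attempt, right or wrong,
    so it cannot be guessed by repeated tries) and expires after a short time.
    """
    rec = store[username]
    pending = rec["pending_code"]
    if pending is None:
        return False
    code_hash, issued_at = pending
    rec["pending_code"] = None
    if now - issued_at > CODE_LIFETIME_SECONDS:
        return False
    return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_hash)


def authorise_transaction(store: dict, username: str, password: str,
                          code: str, now: float) -> bool:
    """A transaction proceeds only when both factors pass."""
    if not check_password(store, username, password):
        return False
    return check_code(store, username, code, now)


if __name__ == "__main__":
    store = {}
    register(store, "alice", "correct horse battery", "+61 400 000 000")
    sent = []
    issue_code(store, "alice", now=1000, send_sms=lambda mobile, c: sent.append(c))
    print("stolen password only:", authorise_transaction(store, "alice", "correct horse battery", "000000", 1001))
    issue_code(store, "alice", now=1002, send_sms=lambda mobile, c: sent.append(c))
    print("both factors:", authorise_transaction(store, "alice", "correct horse battery", sent[-1], 1003))
```

Two details carry the report's point that a phished password alone is not enough: the code is consumed on first use, so an intercepted code cannot be replayed, and it expires, so it has a short useful life even if captured.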

11.10           Smart cards may also be used to provide the second category of two factor authentication (something in the user’s possession). Users may be required to scan a smart card in order to conduct a transaction or gain access to a certain system.[12]

11.11           Australia Post submitted that secure two factor authentication services are currently readily available from online security companies, and suggested that two factor authentication could be extended to other online transactions.[13] For example, the Australian Taxation Office suggested that two factor authentication methods could make the lodging of online tax returns more secure.[14]

11.12           Two factor authentication may also require verification of a physical attribute through the use of biometrics. Biometrics are technologies that can identify unique physical attributes including fingerprints, iris prints, handprints, facial structures and voice signatures.[15]

11.13           Some witnesses argued that biometrics may not be sufficiently reliable and may still be circumvented by advanced cyber criminals.[16] The AIC acknowledged that biometrics do have some limitations, such as the expense of implementation, but argued that such technologies are very effective in solving some of the problems of cyber crime relating to passwords and PINs.[17]

Identity metasystem

11.14           Microsoft advocated the creation of a system where all online authorisation procedures would be conducted through a single, standard program.[18]

11.15           Microsoft observed that in order to gain access to online services, Internet users are required to enter a range of different user names and passwords into many differing and unique online systems, and are often asked to provide a range of personal information.[19]

11.16           Microsoft suggested the risks to users from this process are threefold:

•  users increase security risks by employing the same passwords and usernames for a range of different authentication procedures;

•  users gain authorisation through a range of non-standard webpages and thus may not be able to recognise a phishing webpage; and

•  users are asked to provide an ever increasing number of personal details to third parties, thus raising privacy issues.[20]

11.17           To combat these risks, Microsoft proposed an identity metasystem that would connect, but not replace, all current online authorisation procedures. Every time a user needed to provide authentication they would do so by entering various identifiers into a standard interface, instead of arbitrary details through an interface unique to each online service. In turn, this interface would use the identity metasystem to interact with the appropriate webpage or application to notify if the authentication was successful.[21]

11.18           Microsoft envisages that such a system would allow users to employ verifiable details to complete a range of different authentication procedures through one standard interface. In turn, Microsoft argues that password and username security would be enhanced, susceptibility to phishing schemes would decrease and user privacy would be strengthened.[22]

Domain Name System Security Extensions

11.19           As outlined in Chapter 2, cyber criminals can subvert parts of the Domain Name System (DNS) to divert users to a malware, phishing or scam website.[23]

11.20           Dr Paul Twomey, Senior President of the Internet Corporation for Assigned Names and Numbers (ICANN), advocated the implementation of DNS Security Extensions (DNSSEC) as a means of addressing this risk. DNSSEC is an eleven-year-old technology which has already been introduced in certain areas of the DNS, but is not yet widespread. It requires each genuine IP address in the DNS to be given a series of unique digital signatures that must match up in order to verify a website’s authenticity.[24]

11.21           Several country code domains, including those of Sweden, Brazil, Bulgaria and the Czech Republic, have already implemented the technology. Dr Twomey argued that wider implementation of DNSSEC would reduce the capacity for hackers to subvert the DNS.[25]

Trusted networking infrastructure

11.22           The Commonwealth Scientific and Industrial Research Organisation (CSIRO) also informed the Committee of their work in developing a form of secure network that conceals information from ‘outsiders’, which prevents theft. CSIRO envisage that sections of the Australian network could be designated to be part of a secure information exchange system. This could be achieved through designating each individual router that would be part of the network, or by designating the ISPs whose customers would be part of the network. Each computer on the trusted network would have its own ‘electronic contract’ that would determine how its information is used, encrypted and accessed by other computers on the network. Computers outside of this trusted network would not be able to access the information. CSIRO proposed that these electronic contracts could be monitored for compliance to detect misbehaving computers.[26]

New encryption techniques

11.23           The Committee heard that new encryption techniques could also help to combat identity theft and fraud.[27] For example, Dr Peiyuan Zhu advocated his ‘Masked Identification System’ as a new method for securely encrypting data. Dr Zhu submitted that, through using a randomly generated encryption code that is unique to each data transmission, this new method would render intercepted information useless to cyber criminals.[28]

Privacy enhancing technologies

11.24           The Australian Office of the Privacy Commissioner told the Committee of a range of technologies that may enhance privacy and prevent identity theft, including:

•  data separation and anonymising tools which remove personal identifiers from data during transmission and storage;

•  privacy metadata which uses an electronic tagging system to control how information can be accessed and used; and

•  privacy management systems which permit individuals to easily determine if the privacy policies of organisations meet their own requirements.[29]

Black listing

11.25           Currently, many organisations employ black listing to protect themselves from malicious websites and emails. Black listing involves monitoring all sources attempting to access and exchange data with a particular system. The reputation of each source is assessed, and the data from the source is checked for signs of malicious code or content. Any sources that are then deemed to be malicious are placed on a ‘black list’ and denied access to the system.[30]

11.26           Technologies for assessing the risk of sources and data are continually emerging. Both Symantec and McAfee advocated products which gather data from a range of sources (including home users, software publishers and online businesses) in order to determine if a website, file or other computer system is a security risk, and thus if the source should be black listed.[31] Alternatively, ThreatMetrix Pty Ltd advocated their ‘Device Intelligence’ technology for online merchants which, through examining the location and configuration of customers’ machines, detects and blocks fraudulent transactions.[32]

11.27           The Government has already taken steps to create an Australia-wide network black list to block malicious website content, albeit without the sole focus of addressing cyber crime. On 15 December 2009 Senator the Hon Stephen Conroy, Minister for Broadband, Communications and the Digital Economy, announced Government plans to legislate for Internet Service Providers (ISPs) in Australia to block all material contained on the Australian Communication and Media Authority’s (ACMA’s) Refused Classification Content list, including content relating to the detailed instruction in crime.[33] Whilst this content filtering exercise extends to a range of online content, through blocking content relating to the detailed instruction of crime, some cyber crime-related websites may also be blacklisted.

11.28           To carry out blacklisting on a higher network level, above that of ISPs, Web Management Interactive Technologies Pty Ltd, an Australian e-security business, advocated their Australian Protected Network (APN). The APN is essentially a network-wide firewall that is continually updated via a system that anticipates new threats. Under the APN, all Internet traffic entering the Australian network would pass through a central server. This traffic would be tested against a database of threat information, as compiled by members of the Australian Internet community, and traffic originating from known malicious sources would be blocked.[34]

White listing

11.29           White listing was advocated as another method of protecting users from malware and phishing attacks. White listing is a method whereby all sources attempting to access and exchange data with a system are monitored. Known trusted sources are placed on a ‘white list’ which permits access to the system, while all other sources (even benign but unknown sources) are denied access.[35]

11.30           The Australian Bankers’ Association (ABA) submitted that white listing could be applied in a range of ways:

•  online security software could white list ‘known good’ banking websites to deny access to phishing websites;

•  ISPs could white list trusted sites to protect their clients from malicious websites; or

•  banks could white list access to users from known and trusted locations to prevent identity fraud.[36]

11.31           However, contributors also argued that white listing has its limitations, especially when deployed across large networks with many diverse users. These limitations include: potentially blocking legitimate sources; restricting flexible access to systems (such as remote access); and increasing the complexity of already complex systems. Additionally, many home users may use ‘dynamic IP addressing’ where the code which identifies their computer or location is continually changing, thus making it difficult to accurately identify and white list users.[37]
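The contrast between the two approaches in 11.25 and 11.29 comes down to the default decision for a source that is on neither list. The following Python example is added here as an illustration and is not code from the report or from any vendor it names: it evaluates a connecting source (an IP address or a host name) against a black list and against a white list. The list entries use IANA documentation address ranges and `.example` host names, all constructed for the example, and the function names `black_list_decision` and `white_list_decision` are assumptions of the example.

```python
import ipaddress

# Constructed list entries: documentation address ranges and reserved .example names.
BLACK_LIST = ["198.51.100.0/24", "phish-bank.example"]
WHITE_LIST = ["192.0.2.0/24", "bank.example"]


def _compile(entries):
    """Split raw entries into IP networks and host-name suffixes."""
    networks, hosts = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.append(entry.lower().rstrip("."))
    return networks, hosts


def _listed(source: str, entries) -> bool:
    """True if the source matches any entry.

    An IP source matches a listed network that contains it; a host-name source
    matches a listed name exactly or as a sub-domain of it.
    """
    networks, hosts = _compile(entries)
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        host = source.lower().rstrip(".")
        return any(host == h or host.endswith("." + h) for h in hosts)
    return any(addr in net for net in networks)


def black_list_decision(source: str) -> str:
    """Black listing: default allow; only sources judged malicious are refused."""
    return "deny" if _listed(source, BLACK_LIST) else "allow"


def white_list_decision(source: str) -> str:
    """White listing: default deny; only known trusted sources get in,
    so a benign but unknown source is refused as well."""
    return "allow" if _listed(source, WHITE_LIST) else "deny"


def compare(sources):
    """Side-by-side decisions (black list, white list) for a batch of sources."""
    return {s: (black_list_decision(s), white_list_decision(s)) for s in sources}


if __name__ == "__main__":
    # Constructed sources: a trusted bank host, a listed phishing host,
    # an address in a listed bad range, and an unknown home user.
    for src, decision in compare(["www.bank.example", "login.phish-bank.example",
                                  "198.51.100.23", "203.0.113.7"]).items():
        print(f"{src:30} black list -> {decision[0]:5}  white list -> {decision[1]}")
```

The unknown address `203.0.113.7` is the case the limitations in 11.31 turn on: a home user whose ISP assigns a different address each session looks exactly like this to a white list, and is refused until the new address is added.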

Walled gardens

11.32           Walled gardens (as mentioned in Chapter 7) were suggested as means by which to isolate and disinfect computers that are infected with malware. Some ISPs in jurisdictions outside Australia follow a process where, when a customer is found to have a computer infected with malware, their Internet access is restricted in order to isolate them from other Internet users. Such limited access is called a ‘walled garden’. ISPs then assist the customer to eliminate the malware from the system and, once the user is disinfected, remove the user from the walled garden.[38] Some ISPs already carry out this process in Australia.

‘Clean’ boot-up disks

11.33           Detective Inspector William van der Graaf, NSW Police, argued that one of the key ways to ensure safe online banking was through the use of a ‘clean’ boot-up disk. A boot-up disk is a removable storage medium (such as a USB or CD) from which a computer can load and run an operating system. Detective Inspector van der Graaf told the Committee that users can conduct secure transactions by uploading a clean operating system from a boot-up disk each time they wish to transact online, rather than relying on existing operating systems that may be infected with malware.[39]

Trusted Platform Modules

11.34           CSIRO proposed the use of a Trusted Platform Module (TPM) to protect online transactions from malware and phishing. A TPM is a microchip which can verify the safety of another computer prior to conducting a transaction with that computer. When a user wishes to carry out a transaction, the TPM tests three factors against predetermined criteria: the identity of the other user, the identity of the other machine and the configuration of the other computer (including the type of programs installed on the machine). If all three criteria are met, the transaction proceeds. However, if there is any variation from the prescribed criteria (such as unknown programs) the transaction is blocked. In turn, TPM identifies malware on the other computer and reveals phishing websites.[40]

11.35           CSIRO informed the Committee that they have developed a TPM device in the form of a consumer-friendly USB drive, the Trusted Extension Device (TED), which operates on the same principle as the above-mentioned clean boot-up disk method. Through the use of a TED, a user can upload a clean operating system to any PC in order to conduct a transaction. The TED then goes beyond other clean boot-up disks by employing a TPM to verify the safety of the other computer prior to a transaction. According to CSIRO, not only do users avoid malware on their own machine, but they are also protected from malware and phishing websites hosted on the other machine.[41]

11.36           CSIRO acknowledged that TPM devices currently have limited opportunities for deployment. In order for a transaction to be authorised by a TPM, the other computer must adhere to a rigid and prescribed system configuration. Thus TPM cannot currently be applied in transacting between computers that have diverse and continually updating operating systems or programs. CSIRO submitted that this prevents wide deployment of the TPM, and that they are working to overcome this issue.[42]
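The configuration check described in 11.34, and the brittleness CSIRO acknowledges in 11.36, can both be seen in a short Python example. It is added here as an illustration and is not CSIRO's code; it reduces a TPM to one mechanism: the programs present on a machine are measured one after another into a register, each step hashing the previous register value together with the next measurement (the way a TPM's platform configuration registers are extended), and the final value is compared with a prescribed value recorded when the approved configuration was set. User and machine identity are reduced to plain identifiers, which is a simplification of the keys a real TPM would use; the policy, program names and function names are constructed for the example.

```python
import hashlib
import hmac


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new value = H(old value || H(measurement)).

    The result depends on every measurement made and on their order, so a
    single extra, missing or altered program changes the final value.
    """
    return hashlib.sha256(register + hashlib.sha256(measurement).digest()).digest()


def measure_configuration(programs) -> bytes:
    """Measure an ordered list of program identifiers into a fresh register."""
    register = bytes(32)
    for program in programs:
        register = extend(register, program.encode())
    return register


def build_policy(user_id: str, machine_id: str, golden_programs) -> dict:
    """Record the prescribed user, machine and configuration digest."""
    return {
        "user": user_id,
        "machine": machine_id,
        "config": measure_configuration(golden_programs),
    }


def authorise(policy: dict, user_id: str, machine_id: str, programs) -> tuple:
    """Apply the three checks; return (allowed, reason)."""
    if user_id != policy["user"]:
        return False, "unknown user"
    if machine_id != policy["machine"]:
        return False, "unknown machine"
    if not hmac.compare_digest(measure_configuration(programs), policy["config"]):
        return False, "configuration differs from prescribed set"
    return True, "ok"


# Constructed approved configuration and policy for the example.
GOLDEN = ["bootloader-1.0", "kernel-5.4", "browser-1.0"]
POLICY = build_policy("alice", "machine-7", GOLDEN)


if __name__ == "__main__":
    print("approved machine:", authorise(POLICY, "alice", "machine-7", GOLDEN))
    print("extra program:   ", authorise(POLICY, "alice", "machine-7", GOLDEN + ["unknown-tool"]))
    print("browser updated: ", authorise(POLICY, "alice", "machine-7",
                                         ["bootloader-1.0", "kernel-5.4", "browser-1.1"]))
```

The third case is the deployment problem of 11.36 in miniature: a routine browser update changes the measured value just as an unknown program does, so the prescribed value must be re-issued for every legitimate software change.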

Black hole and sinkhole routing

11.37           Black hole and sinkhole routing are two different techniques for diverting and combating malicious web traffic, particularly Distributed Denial of Service (DDoS) attacks.

11.38           Black hole routing is the practice of, when a computer is under attack, redirecting all traffic attempting to reach the computer to a null, inactive router, a ‘black hole’. This Internet traffic, including the malicious elements, then has nowhere to go and is discarded. This prevents the attack on the computer, but also blocks any legitimate traffic that may be present.[43]

11.39           Sinkhole routing refers to the practice of, when a computer comes under attack, redirecting all web traffic flowing towards that computer through a router which evaluates the traffic, a ‘sinkhole’. This sinkhole router analyses, blocks and traces any malicious traffic while permitting benign web traffic to continue on to its destination. Unlike black hole routing, sinkhole routing permits a computer to continue to receive web traffic during a web attack, but may be less able to effectively handle web attacks involving large amounts of data.[44]
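The trade-off between the two techniques can be shown with a small routing simulation, added here as an illustration rather than anything from the report. Constructed packets from a few legitimate customers and from several flooding sources are all addressed to one victim host; the same traffic is then passed through a black-hole rule, which discards everything addressed to the victim, and through a sinkhole, which lets each source through until it exceeds a per-source packet threshold and then drops and records that source. The addresses (IANA documentation ranges), the threshold of 50 packets and the function names are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


VICTIM = "192.0.2.10"      # constructed: the host under attack
FLOOD_THRESHOLD = 50       # assumed: packets from one source before it is judged hostile


def build_attack_traffic():
    """Constructed traffic: a few real customers plus a flood from five sources."""
    packets = []
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        packets += [Packet(src, VICTIM)] * 2            # legitimate, low rate
    for i in range(1, 6):
        packets += [Packet(f"203.0.113.{i}", VICTIM)] * 100   # flooding sources
    packets.append(Packet("198.51.100.9", "192.0.2.20"))       # unrelated host
    return packets


def black_hole(packets, victim=VICTIM):
    """Black hole: every packet for the victim is discarded, good or bad,
    and nothing is learned about who sent it."""
    delivered, dropped = Counter(), 0
    for p in packets:
        if p.dst == victim:
            dropped += 1
        else:
            delivered[p.dst] += 1
    return {"delivered": dict(delivered), "dropped": dropped, "traced": set()}


def sinkhole(packets, victim=VICTIM, threshold=FLOOD_THRESHOLD):
    """Sinkhole: traffic for the victim is inspected; a source is dropped and
    recorded once it exceeds the threshold, everything else is forwarded."""
    seen, delivered, dropped, traced = Counter(), Counter(), 0, set()
    for p in packets:
        if p.dst != victim:
            delivered[p.dst] += 1
            continue
        seen[p.src] += 1
        if seen[p.src] > threshold:
            dropped += 1
            traced.add(p.src)
        else:
            delivered[p.dst] += 1
    return {"delivered": dict(delivered), "dropped": dropped, "traced": traced}


if __name__ == "__main__":
    traffic = build_attack_traffic()
    for name, fn in (("black hole", black_hole), ("sinkhole", sinkhole)):
        r = fn(traffic)
        print(f"{name:10} delivered={r['delivered']} dropped={r['dropped']} traced={sorted(r['traced'])}")
```

The numbers make the report's two observations visible: the black hole drops all 506 packets for the victim, the six legitimate ones included, while the sinkhole delivers those six and names the five flooding sources, but the first 50 packets from each of them still reach the victim before the threshold trips, which is why a sinkhole copes less well as the attack volume grows.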

Program monitoring

11.40           Timesavers International Pty Ltd, an Australian e-security developer, informed the Committee of a new approach to preventing malware infections, as achieved by their new ‘CyberForceField’ (CFF) software. Modern user-friendly programs (including many anti-virus programs) carry out a number of automatic functions, such as communicating with other programs, downloading updates, scanning hard drives and sending information to the developer. These functions can be subverted to shut down anti-virus protection, install malware on computers and intercept information. Timesavers’ CFF monitors the activity of all programs according to rules and security levels set by the user. CFF then restricts any functions that could expose the system to malware.[45]

11.41           Timesavers submitted that CFF represents a significantly different approach to e-security than the products of established and dominant e-security companies. Timesavers argued that, as a small enterprise, it is hard to gain entry into the wider e-security markets. Timesavers called upon the Government to support innovative small enterprises to gain access to such markets.[46]

Developing and implementing anti-cyber crime measures

11.42           Contributors to the inquiry argued that the Government could assist in the development of new anti-cyber crime techniques and technologies through the National Broadband Network (NBN) and by creating incentives for the development and uptake of anti-cyber crime measures.

11.43           The Committee heard that the NBN represents an opportunity for the Government to make the online environment more secure for Australian Internet users. A number of methods were suggested, including:

•  using the publicity surrounding the NBN to raise awareness and increase the uptake of online security technologies;[47]

•  integrating security technologies into the infrastructure of the NBN;[48] and

•  utilising the increased speed of the NBN to deliver a ‘cloud service’ for internet security (where all users may access the internet through a central security mechanism, rather than via individual security mechanisms for each computer).[49]

11.44           It was argued that such initiatives could be furthered through partnering with industry and through allocating a percentage of the NBN’s budget to security measures.[50]

11.45           Contributors also canvassed a range of ways to nurture the development and implementation of new security measures:

•  engaging with, and harnessing the technical knowledge of, the highly coordinated engineering community that builds and runs the internet, in order to inform policy and to implement new security measures;[51]

•  continuing to ensure a healthy, diverse and innovative market place for Internet security companies, which evolves and keeps pace with new cyber security threats;[52]

•  encouraging software vendors to promote products that have been developed to international software and hardware security standards;[53] and

•  providing financial incentives for Australian home users and small businesses to take up further technical online security measures.[54]

Committee View

11.46           The Committee is of the view that, while no single technology will solve the problem of cyber crime, the continually evolving nature of cyber crime will require innovative and creative responses. Part of this response will be technical devices that strengthen protections for the network. It is important that Australia foster an environment that values research and innovation, and recognises that important technical innovations can arise from a plethora of sources.

11.47           The global IT corporations bring enormous expertise and capacity to commercialise new products, but breakthrough technologies often result from the inventiveness and creativity of dedicated individuals, small companies, and Australia’s world class science and technology researchers.

11.48           The Committee concludes that the Government should consider the value of any current and emerging measures that may combat cyber crime, including the measures outlined in this chapter. The Committee is also of the view that the Government should consider ways to encourage the development and uptake of online security mechanisms, including through the NBN, industry partnerships and market incentives.

 

Ms Belinda Neal MP

Chair

 
