Chapter 7: Protecting the Integrity of the Internet
Total Page:16
File Type:pdf, Size:1020Kb
7 Protecting the Integrity of the Internet Introduction 7.1 This chapter discusses current and future initiatives for promoting a more secure Internet environment. In particular, it considers the role of the Australian Communications and Media Authority (ACMA), Internet Service Providers (ISPs), and Domain Name Registrars and Resellers in promoting greater resilience within the Australian Internet networks. 7.2 The chapter focuses on six key issues: the effectiveness of the Australian Internet Security Initiative (AISI) to detect and drive the remediation of bots; the role of ISPs in the AISI and the proposed Internet industry e- security code of practice; remediation of infected computers; ACMA‟s capacity to respond to the threat of compromised websites; ACMA‟s spam reporting initiative and the role of ISPs under the Spam Code of Practice; and e-security and the Domain Name Registration System. Australian Internet Security Initiative 7.3 The ACMA is a statutory authority within the Australian Government portfolio of Broadband, Communications and the Digital Economy. The 128 HACKERS, FRAUDSTERS AND BOTNETS: TACKLING THE PROBLEM OF CYBER CRIME ACMA is responsible for regulating broadcasting, the Internet, radio communications and telecommunications.1 7.4 The ACMA developed the AISI in 2005. The AISI identifies computers operating on the Australian Internet that have been infected by malware and are able to be controlled for illegal activities.2 The Committee was told that AISI has been progressively expanded over time and has attracted international interest.3 7.5 As noted previously in this report, 99 per cent of spam is sent from botnets.4 Spam email is one of the primary vectors of malware and the dissemination of scams and phishing attacks on end users. By detecting malware infected computers, regulators can address the problem of spam and make strategic in roads into the problem of botnets. The AISI recognises that link and is intended to target the source of the spam problem by detecting compromised machines and botnet activity.5 7.6 In essence, AISI is a „data handler‟ system that collates data into one central database and enables ACMA to standardise the information. ACMA issues daily reports to ISPs about types of compromises detected in their customers‟ machines.6 ACMA explained: Through the AISI, the ACMA collects data from various sources identifying IP address that have been detected as exhibiting „bot‟ behaviour on the Australian internet. Using this data, the ACMA provides daily reports to participating … ISPs identifying IP addresses on their networks that have been reported as compromised (infected with malware) in the previous 24-hour period.7 7.7 There has been a steady increase in the number of compromises reported daily through the AISI, and „a marked increase since March 2009‟.8 In June 2009, ACMA was reporting more than 10,000 individual compromises per day to Australian ISPs. At the hearing on 21 October 2009, Mr Bruce Mathews, Acting Executive Manager, Strategy and Coordination Branch, ACMA, submitted that the prevalence of botnets on the Australian 1 The ACMA was established on 1 July 2005 by the merger of the Australian Broadcasting Authority and the Australian Communications Authority. 2 ACMA, Submission 56, p.3. 3 Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October, 2009, p.2. 4 Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October 2009, p.10. 5 ACMA, Submission 56, p.3. 6 Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October 2009, p.7. 7 ACMA, Submission 56, p.3. 8 ACMA, Submission 56, p.5. PROTECTING THE INTEGRITY OF THE INTERNET 129 internet remains of considerable concern and warrants the attention of the Committee.9 7.8 The data obtained through AISI is expanding due to: an increase in the number of sources and improvements in compromise data resulting in the identification of more malware types and infected machines; an expansion in the number of ISPs participating in AISI providing greater coverage of Australian IP addresses; an expansion of IP address ranges by ISPs to provide for customer growth; and more comprehensive IP address range information provided to ACMA.10 7.9 The Committee was also told that the increased number of reported compromised machines has required a „substantial increase in ACMA resources‟: ACMA‟s interaction with ISPs and their customers – the latter being usually via the ISP – has increased markedly since March 2009. These most generally involve the ACMA providing further information on individual compromise reports in response to enquiries.11 7.10 The effectiveness of the AISI depends on three elements: access to information on zombie computers and botnet activity; the willingness and capacity of ISPs to take action; and the ability of end users to remediate infected computers and protect themselves in the future. 7.11 These issues are discussed in the following sections. Access to Network Data 7.12 Access to network data is vital to detecting IP addresses of compromised machines and botnet activity. ACMA told the Committee that network 9 Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October, p.2. 10 ACMA, Submission 56, p.5. 11 ACMA, Submission 56, p.8. 130 HACKERS, FRAUDSTERS AND BOTNETS: TACKLING THE PROBLEM OF CYBER CRIME data comes from a range of sources, including some on a confidential basis: The AISI collects data from a number of parties who run honeypots, spamtraps, sinkholes and other mechanisms for the purpose of identifying compromised hosts or other malicious activities on the internet.12 7.13 To ensure access to this information ACMA often agrees „not to disclose the operations, tools, methods and infrastructure utilised by its partners‟.13 The publicly acknowledged sources are The Shadowserver Foundation14, The Australian Honeynet Project,15 and SORBS (Spam and Open Relay Blocking System).16 The ACMA also operates its own honeypots and spamtraps.17 7.14 The Committee heard there is also a vast wealth of network intelligence available from global IT companies that could be tapped by government. As noted in Chapter 5, Symantec told the Committee that it possesses a rich repository of intelligence data. The issues raised by Symantec in relation to sharing real time cyber threat intelligence are also relevant to the sharing of network data in the context of AISI. In particular, the extent to which authorities monitor the data, who the data is shared with, where the data is stored and legal implications regarding privacy are all pertinent. 7.15 Sophos also pointed out the high commercial value of data from filtering technologies that identify the IP addresses of botnets. The Committee was told that this data is not likely to be shared openly between competitors.18 7.16 Sophos said: Although ACMA/AISI is already tackling this problem, with additional co-operation … Australia could be seen to be leading the world in anti-botnet activity, and to encourage such a process to be rolled out as worldwide best practice.19 12 ACMA, Supplementary Submission 56.1, p.2. 13 ACMA, Supplementary Submission 56.1, p.2. 14 <http://www.shadowserver.org/>. 15 <http://www.honeynet.org.au/>. 16 <http://www.au.sorbs.net/>. 17 ACMA, Supplementary Submission 56.1, p.2. 18 Sophos, Submission 66, p.6. 19 Sophos, Submission 66, p.6. PROTECTING THE INTEGRITY OF THE INTERNET 131 7.17 As a step toward greater cooperation with the private sector, Sophos proposed that interested security vendors, together with government, should consider mechanisms to increase data sharing on botnets.20 Internet Industry Participation 7.18 The Internet industry has grown rapidly over the past decade and it was estimated there are now between five to six hundred ISPs currently operating in Australia.21 Although large companies such as Telstra and Optus have the largest share of the market, a significant proportion of the industry is made up of small providers. Elsewhere it has been estimated that more than a quarter of ISPs have an annual turnover of less than $3 million.22 7.19 The Committee heard that ISPs occupy a unique position as the only party that can link an individual user to an IP address identified by AISI.23 And ACMA emphasised the importance of this role in the overall national strategy to combat cyber crime.24 7.20 The AISI started as a pilot project in 2005 with six ISPs. The Committee was told that „the 2007 Budget allocated approximately $4.7 million (over four years) to enable the expansion of the AISI to all Australian ISPs who wish to participate‟.25 There are now 71 ISPs participating in the scheme, which ACMA estimated covers 90 per cent of Australian residential customers.26 7.21 ACMA‟s published statement to the ISPs states: There are no costs to ISPs associated with participation in the AISI. It is a free service provided by ACMA to assist in reducing spam and to improve the security level of the Australian internet. By participating, you will contribute to the overall reduction of spam and e-security compromises, thereby reducing costs for all ISPs.27 7.22 The ACMA also states that: 20 Sophos, Submission 66, p.6. 21 Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October 2009, p.6. 22 See ALRC Report 108, pp.1330-1331; see also, Office of the Privacy Commissioner, Submission Draft Internet Industry Association eSecurity Code of Practice, p.3. 23 Mr Keith Besgrove, DBCDE, Transcript of Evidence, 25 November, 2009, p.9. 24 ACMA, Submission 56, p.23. 25 IIA, Submission 54, p.7. 26 ACMA, Submission 56, p.3; Mr Bruce Mathews, ACMA, Transcript of Evidence, 21 October 2009, p.1. 27 <http://www.acma.gov.au>, viewed 27 May 2010.