Crushing the Web's dark forces


Until today, Jo Stewart-Rattray remains wary of Internet banking.

"I personally do not recommend it," she told ZDNet Australia recently. When asked what keeps her awake at night, she said: "The idea of acceptable risk in the banking and finance sector when it comes to online and credit card transactions!"

As director of Information Security at Vectra, an Australia-based security consultancy and IT specialist, Stewart-Rattray is more than qualified to talk. She has extensive experience in IT security, providing corporate clients with strategic and technical information security services, vulnerability assessments and business risk guidance throughout the Asia-Pacific region.

The $18 million company caters to a variety of enterprises which hail from banking and finance, transport, manufacturing, retail, health and government sectors.

When and how did your career in computer crime investigation/forensics begin?
Stewart-Rattray: Whilst I was working in the utilities sector I was involved in investigating potential misuse of corporate IT services together with tracking down a cyber stalker and an identity thief!

What's a normal day at work like?
Stewart-Rattray: Not entirely sure that I know what a normal day is!

I spend a lot of time educating senior management about the dangers of the Net and the need for low level in-house forensics capability. Much of my day is spent liaising with and I guess interpreting for technical resources and translating their output into management speak.

What is the most challenging crime you've ever pursued/still pursuing?
Stewart-Rattray: The most emotionally draining was the case of a cyber stalker. A lot of my psych skills were required.

This case also required us to be squeaky clean because of the potential legal ramifications.

Who, in your opinion, is the most dangerous cybercriminal and why?
Stewart-Rattray: Anyone who uses people and exploits natural human conditions can be extremely dangerous. A social engineer is of course a good example of this. These people do not use technology to gain access to sensitive information in the first instance but rather use any organisation's weakest link to gain access …its people.

Which group/gang is the most dangerous online and why?
Stewart-Rattray: Any group in it for the ego trip ... hacking, cracking, or indeed, phreaking, simply because they can.

The damage in terms of leaked information can be immense costing organisation's their reputations along the way.

How is your work performance measured?
Stewart-Rattray: As my consulting team is engaged by corporations to track down internal issues or external attacks, our success is measured by our ability to secure their environment or our ability to prevent the environment from being breached.

Describe, in-length if possible, your most successful bust?
Stewart-Rattray: One I would prefer not to answer.

We've read stories about criminal gangs allegedly blackmailing online betting companies, threatening denial of service attacks unless they pay up ... is this a common occurrence and if not, do you see this type of activity increasing? Any idea who's behind this or where these gangs originate from? Is it advisable for victims to report such activity if they're threatened?
Stewart-Rattray: Any such activity should be reported to the e-crime unit of the police service in each state. It's commonly thought that such activity emanates from behind the old Iron Curtain. These are not, according to police statistics, a common occurrence in Australia at present.

In terms of ranking, list your top 5 cybercrime categories
Stewart-Rattray: According to local eCrime statistics for computer-related crimes, they are:

  • Porn (24 percent)
  • Fraud (19 percent)
  • Drugs (16 percent)
  • Sex (11 percent)
  • Assault/Harassment (8 percent)
  • Homicide (5 percent)
  • Larceny (4 percent)
  • Identity (3 percent)
  • Terrorism (1 percent)
  • Access (1 percent)

In working with local and international law enforcement agencies, what do you find most challenging? Red tape? Language barriers?
Stewart-Rattray: Jurisdictional issues!

What more needs to be done to fight cybercrime?
Stewart-Rattray: Ensure that law enforcement agencies have the staffing and technical levels required to fight the growing number of computer-related and computer-assisted crimes.

Organisations need also to be aware of their responsibilities in relation to good governance practices with regard to information security.

Which area of law enforcement requires the most funding to fight cybercrimes and why?
Stewart-Rattray: State police services have little funding. A lot of funding is allocated to the federal sector and for research into policing methodology however, at state level, e-crime units seem to be under staffed and have a great deal of trouble keeping people with good technical skills as they are often poached by the private sector. This issue relates directly to salary discrepancies in the public and private sectors.

The youth of today are brought up in an environment surrounded by computers and high-tech gadgets. Do you forsee a time when the number of computer crimes will exceed traditional crimes (such as petty theft, mugging, bank robberies etc)?
Stewart-Rattray: Not everyone is going to want to sit up nights in a darkened room by themselves playing at being a super nerd. There will always be crimes that include blood and guts and manual means.

What keeps you up at night?
Stewart-Rattray: The idea of acceptable risk in the banking and finance sector when it comes to online and credit card transactions!

Would you recommend Internet Explorer or other browsers such as Firefox and Opera for financial transactions over the Net?
Stewart-Rattray: I personally do not recommend Internet banking. As for transactions such as purchases over the Net ... there is always a risk involved, the idea is to minimise it. Currently Firefox is picking up momentum in this space.

Is Linux really more secure than Windows?
Stewart-Rattray: More holes are being found in Linux every day. It should be remembered, that in the world of hacking, where there's a will there's always going to be a way!

Updated 3 August 2005 7:00PM

< Prev 1 2 3 4 5 6 Next >
Advertisement

Print feature brought to you by Hewlett Packard

Talkback 24 comments

  1. cool dr G -- 01/08/05

    this is awesome! well done!

    1. fghjk Anonymous -- 28/05/08

      My favorite megaupload files search engine is http://megauploadfiles.com
      it’s the most powerful and easy to use.

      <a href="http://megauploadfiles.com "> megaupload files</a>
      provides relevant search results.

  2. Marketing speak Anonymous -- 02/08/05

    it's hollywood

    1. open abt stats marketing guru -- 02/08/05

      surprising to see how open AM is abt stats given ebay is a listed company. interesting...

  3. this guy is so PR tony -- 02/08/05

    for a veteran of 15 years, he has some really good marketing skills/speak

  4. Please choose a better interviewee for the others Craig Burton -- 02/08/05

    It is pretty clear this security person is executing the policy "don't give away more information than you have to".
    This doesn't make for a very useful or interesting article as it has neither a human element or any technical value.
    In fact, this approach is rather dubious as the world moves rapidly to open systems and standards. Can I ask if you can interview someone who provides security for a more "open" organisation?
    Best,
    Craig.

  5. Just PR for eBay Anonymous -- 02/08/05

    This might be interesting for people who know nothing about security.

    I felt it was more about making people "warm and fuzzy" about eBay and their online auctions.

    Where's Alastair MacGibbon? He's departed to don his Superman Cape and undies!

  6. pirated software - ebay security? PS -- 02/08/05

    Check this thread on ebay's forums about their allowing of masses of pirated software sold on ebay, and they call this security?
    http://forums.ebay.com.au/thread.jspa?threadID=100071539&tstart=0&mod=1122954689382

  7. New Zealanders know more than Australians Anonymous -- 02/08/05

    "eBay recognises the importance of educating Australians on shopping safely online"

    That must mean eBay doesn't think they need to educate New Zealanders. Which does fit the statistics.

  8. How the hell did Alastair get choosen as no.1 or at all... Craig S Wright -- 03/08/05

    I have known and dealt with Alistair from his time in the Feds, from the high tech crime days etc

    And.. Sorry Alistair, but you are ok-good as a manager, but there is no way I would ever think of classifying you as a security person in any sense of the word.

    Being an Ex cop has not given you the necessary skills in security.

    1. I agree. Anonymous -- 26/08/05

      You'll notice that these guys seem to stay in a position for about 2 years.

      That's the length of time that passes until their BS starts to catch up with them and.. hey presto!, it's off to the new job!

      I know this guy too, from the AHTCC.... he is absolutely clueless.

      His skillset seems to consist of "Buzzword generation 101" and "Get as many tickets to present at conferences as possible so Industry thinks I know what I'm talking about and hire me for the big bux".

      Same goes for the Vectra woman... CLUELESS, it's all PR-speak, smoke and mirrors!

      Only decent one out of the lot is the ex FBI woman.

    2. Alistair email request David Jason -- 26/10/06

      I need to contact Alistair MacGibbon Urgently and would ask for his email address or contact phone number.
      Thanks

  9. Why oh why. Anonymous -- 09/08/05

    Jo Stewart.
    Top 5 .. Missing 8%.
    There's down to 1% listed, so missing 8% is quite alot....
    "dont use internet banking"... How many internet banking transaction are there each second, and just how many are corrupted?
    See things in perspektive please.

    McAdam - Thank you. About time that there is some more focus on the ignorance problem in all of IT. No matter how good a security company, banking what ever you are, you cant really do anything about a user that opens malicious code from a email.
    Basicly the email asks
    "Is it Ok to open this potentielle computer deadly virus"
    And without giving it a second thought users presses
    "I'll give it a try"
    ........

    Soon the biggest threat is not crackers(Not hackers), but those wannabee IT "professionels" selling expensive solutions to unknowning companies.
    ........

    1. heh Anonymous -- 26/08/05

      soon this is the biggest threat? this is what IT is based on. now give me some money.

  10. Crushing the Web - Day 3 Anonymous -- 10/08/05

    Support comments from anon on Aug 9 - especially the comment "those wannabee IT "professionals" selling expensive solutions to unknowning companies".

    I dont think Rattray has much experience based on the quesiton responses, it sounds more like marketing speak and look at me than real security speak.

    1. Yep. Anonymous -- 27/08/05

      Ratray would have no idea.

      In fact, only Day2 and DAy5 appear to have any idea at all.

      This story is a farce.

      None of these clowns would be permitted into the carpark of where I work.

      And yes, we do know of 3 of those people, and their reputations amongst those "in the know" are very poor.

      ZDnet, next time try to find some real IT Security experts, not jst the first 5 glossy brochures you got in the mail that morning.

    2. Agreed Jane B -- 12/09/05

      I work within the B&F industry and it appears like many service providers, Jo and the others interviewed have limited practical security experience. The responses given appear to be very research orientated not experience based. Agree with other comments, Please consider better people for interviws ZDNet.

  11. what a load of cynical PR speak!!!!! Anonymous -- 19/08/05

    what a load of cynical PR speak!!!!! This is why we have all learned to mistrust the talk from big business.....its so predictable and like the complaint mechanisms on Ebay it just goes around in every diminishing circles.

  12. Oh Please...... Michael Davies -- 15/09/05

    Dont use the internet for banking or credit cards for purchases....Oh please....You must not sleep at all then....

    Her recommendation must be to go back to non technology based businesses and use piggy banks and bank books for saving our money and no doubt use cash for everything.

    Why not discuss how to manage the risk then? That would be more interesting.

    Dissappointing artcle.

  13. Laura Chappell is one of the most talented security experts - Great Interview Robert Becker -- 24/10/05

    I have had the pleasure to attend a few of Laura Chappell's training sessions, and can tell you that she is by far the most knowledgeable and experienced Digital security professional I have ever met. If you ever get the chance to attend one of her sessions, do - Laura is an experience. If you need to learn how to protect your computer infrastructure, Laura's training is invaluable, and the best bang for your buck. If Laura is fighting against Internet predators and child pornography, then you can bet that she will make a difference.

    1. Ms. Chappell Ron L Jennings -- 25/10/05

      I want to extend a huge thank you to MS.Chappell. I have tried to start a group called Kid Safe Internet for two years. That is why the article caught my eye. I hate people who abuse kids and pets and I will do everything within my power to stop or catch anyone who abuses them.
      Perhaps I should tell a little about my self so this post will have all the dots connected when I am done.
      This post may be a bit long, so if you are one of those who can't stay intrested for more than 60 seconds, you might want to stop reading now. Otherwise, I would like to thank you for reading my post on how I helped catch a sexual predator. I will do my best to describe months of work in as few words as possible.
      I am not as well trained as some but I have worked hard to train myself and find the best books on computer crimes.
      I belong to CSI and I have Microisoft, Cisco, etc. training in computer security. In the mid seventies my Uncle owned a bounty hunting business. He thaught me how to think like the people we were hunting.
      It was that training that lead me to this scum bags favorite place to lure children. It started out with me tracking a hack in my system. I was very new to computers at the time and my hack knew this. He would leave a trail just to show me I was unable to catch him.
      I had a lot to learn if I was going to get anything on this guy. His vaintiy and lack of respect was enough to keep me going. I found he would hide his program in MSFT Office file downloads and wait for e-mails to be sent to certain businesses. I never tried to just get him out of my system .I needed to learn how he was getting the data he wanted. He would even send email and IM's to me bragging on how he could steal information from Doctor lists, Drug Stores, CPA firms etc. Thats when I decided to try to befriend him. I told him gthat being a goodguy was not paying well and that I would like to learn from someone as good as him about how to steal information. He was so blind in his vainity that he never suspected a thing. To make a very long story short, he lead me to an underground part of the net I had never seen before. There were rooms for trading children pics doing anything and everything. Rooms were parents wanted to trade kids and would describe the child they had to offer and what they were looking for. I was shocked at how many members these rooms had. The biggest shock was how many members were women.
      I called the police deparment and was only told that I was eithier a part of it
      or I should just stop going there. I could not believe what I was hearing.
      My hacker would ask me if I had ever "caught fresh white meat?"
      That is when I knew I had to do something. I knew I should CMA, so I told a few people what I was doing and why. Then I logged on onto a different computer, went to where I thought this creep would be "trolling" as he callled it. I then prented to be a shy young girl who was unhappy with my homelife. He fell for it.
      He asked me to go into a private chat that was hosted by a well known ISP.
      Thats when I used what little computer protocols I knew to contact the milatry or anyone with authourity that was listening. He is now in a federal prision. Believe it or not that creep was in the service.
      I hope to one day be half as good as Ms. Chappell. Working toghter we can keep our kids safe
      they count on us to protect them. Let's not let them down.

  14. Dull read Anonymous -- 27/07/06

    This story was dull, and the questions terrible lame.
    It gave us no information at all, and security 'experts' just stonewalling with 'no comments' is not worth the pixels it is written on.
    Do better than this PLEASE!

  15. You are arguing the other party's case! Anonymous -- 21/04/08

    If fraud makes up only 1/100th of 1%, why are you breaching trade practices? You talk about stamping out wrongdoings, yet you yourself have set in motion a serious violation of law... third line forcing is unlawful, and no amount of sabre-rattling will change the fact that you are attempting to operate outside the law!

  16. So what happened to ethics? Anonymous -- 26/06/08

    I see fraud does little to stop notoriety. Ms Steward Rattray should learn to write her own material and not steal copyright.

    The article “by” Jo Stewart-Rattray titled “Information Security Governance: the nuts and bolts”.
    http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf is a perfect example.

    I quote “by” as this publication is significantly plagiarized. Over 25% of the document is directly copied and a large amount is paraphrased without accreditation. I have read the majority of it as the article in Information Systems Control Journal, Volume 5, 2001, “Harnessing IT for Secure, Profitable Use” by Erik Guldentops, CISA. Basically, the article is stolen. She has claimed the work of another as her own. So much for running a security company.

    Whatever happened to ethics in IT Security?

    Plagiarism is theft. It is a criminal copyright breach. This is fraud.

Add your opinion


Back to top

Featured