Crushing the Web's dark forces


An "accidental" ethical hacker. That's how Robert McAdam describes himself.

Attached to the New South Wales Police for many years, McAdam was lured to the private sector during his time at IBM while working on the Sydney Olympics.

He left Big Blue to pursue his dream of running his own company and founded Pure Hacking, a Sydney-based security consultancy.

When and how did your career in computer crime investigation begin?
McAdam: Quite by accident, I was working for IBM as a Project Manager on the Olympics and it was suggested by a colleague that I come across to the Security Practice. Given my work history in policing, and now Pure Hacking, I have a core personal value around making others safe.

What's a normal day at Pure Hacking like?
McAdam: Ensure the electronic systems are functioning as expected (and they always do). Read the latest security advisories, check sites which have been hacked over the last 24 hours, and respond to current and new client queries.

Then we start hacking.

What is the most challenging crime you've ever pursued?
McAdam: A financial institution was being extorted. A hacker had infiltrated the systems and was extorting the business for financial gain. At the time, the business thought it was over. Pure Hacking stopped the extorter and the business is still running today so it's a great result. Can't provide more details.

Who, in your opinion, is the most dangerous cybercriminal and why?
McAdam: A bored employee. They are the most dangerous because they are in a trust relationship. The most common offender in most crimes are those you trust -- the Internet is no different.

Which group/gang is the most dangerous online and why?
McAdam: We've only dealt with individuals acting independently for personal gain, not organised crime.

Describe, in-length if possible, your most successful bust?
McAdam: With a 9 year career in policing, there are many war stories. In IT Security, law enforcement is not a focus. For those issues, the client wants the problem fixed and that's it.

We've read stories about criminal gangs allegedly blackmailing online betting companies, threatening denial of service attacks unless they pay up ... is this a common occurrence and if not, do you see this type of activity increasing? Is it advisable for victims to report such activity if they're threatened?
McAdam: In Pure Hacking's experience, this is not a common occurrence (common being a daily or weekly event). The victims really should contact the authorities in these circumstances as they have significant resources either directly or indirectly. These resources may be available in-house, or through their relationships with other law enforcement agencies. It pays to tap into another's network -- especially when it's all that they do.

What are the top five cybercrimes?
McAdam: As follows:

  • Virus writing
  • Ignorant users opening up attachments
  • Social engineering -- relying on good manners or ignorance to gain illegal access
  • Replicas of Web sites
  • Using the Internet as a vehicle to wage a personal attack on an individual -- relating to domestic violence issues

What more needs to be done to fight cybercrime?
McAdam: Education, Education, Education. The tools exist to protect an environment and businesses misconfigure them, or let security lapse. Security is an ongoing process.

Which area of law enforcement requires the most funding to fight cybercrimes and why?
McAdam: Again, education. Simply stated, the criminals know and profit from individuals' ignorance.

The youth of today are brought up in an environment surrounded by computers and high-tech gadgets. Do you forsee a time when the number of computer crimes will exceed traditional crimes (such as petty theft, mugging, bank robberies etc)?
McAdam: In relation to crimes, petty theft and bank robberies are at different ends of the spectrum for the victims and the offenders.

I do not see Internet crime exceeding traditional crimes because the level of knowledge required to bring a bank down [offline] is usually significant. In contrast, to obtain a firearm and to walk into a bank is relatively simple.

I believe it is the same trend on the Internet as in the 'real world'. Repeat offenders will generate most of the problems.

Would you recommend Internet Explorer or other browsers such as Firefox and Opera for financial transactions over the Net?
McAdam: Firefox has significantly less vulnerabilities, but poor site design and programming means that a site can only operate securely on the IE platform. Pure Hacking uses Firefox when testing.

Is Linux really more secure than Windows?
McAdam: No

Updated 4 August 2005 5:30PM

< Prev 1 2 3 4 5 6 Next >

Talkback 24 comments

    cool dr G -- 01/08/05 (in reply to #120119713)

    this is awesome! well done!

    fghjk Anonymous -- 28/05/08 (in reply to #120119714)

    My favorite megaupload files search engine is http://megauploadfiles.com
    it’s the most powerful and easy to use.

    <a href="http://megauploadfiles.com "> megaupload files</a>
    provides relevant search results.

    open abt stats marketing guru -- 02/08/05 (in reply to #120119723)

    surprising to see how open AM is abt stats given ebay is a listed company. interesting...

    this guy is so PR tony -- 02/08/05

    for a veteran of 15 years, he has some really good marketing skills/speak

    Please choose a better interviewee for the others Craig Burton -- 02/08/05

    It is pretty clear this security person is executing the policy "don't give away more information than you have to".
    This doesn't make for a very useful or interesting article as it has neither a human element or any technical value.
    In fact, this approach is rather dubious as the world moves rapidly to open systems and standards. Can I ask if you can interview someone who provides security for a more "open" organisation?
    Best,
    Craig.

    Just PR for eBay Anonymous -- 02/08/05

    This might be interesting for people who know nothing about security.

    I felt it was more about making people "warm and fuzzy" about eBay and their online auctions.

    Where's Alastair MacGibbon? He's departed to don his Superman Cape and undies!

    pirated software - ebay security? PS -- 02/08/05

    Check this thread on ebay's forums about their allowing of masses of pirated software sold on ebay, and they call this security?
    http://forums.ebay.com.au/thread.jspa?threadID=100071539&tstart=0&mod=1122954689382

    New Zealanders know more than Australians Anonymous -- 02/08/05

    "eBay recognises the importance of educating Australians on shopping safely online"

    That must mean eBay doesn't think they need to educate New Zealanders. Which does fit the statistics.

    How the hell did Alastair get choosen as no.1 or at all... Craig S Wright -- 03/08/05

    I have known and dealt with Alistair from his time in the Feds, from the high tech crime days etc

    And.. Sorry Alistair, but you are ok-good as a manager, but there is no way I would ever think of classifying you as a security person in any sense of the word.

    Being an Ex cop has not given you the necessary skills in security.

    I agree. Anonymous -- 26/08/05 (in reply to #120119789)

    You'll notice that these guys seem to stay in a position for about 2 years.

    That's the length of time that passes until their BS starts to catch up with them and.. hey presto!, it's off to the new job!

    I know this guy too, from the AHTCC.... he is absolutely clueless.

    His skillset seems to consist of "Buzzword generation 101" and "Get as many tickets to present at conferences as possible so Industry thinks I know what I'm talking about and hire me for the big bux".

    Same goes for the Vectra woman... CLUELESS, it's all PR-speak, smoke and mirrors!

    Only decent one out of the lot is the ex FBI woman.

    Alistair email request David Jason -- 26/10/06 (in reply to #120119789)

    I need to contact Alistair MacGibbon Urgently and would ask for his email address or contact phone number.
    Thanks

    Why oh why. Anonymous -- 09/08/05

    Jo Stewart.
    Top 5 .. Missing 8%.
    There's down to 1% listed, so missing 8% is quite alot....
    "dont use internet banking"... How many internet banking transaction are there each second, and just how many are corrupted?
    See things in perspektive please.

    McAdam - Thank you. About time that there is some more focus on the ignorance problem in all of IT. No matter how good a security company, banking what ever you are, you cant really do anything about a user that opens malicious code from a email.
    Basicly the email asks
    "Is it Ok to open this potentielle computer deadly virus"
    And without giving it a second thought users presses
    "I'll give it a try"
    ........

    Soon the biggest threat is not crackers(Not hackers), but those wannabee IT "professionels" selling expensive solutions to unknowning companies.
    ........

    heh Anonymous -- 26/08/05 (in reply to #120119986)

    soon this is the biggest threat? this is what IT is based on. now give me some money.

    Crushing the Web - Day 3 Anonymous -- 10/08/05

    Support comments from anon on Aug 9 - especially the comment "those wannabee IT "professionals" selling expensive solutions to unknowning companies".

    I dont think Rattray has much experience based on the quesiton responses, it sounds more like marketing speak and look at me than real security speak.

    Yep. Anonymous -- 27/08/05 (in reply to #120120015)

    Ratray would have no idea.

    In fact, only Day2 and DAy5 appear to have any idea at all.

    This story is a farce.

    None of these clowns would be permitted into the carpark of where I work.

    And yes, we do know of 3 of those people, and their reputations amongst those "in the know" are very poor.

    ZDnet, next time try to find some real IT Security experts, not jst the first 5 glossy brochures you got in the mail that morning.

    Agreed Jane B -- 12/09/05 (in reply to #120120464)

    I work within the B&F industry and it appears like many service providers, Jo and the others interviewed have limited practical security experience. The responses given appear to be very research orientated not experience based. Agree with other comments, Please consider better people for interviws ZDNet.

    what a load of cynical PR speak!!!!! Anonymous -- 19/08/05

    what a load of cynical PR speak!!!!! This is why we have all learned to mistrust the talk from big business.....its so predictable and like the complaint mechanisms on Ebay it just goes around in every diminishing circles.

    Oh Please...... Michael Davies -- 15/09/05

    Dont use the internet for banking or credit cards for purchases....Oh please....You must not sleep at all then....

    Her recommendation must be to go back to non technology based businesses and use piggy banks and bank books for saving our money and no doubt use cash for everything.

    Why not discuss how to manage the risk then? That would be more interesting.

    Dissappointing artcle.

    Laura Chappell is one of the most talented security experts - Great Interview Robert Becker -- 24/10/05

    I have had the pleasure to attend a few of Laura Chappell's training sessions, and can tell you that she is by far the most knowledgeable and experienced Digital security professional I have ever met. If you ever get the chance to attend one of her sessions, do - Laura is an experience. If you need to learn how to protect your computer infrastructure, Laura's training is invaluable, and the best bang for your buck. If Laura is fighting against Internet predators and child pornography, then you can bet that she will make a difference.

    Ms. Chappell Ron L Jennings -- 25/10/05 (in reply to #120122394)

    I want to extend a huge thank you to MS.Chappell. I have tried to start a group called Kid Safe Internet for two years. That is why the article caught my eye. I hate people who abuse kids and pets and I will do everything within my power to stop or catch anyone who abuses them.
    Perhaps I should tell a little about my self so this post will have all the dots connected when I am done.
    This post may be a bit long, so if you are one of those who can't stay intrested for more than 60 seconds, you might want to stop reading now. Otherwise, I would like to thank you for reading my post on how I helped catch a sexual predator. I will do my best to describe months of work in as few words as possible.
    I am not as well trained as some but I have worked hard to train myself and find the best books on computer crimes.
    I belong to CSI and I have Microisoft, Cisco, etc. training in computer security. In the mid seventies my Uncle owned a bounty hunting business. He thaught me how to think like the people we were hunting.
    It was that training that lead me to this scum bags favorite place to lure children. It started out with me tracking a hack in my system. I was very new to computers at the time and my hack knew this. He would leave a trail just to show me I was unable to catch him.
    I had a lot to learn if I was going to get anything on this guy. His vaintiy and lack of respect was enough to keep me going. I found he would hide his program in MSFT Office file downloads and wait for e-mails to be sent to certain businesses. I never tried to just get him out of my system .I needed to learn how he was getting the data he wanted. He would even send email and IM's to me bragging on how he could steal information from Doctor lists, Drug Stores, CPA firms etc. Thats when I decided to try to befriend him. I told him gthat being a goodguy was not paying well and that I would like to learn from someone as good as him about how to steal information. He was so blind in his vainity that he never suspected a thing. To make a very long story short, he lead me to an underground part of the net I had never seen before. There were rooms for trading children pics doing anything and everything. Rooms were parents wanted to trade kids and would describe the child they had to offer and what they were looking for. I was shocked at how many members these rooms had. The biggest shock was how many members were women.
    I called the police deparment and was only told that I was eithier a part of it
    or I should just stop going there. I could not believe what I was hearing.
    My hacker would ask me if I had ever "caught fresh white meat?"
    That is when I knew I had to do something. I knew I should CMA, so I told a few people what I was doing and why. Then I logged on onto a different computer, went to where I thought this creep would be "trolling" as he callled it. I then prented to be a shy young girl who was unhappy with my homelife. He fell for it.
    He asked me to go into a private chat that was hosted by a well known ISP.
    Thats when I used what little computer protocols I knew to contact the milatry or anyone with authourity that was listening. He is now in a federal prision. Believe it or not that creep was in the service.
    I hope to one day be half as good as Ms. Chappell. Working toghter we can keep our kids safe
    they count on us to protect them. Let's not let them down.

    Dull read Anonymous -- 27/07/06

    This story was dull, and the questions terrible lame.
    It gave us no information at all, and security 'experts' just stonewalling with 'no comments' is not worth the pixels it is written on.
    Do better than this PLEASE!

    You are arguing the other party's case! Anonymous -- 21/04/08

    If fraud makes up only 1/100th of 1%, why are you breaching trade practices? You talk about stamping out wrongdoings, yet you yourself have set in motion a serious violation of law... third line forcing is unlawful, and no amount of sabre-rattling will change the fact that you are attempting to operate outside the law!

    So what happened to ethics? Anonymous -- 26/06/08

    I see fraud does little to stop notoriety. Ms Steward Rattray should learn to write her own material and not steal copyright.

    The article “by” Jo Stewart-Rattray titled “Information Security Governance: the nuts and bolts”.
    http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf is a perfect example.

    I quote “by” as this publication is significantly plagiarized. Over 25% of the document is directly copied and a large amount is paraphrased without accreditation. I have read the majority of it as the article in Information Systems Control Journal, Volume 5, 2001, “Harnessing IT for Secure, Profitable Use” by Erik Guldentops, CISA. Basically, the article is stolen. She has claimed the work of another as her own. So much for running a security company.

    Whatever happened to ethics in IT Security?

    Plagiarism is theft. It is a criminal copyright breach. This is fraud.

Add your opinion

Back to top

Featured