Fraudsters Escape as Laws Bind AusCERT
Darren Pauli writes on ZDNet.com.au:
Efforts by security sleuths AusCERT to inform victims of fraud and identity theft that their details have been hijacked are being torpedoed by laws preventing the reverse-engineering of passwords.
Logs contained within any malware, such as key loggers or trojans, record which information (such as credit card numbers) has been captured from each victim. This enables investigators to ascertain the identity of victims and the extent of their exposure.
These logs, however, are increasingly protected by passwords, following a trend begun around three years ago. Despite AusCERT's government recognition as a crime-fighting organisation, it is not allowed by law to crack the passwords even though they are set by criminals.
AusCERT head Graham Ingram said the logs were previously viewable in plain text, but are now stored in a protected MySQL format.
"They are encrypted and we can't break that by law," he told an audience at the National Security Australia conference in Sydney yesterday.
"The logs can help identify victims who have had credentials stolen."