//Blogs - 9 Oct 2023

30 Years 30 Stories

AusCERT 30 Years 30 Stories – Chris Horsley

Who better to hear from than Chris Horsley, one of the seven security analysts who made up AusCERT's team in the mid-2000s. Chris worked at AusCERT from 2004 to 2006 and is now the Chief Technology Officer at Cosive, a cyber security consultancy based in Melbourne, Sydney and New Zealand. From getting stolen credentials back to their owners to breaking the encryption criminals used to hide them, Chris's account of the evolving cyber world is worth a read.

Can you describe a memorable experience you had while working with AusCERT?

We dealt with a lot of financial malware back in those days — it was the early days of criminals writing malware to steal money from bank accounts, usually by stealing passwords. There was one malware crew who were more sophisticated than the others and they would encrypt their data. To get at their victims, they would place malware on victims' machines, which would upload the credentials to another server. We managed to get our hands on the encrypted data to find out whose data was stolen. We then used cryptographic analysis to work out how they were doing that encryption. We managed to break their encryption and then we went into a big program trying to get those credentials back to the people — the bank customers, the university employees and the government employees. It was a really meaningful job and very interesting in terms of the analysis work required.

Can you briefly describe your role and responsibilities during your time at AusCERT?

Between 2004 and 2006 I was one of AusCERT's security analysts. It was a time when there were only seven of us, meaning we all had to do a bit of everything. We had what we called 'point', where we triaged all the correspondence coming in, whether it was a report about incident handling or a query from a member about how to approach a certain problem. We did a lot of security vulnerability work too and were constantly flooded with new information about patches and vulnerabilities. We had to analyse each and re-bundle them for AusCERT members. Outside of this, we travelled to many conferences because we were the national CERT at this particular point in time. We would go to international conferences and talk to our counterparts in Europe, Asia and the United States. I got a lot of opportunities to go travelling, which was an amazing experience.

With AusCERT’s vast history, did you get to work on the beginning cases of phishing in Australia?

Around 2004, phishing became a big problem in Australia. AusCERT did a lot of groundbreaking work because Australia was one of the first countries to be hit. As a team, we did a lot of analysis to find out how phishing worked, how they ran their servers and where they were, in order to figure out the most effective way for us to take them down. We would often try to chase the credentials and get them back into the hands of the victims.

Recapping on the 30 years AusCERT has been around, how would you say the cyber security landscape has changed?

The cyber security landscape has changed drastically. We didn't have smartphones in this era – it was all desktop machines and there were no self-contained mobile operating systems.

However, despite the changes, phishing is still around and continues to this day. I still do that type of work, and it's 20 years since I joined AusCERT and started working in this industry. One thing that has been a big change in the landscape is how mainstream cyber security has become. In the early days, a lot of companies weren't thinking about cyber security as a problem. Businesses didn't have cyber security officers and the board didn't think about cyber security problems. These days cyber security is very mainstream.

Another big change has been the consideration of the threat of cyber warfare. Back then, a lot of people were debating whether cyber warfare could become 'a thing'. These days, cyber warfare has definitely eventuated, and it's definitely a different playing field in terms of how cyber security and attacks on computer systems are accepted as a serious problem.

What was the most significant security incident you dealt with while at AusCERT?

One of the most significant incidents I dealt with was what I called 'credential repatriation', where I would find financial malware uploading to servers, often gigabytes' worth of stolen credentials. I ended up writing a lot of software that analysed who had got their credentials stolen. I would try to write software as best I could to get their credentials back into the hands of the organisations they were stolen from. I spent a lot of time poring through these logs and trying to get them back into the right hands so that the owners of the accounts could change passwords and remediate the damage. I remember that being very rewarding work.
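The 'credential repatriation' triage Chris describes here (and the drop-server data mentioned in his first answer) boils down to a parsing and grouping job: take a recovered dump of stolen credentials, reject junk records, work out which organisation owns each account, de-duplicate, and produce a per-organisation bundle that can be sent to that organisation's security contact. The following is an added illustration written for this page, not Chris's or AusCERT's software. The pipe-delimited log format, the sample records, the domains and the organisation lookup table are all constructed for the example; the real tooling would have had to cope with whatever format each malware family used and would have matched domains against AusCERT member records. Passwords are masked in the output on purpose: the notification needs to prove an account was exposed, not carry the secret a second time.

```python
"""Credential repatriation triage: constructed example, not the original tooling."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample dump, one record per line in a hypothetical form-grabber
# upload format: "<victim ip>|<timestamp>|<url>|<username>|<password>".
# Deliberately includes a duplicate account seen from two victims, a malformed
# line, and a record with an empty username.
SAMPLE_DUMP = """\
203.0.113.10|2005-03-01T10:12:44|https://ibank.example-bank.com.au/login|jsmith|Pa55word
203.0.113.10|2005-03-01T10:15:02|https://webmail.example.edu.au/|anne.lee|s3cret
198.51.100.7|2005-03-02T08:01:19|http://portal.example.gov.au/auth|bob|hunter2
198.51.100.7|2005-03-02T08:03:55|https://ibank.example-bank.com.au/login|jsmith|Pa55word
malformed line without separators
198.51.100.9|2005-03-02T09:40:00|https://ibank.example-bank.com.au/login||emptyuser
"""

# Hypothetical mapping from a service's registrable domain to the organisation
# that should be notified. In practice this would come from member records.
ORG_BY_DOMAIN = {
    "example-bank.com.au": "Example Bank",
    "example.edu.au": "Example University",
    "example.gov.au": "Example Department",
}


@dataclass(frozen=True)
class Credential:
    victim_ip: str
    seen: str       # ISO-8601 timestamp as uploaded by the malware
    host: str       # hostname the credential was entered on
    username: str
    password: str


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, or last three when
    the suffix is a two-level ccTLD form such as com.au / edu.au / gov.au.
    Sufficient for the sample; real tooling should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"com", "edu", "gov", "net", "org"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dump(text: str) -> tuple[list[Credential], int]:
    """Parse the dump; return (valid credentials, number of rejected lines)."""
    creds: list[Credential] = []
    rejected = 0
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or not parts[3]:     # wrong field count or no username
            rejected += 1
            continue
        ip, ts, url, user, pw = parts
        host = urlsplit(url).hostname
        if not host:                            # unparseable URL: nothing to route
            rejected += 1
            continue
        creds.append(Credential(ip, ts, host, user, pw))
    return creds, rejected


def mask(secret: str) -> str:
    """Reveal only the length so the owner can recognise the exposure."""
    return "*" * len(secret)


def repatriate(text: str) -> dict[str, list[dict]]:
    """Group parsed credentials by owning organisation, one entry per
    (host, username), recording every victim machine the account was seen on."""
    creds, _ = parse_dump(text)
    by_org: dict[str, dict[tuple[str, str], dict]] = defaultdict(dict)
    for c in creds:
        domain = registrable_domain(c.host)
        org = ORG_BY_DOMAIN.get(domain, "UNKNOWN:" + domain)  # still report, needs a lookup
        entry = by_org[org].setdefault((c.host, c.username), {
            "host": c.host, "username": c.username, "password": mask(c.password),
            "first_seen": c.seen, "victim_ips": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], c.seen)
        entry["victim_ips"].add(c.victim_ip)
    return {org: sorted(entries.values(), key=lambda e: (e["host"], e["username"]))
            for org, entries in by_org.items()}


if __name__ == "__main__":
    creds, rejected = parse_dump(SAMPLE_DUMP)
    print(f"{len(creds)} credentials parsed, {rejected} lines rejected")
    for org, entries in repatriate(SAMPLE_DUMP).items():
        print(f"\nNotify {org}:")
        for e in entries:
            print(f"  {e['username']}@{e['host']} pw={e['password']} "
                  f"first seen {e['first_seen']} on {len(e['victim_ips'])} victim host(s)")
```

Two details matter more than the parsing itself. First, the same account seen from several victim machines is collapsed into one notification entry that still lists every victim IP, so the organisation can reset one password while the hosting provider or ISP can be told about each infected machine. Second, anything whose domain is not in the lookup table is reported under an UNKNOWN bucket rather than dropped, since an unrecognised domain is exactly the case a human analyst has to go and resolve.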

How did AusCERT support its members in improving their security posture, and what were some of the most effective strategies you used?

Quite often members would ring us because they were going through an incident. At that time, there was a lot less public information and supporting documentation around. Members would often have an incident that they were trying to handle, and they would ring us so we could be a sounding board for them. When you're handling an incident, it can be a very stressful experience, and often by talking to us, we could give feedback or listen to what they had done so far and provide them with assistance.

How has your experience working at AusCERT influenced your career path and approach to cyber security?

I view my time at AusCERT as foundational. It was my first cyber security role – prior to it I’d been a software developer building web applications. My time at AusCERT taught me so much about incident response, coordination and vulnerability handling.

One of my most rewarding experiences was the relationships I built with the other seven analysts I worked with. They were a great group of people who I stay in touch with to this day. I have so many great memories of that time.