Page 1

CYBERCRIME | THE BREWERY


CYBERCRIME


THE BREWERY JOURNAL Editor in Chief

EDWARD AMORY

Managing Editor

JAKE EVANS

Assistant Editor

BEN JACKSON

Art Director

JAMES FENTIMAN

Design

MARGRIET STRAATMAN

Illustrations

JAMES FENTIMAN

For any Brewery Journal enquiries contact: brewery.journal@freuds.com

The Brewery Journal is published by The Brewery at freuds The Brewery at freuds is a strategic communications consultancy. We partner with corporations, brands, governments and individuals to build and protect reputation and help them to better connect with the world around them. The brewery at freuds was founded on the belief that good communications can make the world a better place. We exist to raise that bar.

THE BREWERY DIRECTORS Managing Director

DR ARLO BRADY

Client services

EDWARD AMORY

TERI O’DONNELL

RUTH SETTLE

DAVID PAGE

Issues and Crisis

JO LIVINGSTON

Insight

ALICE CARTNER-MORLEY

Strategy

ELEANOR COATES For new business enquiries contact:

Special Projects

HANNAH PAWLBY

Chairman, freuds

MATTHEW FREUD

CEO, freuds

ANDREW MCGUINNESS

natalie.beach@freuds.com | www.thebrewery.com

For general enquiries contact: info@freuds.com Follow freuds: @insidefreuds | www.freuds.com

Business Director

LISA KILMARTIN

freuds, 1 Stephen Street, London, W1T 1AL

Copyright © The Brewery (London) Ltd 2016. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage or retrieval system, without the prior permission in writing from the owner. The greatest care has been taken to ensure accuracy but the publisher can accept no responsibility for errors or omissions, nor for any liability occasioned by relying on its content.


6 8 14 19 24 28 32 36 40 48 52 56 58 64 68 74 78 80 86 90

Editorial The Online Frontline Dido Harding | CEO, TalkTalk The Year Of Living Dangerously 12 Months of Internet Attacks Digital Defenders Ciaran Martin, Director-General of Cyber Security & Dr Ian Levy, Technical Director of Cyber Security, GCHQ Villains Of The Piece Adrian Leppard | Retired Commissioner, City of London Police and Director, Templar Executives Stealth Management Dr Adrian Nish | Head of Cyber Threat Intelligence, BAE Systems Cat Burglars Dr Liam Fox MP | Conservative Party Crime Hoppers Chi Onwurah MP | Shadow Culture & Digital Economy Minister, Labour Party Cybercrime Statistics Not Kidding Mary Aiken | Cyberpsychologist and Professor of Cyber Analytics The Strong, Silent Type Janis Sharp | Mother of Gary McKinnon Space Invaders Mum of 13 Year Old Schoolboy Duck And Cover Luke Harder | Hacker, Anonymous The Codemaker Phil Zimmermann | Silent Circle and Blackphone Coder Beneath The Surface John McAfee | Creator of Anti-Virus Software Hacked Off Lauri Love | Hacker To Protect And Serve Dan Jones | Consumer Editor, The Sun What’s The Catch? Emma Watson | Vishing Scam Victim Mum’s The Word Tony Neate | CEO, Get Safe Online The Alpha Threat Glossary of Terms


EDITORIAL Never before in human history has technology wrought such a rapid change in the way we live as the internet has achieved in a couple of decades. Most remarkable about this shift is the way in which it has inserted itself into nearly every aspect of our lives. We now communicate online, shop online, find partners online and work online.

As a result we now share intimate and

important details about our personal and financial lives with a wide variety of companies and organisations. We do so because of the exciting new opportunities that this sharing makes possible, but it does also include an element of risk.

Criminals of all kinds – individuals,

organised crime syndicates, state sponsored groups – have followed us onto the internet, and are seeking to obtain our information and use it for malicious ends. We are therefore all of us – consumers, companies, and government agencies – engaged in what Liam Fox describes in this Journal as a hidden war.

The true nature and extent of the

threats, and the ways in which we can counter them, is evolving daily. This Journal explores that battleground, with contributors from both sides of the conflict. It offers comprehensive analysis of the problem, a variety of proposals for tackling it and consideration of the motivation of those seeking to obtain our information.

The war against cyber criminals is ably

described by Adrian Leppard, the departing head of the City of London police and, in an unprecedented


interview, by two senior figures from GCHQ. The

and ideas openly and without prejudice.

private sector war on hacking is illuminated by Dr

Adrian Nish from BAE Systems, Phil Zimmerman

what is the most comprehensive look

from Silent Circle, and John McAfee, the creator of

yet undertaken at the war against cyber

the eponymous anti-virus software.

criminals is one of cautious optimism.

We are as a society placing more and

Politicians including Dr Liam Fox and

The picture that emerges from

Chi Onwurah share their political and personal

more sensitive information online, but

perspectives. Tony Neate from Get Safe Online offers

we have also now awoken to the need

individuals some advice on staying safe, while Dido

to protect it. Hackers are clever, but

Harding, Chief Executive of TalkTalk, does the same

disorganised. The right combination of

for the corporate community.

sensible personal decisions, corporate

The views of the hacking community are

investment and government intervention

represented by a contributor from the organisation

has the capacity to tip the scales in

Anonymous and by Lauri Love who faces extradition

favour of the forces of law and order.

to the United States for allegedly hacking NASA

But such optimism is only justified if we

and the US Defence department, among others. The

act together, decisively, now, taking the

motivation that drives hacking is explored by Mary

problem as seriously as it deserves, and

Aitken, professor of Cyber Analytics, and by Janis

implementing some of the compelling

Sharpe, the mother of so called ‘No.1 Black Hat

recommendations found in this Journal.

Hacker’ Gary McKinnon. The Journal has been produced by freuds

in collaboration with TalkTalk, who like nearly every major UK company, have themselves been the victim of hackers.

Its intention is not to provide the final

word on the subject because, like conventional criminal activity, this is not a war that can ever be won, but in a civilised society it’s necessary that the

CYBERCRIME | EDITORIAL

forces of law and order stay ahead of those seeking chaos and criminality. That will only happen with cybercrime if all interested parties share information

7


The Online Frontline Dido Harding, CEO, TalkTalk

We all have a responsibility to protect ourselves against cybercrime As the CEO of any business will tell you, there are good times and bad times. On a good day you deliver something for your customers, like Homesafe, which when we introduced it was the first free filtering service that put parents back in control of the content their children see online. Then there are bad times; days where you ask yourself: ‘what could I have done differently, what do I need to do differently now?’ In all my years in business, October 2015 will stand out as one of those times.


In October 2015, TalkTalk was hacked. Like most

large corporates, we successfully defend against cyber

engaged in a war online - against criminals who

attacks every day; this was the first to succeed. It

seek to steal our information and use it against us.

wasn’t initially possible to tell how much data had

This activity comes in different forms: from nation

been taken, nor which customers had been affected.

states and organised gangs, to misguided young

But we knew an illegal raid on our online estate had

people in high-stakes games of digital ‘dare’. We must

taken place, and we knew we had to let people know,

start recognising it, and tackling it, with the same

so they could protect themselves. Over the following

determination as we do crime in the physical world.

days, weeks and months, we would wrestle with this

unfolding situation in the full glare of the media

expects it to happen to them. And no-one (myself

spotlight, learning as we went the harsh realities of

included) knows enough about it. Business leaders,

an event which had hitherto been a theoretical ‘risk’.

governments and charities are largely not digital

natives. Unlike teenage ‘script kiddies’, growing

There were some tough lessons for

As with crime on the streets, we’re now

Part of the problem is that nobody

TalkTalk - things I believe in hindsight we could

up immersed in technology, we’ve had to work out

have done differently, and which we are fully facing

how to live in this new world.

into now. There were also things we came to realise

were simply not well known or understood generally

temptation is to allow cyber security to operate in a

across business, consumers, or the media. Even

silo within a business. While many companies say it’s

government and law enforcement are racing to get a

a board-level issue, in reality that often means CEOs

grip on this rapidly evolving threat.

wanting to be told by their Chief Technology Officer

that everything’s under control, that ‘we’re safe’. The

I am determined, to the greatest extent

Because it’s a complex, technical area, the

possible, to share what we learned (the good and

troubling reality is that there is no such thing as

the bad) in the same spirit of transparency and

totally safe. Any Chief Technology Officer who says

openness with which we approached the cyber

otherwise is part of the problem. The only way to be

attack itself. That’s one of the reasons I am pleased

completely protected is to stop all online activity.

TalkTalk is able to support this Journal. What

happened must be both a critical driver of change

both individuals and businesses can change the

for TalkTalk, and also a wake-up call for every

way we perceive and handle the risks. As a CEO, I

other business which believes it can’t, or won’t,

have learned that the right question is not ‘Are we

happen to them. The reality check for many of

safe?’, but ‘What risks are we taking and what could

those companies is: it probably already has.

be done to mitigate them?’ That doesn’t require a

PHD, nor a knowledge of coding. You just need to

Perhaps the most important lesson for me,

So whilst we can never be totally ‘safe’,

is a real acceptance that of course the digital world

be unafraid to ask the important questions. And if

has a dark side, just like the physical world.

risk is being approached and discussed differently in

boardrooms after what happened to TalkTalk, that

Telecoms companies like TalkTalk are

passionate champions of the digital revolution. But

can only be a good thing.

like everything in life, this comes with risks as well

as rewards. I have come to understand that nobody

nobody talks about it. In the weeks following our

in business is yet spending enough time or money

attack, we were supported by several highly experienced

thinking, worrying or talking about, the anti-social

security and law enforcement organisations, all of whom

and criminal ecosystems that have naturally evolved

presented the same fact: it is far more common than

along with the online world. Centuries ago, we

anyone likes to believe, or to admit.

began to civilise our society, with values, ethics

and laws; but we are only just beginning the digital

exponentially worse. Nine out of ten large UK

equivalent of that process.

businesses have suffered a security breach, yet the

The next issue is that when it happens,

The reality is that the problem is growing


vast amount of these go unreported. Add these

Government figures to the 200 ‘major incidents’

up both reporting requirements for

GCHQ handled each month over the summer of

companies which have experienced a

2015, and it’s clear that what happened to TalkTalk

data breach, and fines for employees

was not a rare, one-off occurrence. The difference is

caught committing a crime of this

that we chose to make it public.

nature. Current rules mean that the vast

majority of these incidents go unreported

Some see this as a controversial, even

We can dramatically ramp

naive, decision. Of course it’s tempting as a CEO

– customers simply never know. This

to get yourself to a place where you believe it’s

leaves them vulnerable to scammers and

unnecessary, or won’t help. But going down

criminal gangs from the moment that

that route will only destroy customer trust and

data is stolen. Over the long term, it also

perpetuate the problem. Faced with either warning

risks undermining customer confidence

all our customers early so they could protect

in the digital economy altogether.

themselves; or waiting (in the end it took two weeks)

Transparency has to be our friend in this

before we could isolate who was affected and in

fight. A reformed reporting system, with

what way, I firmly believe we made the right choice.

proper sanctions, is a good start.

That decision came with consequences,

We can also ensure businesses,

both financial and reputational. But I hope any Chief

government and law enforcement have a

Executive faced with this choice in future will take

clear, streamlined approach to planning

courage from this fact: all independent brand metrics

for, and handling, these incidents. The

and customer feedback we have tells us we benefited

Government’s announcement of a one-

from doing the right thing. The topline message from

stop shop ‘cyber hub’ will vastly improve

customers is that yes, they’re worried about their

the current system, where businesses

data; but they don’t think what happened was our

which have suffered an attack are faced

fault, and they appreciate how we dealt with it.

with a multitude of different agencies,

with diverse objectives and protocols.

In fact, over and above any other factor, it’s

the honesty and openness with which we approached

As a telecoms company, TalkTalk was

the cyber attack which shaped customers’ attitudes to

fortunate in having strong links with

what happened. It was that decision which provided

several government agencies which were

the foundations on which we are now rebuilding

able to provide useful first points of

their trust, and which will enable TalkTalk to emerge

contact. This is not the case across all

from what happened a stronger and better business.

sectors, or sizes of business.

But being honest in admitting that the

CYBERCRIME | THE ONLINE FRONTLINE

‘I am determined, to the greatest extent possible, to share what we learned’

Companies can also do much

cyber threat is growing doesn’t mean conceding

more. More management time, more

defeat. There are things we can do to fight back.

investment, greater transparency, a

11


different approach to risk. These are all hard

earned lessons for TalkTalk, from which I hope

should ensure that the internet does not become a

other companies will benefit.

digital Wild West, but instead operates within the

legal, moral and social framework of a civilised

Some companies, like telcos, can actually

The combined effect of these endeavours

offer products which keep customers safe and

modern society. Even after everything that I have

make it harder for criminals to target them. For

learned and experienced in the last few months

example, the sheer amount of data now online

(or perhaps because of it), I remain optimistic that

means customers are ever more vulnerable to data-

we can do it. Of course it won’t be perfect, because

related fraud. Often (as was the case with TalkTalk)

human beings are not perfect. But a civilised digital

what the criminals get hold of is not enough on

society is possible and I’m determined that TalkTalk

its own to steal from a customer. But it might be

plays its part in helping us get there.

enough to scam customers into handing over their money themselves. Telecoms companies can block these scam calls and emails at source, and provide privacy and safety features for customers to protect themselves. But for the last two years, TalkTalk has been the only provider offering these services for free. We now block around 70 million scam calls each month. Some providers are following suit and offering these services free of charge. But the vast majority still don’t, and I would very much like to see this become an industry-wide commitment.

No technology solution is ever perfect

though. So arming customers with better information about the tactics criminals use, and how to stay safe, is also critical. We all need to think about changing our behaviour. For instance, we’ve all clicked ‘remind me later’ when our applications ask us to update the software. But without these updates, our systems become vulnerable to evolving security threats. Another example is the need to start treating people online or on the phone as we would face-to-face. When someone phones up purporting to be from an organisation, we must learn to view them with the same degree of healthy suspicion as if they’d knocked on our door.

But this isn’t a purely defensive game.

It’s time we took the fight to criminals. Last year, the Chancellor committed to giving our police and security agencies the resources they need to find, disrupt and prosecute the networks behind attacks. We should support that. It’s time to shine a light on those currently hiding in the shadows.


CYBERCRIME | THE ONLINE FRONTLINE

‘The most important lesson for me, is a real acceptance that of course the digital world has a dark side, just like the physical world’

13


The Year Of Living Dangerously 12 months of internet attacks In just the past year at least 130 million people have had their personal data breached or hacked - including tens of millions in the UK and hundreds of millions in the USA.

2015 • US health insurer Anthem discovers a major breach of its database which hackers have combed through for names, social security numbers and birth dates of over 78 million people.

January • Online greeting card service Moonpig suspends its app after claims a security flaw allowed access to any of its 3.6 million customer accounts. • The US Scout Association is told its database,

February

which holds the contact details of 450,000 youngsters

• Uber reveals that 50,000 drivers’ names and

and volunteers, is ‘insecure.’

licence plate numbers across the United States


have been made public after a hack on the cabhailing service. US site Motherboard reported thousands of drivers’ details were available on the Dark Web for $1 a time and many phantom trips were charged to other account holders. • A database of parking ticket details for almost 10,000 motorists is published online, by PaymyPCN. net, which has a direct link to the DVLA.

May • The social security information of 21 million people is stolen after the US Office of Personnel Management is hacked. The personal information of all federal employees, their social security numbers, employment history, health, criminal and financial history is all

March

included. The New York Times blames the attack on Chinese hackers.

• Around two million customers of Vivastreet, the owner of Mexican classified site Vivanuncious, are revealed to have had their emails, passwords, phone numbers, postcodes and IP addresses exposed prior to the site being bought by eBay. • British Airways says hackers have accessed 10,000 personal information had been viewed or stolen, but froze all affected accounts.

June • JD Wetherspoons, the FTSE 250 firm

• Health insurers including Premera Blue Cross,

and chain of 950 pubs, has its database

CareFirst BlueCross, Blue Shield and Excellus

of 656,000 customers hacked - although

Health Plan reveal breaches that have affected

it claims the details of just 100 customer

22 million people stretching back to March 2014.

credit cards are revealed. The attack was

American investigators believe China targeted

only discovered in December.

insurers in the US to see how medical coverage and insurers are set up.

• Barclays agrees to pay out half a million pounds in compensation after losing a USB stick containing personal data of about 2,000 of its customers. It offers them £250 each. Data, including jobs, salaries, debts, insurance, mortgage

CYBERCRIME | THE YEAR OF LIVING DANGEROUSLY

frequent flyer accounts. The firm maintained no

and passport details and national insurance numbers were in the hands of at least one fraudster for seven years.

15


• PwC find nearly nine out of 10 large organisations now suffer some form of security breach – suggesting that these incidents are now a near certainty.

September • The details of thousands of Lloyds Bank Premier customers account holders are revealed to have been lost after a data storage device is reported

August • Hackers release details of 1.2 million accounts

stolen. The data affected customers with Royal Sun Alliance emergency home cover on their premier account between 2006 and 2012.

and 25 gigabytes of company data from Ashley Madison - a website that helps users have extra

• UK government agencies and banks feature highly

marital affairs. The data includes 1,200 Saudi

on a ‘hitlist’ of 385 million email addresses that has

Arabian email addresses where adultery can be

been used by cyber criminals to spread the Dridex

punished with death. The same month a pastor and

banking Trojan.

professor at the New Orleans Baptist Theological Seminary commits suicide citing the leak that had occurred six days before. Users whose details were leaked are filing a $567 million class-action lawsuit. Analysis showed that '123456' and 'password' were the most commonly used passwords. • Mumsnet co-founder Justine Roberts is hit in a ‘swatting’ attack that saw an armed police response team sent to her house. The parenting website was also targeted in a distributed denial of service

October

attack. A group calling themselves @DadSecurity

• 157,000 TalkTalk customers’ personal details

claimed to be behind the attacks.

are accessed with more than 15,600 bank account numbers and sort codes stolen. The firm said 4% of

• Carphone Warehouse admits the encrypted data of

customers had sensitive data at risk and warned to

90,000 people may have been stolen, the firm warns

protect themselves from scam phone calls and emails.

its 2.4 million customers after a sophisticated attack.

Five men, including a 18-year-old from South Wales and 20-year-old from Staffordshire, were arrested and are on bail until March (2016). • The British Gas emails and passwords of 2,200 customers appear online. The company writes to those affected to apologise.


• Pharmacy2U is fined £130,000 for a data breach that saw the company try to sell the details of 20,000 customers names and addresses to marketing companies without telling them. • Hackers access the details of 1,837 Vodafone customers along with customers’ names, mobile numbers, bank sort codes, and the last four digits of their bank accounts.

December • The BBC is hit by a denial of service attack that locked millions out of iPlayer and live streaming and radio for three hours.

November • Hong Kong toymaker VTech has 727,000 children’s profiles and 560,000 parent profiles hacked, the breached accounts included selifes and audio recordings. The hack was first revealed on the website Motherboard, by a man who claimed he wanted to

• British payments company Paysafe admits details of 7.8 million customers were hacked. The listed company, formerly known as Optimal Payments, admitted the customers had their accounts hacked between 2009/2010. It said limited data was taken that didn’t include passwords, card data, or bank account information. It said 1,500 people had lost money, but had no reports of other losses. • US online takeaway service Hungry House is hit by a data breach and resets the passwords of 10,000 customers.

CYBERCRIME | THE YEAR OF LIVING DANGEROUSLY

expose the firm’s ‘s***ty security.’

17


Digital Defenders Ciaran Martin, Director-General of Cyber Security & Dr Ian Levy, Technical Director of Cyber Security, GCHQ - Interview with Ben Jackson

GCHQ v The Winged-Cyber-Ninja Monkeys One of the Government’s most secretive intelligence agencies is emerging from the shadows for the first time. For almost 100 years the ‘listening agency’, GCHQ, has uncovered vital information from decoded messages, detected threats through phone calls and emails - and increasingly - protected the UK from hostile cyber attacks. Now, in an unprecedented move, two of its most senior staff have agreed to be jointly interviewed to explain their wider mission to help guide firms

CYBERCRIME | DIGITAL DEFENDERS

and the public in the fight against cybercrime.

19


The Government’s communications agency could

services of the agency whose work has largely

never be accused of overdoing the branding. The

been kept from the eyes of the public for the best

address for our interview is an anonymous door,

part of a century.

beside a coffee shop, on an anonymous London

street. No sign indicates to passers-by the line of

inform and help,” Ciaran says. “There are some

work of anyone who might pass inside - or even if the

extremely sophisticated threats out there which

building is in use at all.

are matters of State and we are expected to act as

defenders of the State for the Government and areas

Inside an empty entrance hall betrays no

“There is much more expectation to

further clue to our location. The single exception is a

of crucial national infrastructure.

line of grey lockers along one wall. In this building

at least, the agency sometimes described as the UK’s

out for the cyber health of the UK,” he says. “It

‘digital spooks’, would prefer you to check in any

requires us to get out there and talk to people.

phones or recording devices beforehand.

allow millions to deal with the low level threats, leaving

Upstairs, on the first floor of this 1930s

“But our new role will also involve looking

“GCHQ needs to ‘project and amplify’ to

office block is a sparse room with a boardroom table

GCHQ to deal with the biggest, nastiest threat attacks -

and three disconcertingly large video monitors,

what the agency call advanced persistent threats (APT).

where two of Britain’s most senior GCHQ staff

make themselves known. Both are so utterly

threats and what we like to call those from ‘adequate

different that any preconception of this as a bland,

pernicious toe-rags,” Ian says a touch more frankly.

but secretive, civil service disappear quickly out of

the carefully-lined window.

of all kinds in the UK is on the rise. Robert

Hannigan, GCHQ’s director, has confirmed: “The

First into the room is Ciaran Martin; tall,

“We generally divide it into advanced

The number and scale of cyber attacks

measured and thoughtful with a dry wit - a former

organisation detects a wide range of cyber attacks

high-ranking Cabinet Office and Treasury official, he

every day. The threat is growing in number,

is the agency’s director-general of cyber security.

sophistication and impact.”

The second is Dr Ian Levy, bearded,

The Chancellor George Osborne revealed

more casually-dressed and outspoken, the technical

in November that GCHQ deal with 100 cyber

director of GCHQ’s cyber security mission. An

national security incidents a month - twice the

expert in his field, he once previously described

rate of the year before.

himself as ‘the evil Cheltenham security geek’ when

presenting a paper - hilariously called ‘Fighting

(an archive of hacking attacks),” Ian says. “It tells you

The Winged-Cyber-Ninja Monkeys’ - to industry

how many departments with a .gov.uk address have

professionals after describing the original title of

been hacked in the past year. At last count there were

‘cyber security’ as frankly too boring.

around 1067 - that’s not on!”

In a world where both their identity and

“Have a look at a website called Zone H,

Attacks on the private sector have also

their work has been secret for so long, the pair are

risen quickly, but Ian adds a note of warning. “A

gently stepping into the role of explaining some of

lot of the costs of an attack on business are often

what this long secret agency does - and what it can

exaggerated, and many people are reacting like

do to protect Britain in the modern cyber age.

bunnies in the headlights,“ he says.

The change came late last year when the

“Yes, being hit by a cyber attack is a big risk.

Government’s intelligence agency was tasked with

But you need to treat it the same as all other risks.”

setting up a new National Cyber Centre for the

UK “It is a big national priority” Ciaran Martin

majority of common attacks to be managed by other

says, “Transforming GCHQ.”

people, so we can concentrate our energies on national

defences. A lot can be done more straightforwardly to

The decision stands to revolutionise the

Ciaran chimes in: “We would like the


start to reduce the impact of common attacks.”

defences GCHQ has published,

Amongst the suggested

UK every day, there are ways we can suggest that

is advice to web designers and

will be reasonably effective umbrellas. They won’t

administrators not to continue to make

protect against rocks, but they will protect us against

employees and customers remember an

showers - if that works as a metaphor?" he adds with

endless sequence of passwords.

a touch of self-mockery.

mainly aimed at system designers

“We believe we can get 80% of the way -

“Our password guidance was

and the final 20% will take a lot more effort. But

mainly because they do some stupid

let’s be clear, we’re not trying to nationalise the

things,” Ian says. “Currently the

cyber security industry - the Government have just

situation is equal to the average person

tasked us with trying to produce a better national

remembering a different 660 digit

framework.

number every month. That’s terrible to

be honest, so by changing the system

“Certainly in the organised crime space,

our assessment is there are decisions made by the

they can make people’s lives easier.”

attackers, very like if they were running a big company

and using a management information dashboard. If

agency recommends is using passwords

they have a line of business and they see one kind of

made from three random words or using

attack making high margins, they will launch more

password managers and jettisoning overly

attacks, but if you make it even slightly harder then it

complex password rules in favour of systems

might be not worth their while.”

capable of detecting unauthorised activity.

Among the suggestions the

‘We generally divide it into advanced threats and what we like to call those from ‘adequate pernicious toe-rags’

CYBERCRIME | DIGITAL DEFENDERS

"While attacks are showering in across the

21


In future there may even be other ways to

we can’t take the public trust for granted.

identify yourself using systems like mobile payment

systems, the Trusted Platform Module (TPM), bank

cyber threats facing the UK, but people should not

credit cards and even your FitBit.

think that we’ll be trawling through their emails or

Facebook accounts. There are clear processes we have

In a single brief example, Ian highlights the

“We need to use bulk data to decipher the

scale of the digital challenges facing the UK. Recently

to go through to get warrants. We need to make the

he has been examining the £12 billion smart metering

case for each investigation in the national interest.”

system, new energy meters the Government plan to

begin installing in every home from later this year.

also helped by, “over 150 pages of advice on our

website including advice on the various methods of

“The issue,” Ian says, “is will they let

The task of putting forward their case is

someone disconnect all the power to your house? Or

encryption - so we need to nail that particular canard

can someone turn off the right number of meters in

before it gathers momentum,” he adds.

the right way to cause a collapse in the grid’s systems?

How does an agency based from a secret

“The guys making the meters are really

But the secrecy won’t help surely?

good at making the meters, but they might not

address help inform the public?

know a lot about making them secure. The guys

making head end systems know a lot about making

he responds quickly. “We even have a bus with

them secure, but not about what vulnerabilities

a sign on it waiting at the local railway station

might be being built into them.

every morning,” he says of GCHQ’s doughnut

headquarters. “We have groups of tourists turning

“In the design of the system, we’ve

“Our Cheltenham location isn’t secret,”

assumed that vulnerabilities exist in each

up thinking it’s a football stadium.”

component and designed the system so that it’s

tolerant to those weaknesses. The resilience is

will also not be top secret. “It will have the same

gained by needing three independent exploits or

security of a large corporation or a mainstream

failures to happen to cause any large scale effect.

government department,” he says.

This is all being done to protect the population

itself.

a group of intent looking staff arrive for a video

“I’m not talking about small outages here,

Parts of the new National Cyber HQ itself

Our interview is briefly interrupted as

conference - a series of faces flicker into view on

because frankly you could take out the supply cabinets

the monitors in front of us.

of 100 houses with just a hammer! So we’re working

on some wider analysis with a few universities.

on cyber security - even allowing the press to peek

behind the ‘cloak and dagger’ facade?

“Assuming attacks will come and assuming

So there will be a new culture of openness

the vulnerabilities are there - what is the impact?

This is how it works, how do I protect it?”

glance towards the street outside the anonymous-

looking window.

The question of how to cope with the

“Yes, that’s right,” Ciaran adds with a

digital threat also raises questions about how so

much public and private advice can be provided

coffee shop downstairs really.”

publicly by an agency that has spent almost a century in the shadows.

While, at least a section of the public

may also fear they will be hacking their emails or listening to their phones.

“The polling we’ve done shows we are

trusted - people want to engage with us and work with us,” Ciaran says. “But there’s no question that

“We could have done this interview in the


GCHQ say dealing with the ‘simple stuff’ can mean a host of relatively straightforward solutions for firms trying to tackle cybercrime.

Getting companies to identify emails

that originate from outside the firm. “Most attacks start with an email,” Ian says. “So let’s highlight emails that come from outside the company. “If you are dealing with a request from the Chief Financial Officer about staff remuneration it will raise a question mark if that comes from somewhere else.”

Educating the administrators. “We

can’t advise everyone in an office not to open a spear phishing attack, because we know it’s likely that at least one will get through. But what we need to make sure is that when that happens the rest of the system isn’t left wide open to anyone who gets in,” Ian says. “Similar safeguards should ensure no one in the company is using their administrator account to browse the web.”

Dealing with the most common

attacks. “SQL injection and XSS or cross sites scripting are both ‘very common,’ in the world of cybercrime. They are both very easy to fix, yet the impact of not fixing them is potentially catastrophic,” Ian says. “It isn’t even necessary to be a technical expert to make websites safe - very good quality products can be purchased off the shelf,” he adds.

There needs to be an incentive model.

“You have a fixed budget as a company. Do you invest that in something intangible (like securing your existing app servers

CYBERCRIME | DIGITAL DEFENDERS

‘The threat is growing in number, sophistication and impact

THE ‘SIMPLE STUFF’

where nothing bad has happened) or do you invest in building new functionality for your users, such as integrating Apple Pay?”

23


Villains Of The Piece Adrian Leppard | Retired Commissioner, City of London Police and Director, Templar Executives

Why Britain is “swamped” by cybercrime In his final interview as the man in charge of policing fraud and cybercrime in the UK, retiring City of London Police Commissioner Adrian Leppard reveals why the authorities are now “swamped” by online crime and why - despite the crisis - the UK could still become a world leader in cyber security.

For the first time last year the British Crime

We have also seen the recent Dridex malware

Survey, which measures crime across the UK,

attacks, which stole £20 million from online bank

included questions on fraud and cybercrime. It

accounts. This indicates that the theft of bank

shows there are five million frauds and 2.5 million

account details from individuals and businesses is

cybercrimes taking place a year, compared to a total

a popular target for criminal gangs.

of seven million other crimes.

huge crime bureau for the country. We have the

Those are very significant figures. They

The City of London police acts like a

double crime levels in an instant - and make fraud

lead responsibility for policing economic crime and

and cybercrime the most prevalent in our society.

fraud – including cyber. Any fraud or cybercrimes

reported come to us in the UK through a fairly

The challenge we face as police is that

only a fraction of those (250,000) crimes are

clunky system called Action Fraud, which is a

actually being formally reported. So at the national

website and reporting centre, before they are then

level, we are unaware of the scale of the problem.

passed to the City of London Police.

There is also only enough capacity within British

policing to deal with around 60,000 of those crimes

volume. The major issues are largely down to factors

a year and we only get a positive outcome rate of

beyond our control. Firstly, the bulk of criminality

about 12,000. So, as you can see, the chances of

is being conducted from overseas from countries

being caught are very slim.

where we can’t reach them. The British police can’t

just walk into another country and arrest somebody.

There has been a significant surge in

It’s a good process, but we are swamped by

bank card fraud across the UK; one in five of

Second, these threats come through the internet.

us have been a victim in the past 12 months.

The traditional means by which governments protect


you and I from other crime types are borders, for

effect to your business. You need to make

cybercrime this approach does not work.

sense of the cyber threat.

We have no one standard

anywhere in the world and, in the

well-versed in preventing the more visible crimes, but

UK, there is no standard that is a

that needs to continue to evolve to meet the threat

requirement. There’s no regulatory or

posed by cybercrime, especially online fraud. There is

lawful requirement to adopt a standard

only so much that can be achieved within the limited

of security and when we look to the

resources available and the competing priorities

future we have to look to what are

police forces are seeking to deal with.

the minimum standards that business

should be adhering to. They have to

Ultimately, this new crime needs new

resources from the Government, such as a big

adhere to minimum standards in Fire

campaign to reach every household, similar to

Safety for example – but my view is we

the ‘Clunk Click’ campaign for drink driving.

should be adhering to a common set of

Campaigns of that scale reach everybody and

standards which are laid down by law

that is what is needed so people can protect

for cyber security.

themselves. I think there is a role for government

in accrediting certain services, like email, making

Government that doesn’t like to

it a more secure environment for everybody.

regulate business, we can estimate it’s

costing the UK about £30 billion a

You also start to recognise that all of

Although we have a

this threat is being hosted through industry. The

year in fraud, and other countries are

internet facilitates the benefits and health of

all grappling with these same changes.

our society, so it’s a good thing, but it is actually

So what I’d like to see Britain doing is

criminals working through ISP’s, through telecom

becoming a lead in cyber security.

providers and through the businesses at the front

end who are using the internet to facilitate a

looking at the positive advantages to the

service for their customers. They therefore hold

country and to business. You are already

the key to how we protect society.

seeing a number of FTSE 500 companies

that are bringing significant investments

So the next challenge is - how do we

What you need to do is start

find a way that businesses can adopt common

into cyber security. It would be a good

standards of information security in a way that’s

start recognising what the individual

achievable and cost effective for them and doesn’t

business growth is and, from a trading

place them in a competitive disadvantage against

perspective, what the overall growth

businesses in other countries?

could be if we became one of the leading

countries in cyber security.

Cyber health and safety should be the new

health and safety. We should know that of all the

attacks in recent years, about 60 or 70% involved an

have a well connected Government,

insider threat.

led through a Cabinet Office with a

security strategy. Our security agencies,

If you look at some of the PwC and

It is achievable because we

KPMG research you will see 90% of small

GCHQ in particular, have been heavily

companies are being attacked each year, while the

involved with business for a long time,

corporates will also say it costs them an awful lot

providing advice and guidance.

when they have a breach.

agencies are still quite stand-offish from

You can’t just say ‘Woe is me.’ You have

to have a conversation about a cyber breach and its

CYBERCRIME | VILLAINS OF THE PIECE

So what can we do? Certainly as I reach the

end of my policing career, I know I leave a service

Across the world, some security

business, but we’ve been working in this

25


area for a long time and we have gained a lot of

knowledge and expertise in cyber security. So we have

targeting their funding structures. We’ve been

the potential to turn this into a business and power

working with some of the big funding providers,

growth in the country.

such as Mastercard and Visa, to provide information

on websites selling illegal material, which in turn

The conversation we tend to have is

What we’ve been doing is effectively

always negative, about the challenge and the threat

they prevent operating by shutting down the funding

and how difficult it is.

structures they host. We have done the same with

online advertising, in order to take down advertising

But London is the world’s largest trading

centre in banking. It competes with New York so

from certain web sites.

there’s good reason for it to be the leading light

for cyber security.

still remove their ways to make money. We now

shut down 4,000 enabling structures a month.

The UK Government has a good name

If we can’t reach the offender we can

in a range of areas. We have technical skills in

For example, intellectual property websites or

cyber security. There’s the uniqueness of British

investment websites, those trying to sell you

policing in its success at preventing crime and

diamonds or trying to sell you land. We’ve found

working with communities.

Voice Over Internet Phone (VOIP) numbers used

by fraudsters, which look like they’re a British

So many countries use a fairly traditional

enforcement approach to combat crime and for

phone number but they’re not.

many decades we have led on a softer approach,

which is how to eradicate crime. By working with

stifle criminal enterprise, we therefore protect more

offenders and businesses, to see how crime might

people and prevent more crime. We estimate that we

occur, you can help to curb crime from the outset.

are saving the UK roughly £500 million a year by

doing this.

I wouldn’t say this is all about prevention

If we close these things down and start to

either. If you look at enforcement, you have the

National Cybercrime Unit (NCCU), who we work

in this country is £30 billion a year and we’re only

with, then there’s the European Cyber Centre. There

preventing £500 million - that’s a big gap.

is also the US Department of Homeland Security,

the FBI and the US Secret Service. By working

individual states’ capability in this area is growing

together we can collectively set targets. For example,

quickly. Every government agency in every country is

the Eastern European countries are working very

putting more and more investment into cyber. They

effectively in cyber space because they have a

are building their own scripts that are getting on to

presence on the dark web and infiltration into

the internet that can do damage, and increasingly we

organised crime groups in the cyber world.

see criminals using hijacked scripts that have been

built by intelligence agencies.

We can’t look at that as being our only

It’s just another stat, but if you said fraud

There’s also military scoping, and

means of addressing the problem. We have got to

think in a different way. We need to be innovative.

exponentially and people’s access to the internet is

For example, we have an Intellectual Property Crime

growing. It is an arms race.

Unit within our Economic Crime Unit here and

it focuses on hard goods and, more importantly,

and we’re getting better every year. There’s a positive

virtual goods. So where people are putting albums on

journey and we can see increasing successes. My only

websites and you can buy the latest track and get it

word of caution is that it is still only a drop in the

for free, that’s a crime. Stealing intellectual property

ocean compared to the threat we are facing.

- that’s stealing people’s livelihoods.

So whilst we are growing in capability, the threat is

growing faster than us.

Often these are hosted by websites in other

countries, so what can we do to target it?

So you have state capability growing

In Britain we have good technical skills


CYBERCRIME | VILLAINS OF THE PIECE

‘If we can’t reach the offender we can still remove their ways to make money’

27


STEALTH MANAGEMENT Dr Adrian Nish | Head of Cyber Threat Intelligence, BAE Systems

Everything you think you know about cybercrime, you don’t When TalkTalk was hit by hackers, CEO Dido Harding confirmed the first external call she made was to cyber defence specialists at BAE Systems. Here, the head of the firm’s Cyber Threat Intelligence team, Dr Adrian Nish, details the key threats companies face - including ransom viruses and denial of service attacks - and how Russian speaking criminal gangs and UK-based money launderers are amongst those behind them. Threats are now moving so fast that “what we’ve learned can be out-of-date in six months” he warns.


As with any walk of life, technology has

investigate cyber breaches, along with

had a major impact on how criminals go about

running more traditional security

their business. The internet has become a way to

services for organisations. TalkTalk is

reach a global base of victims and illicit services

one of the few examples of customers

– and its global reach makes it very attractive.

we work with whose breach is public

Conducting crime in cyber space as opposed to

knowledge, and CEO Dido Harding is

the physical world also comes with a perception of

on record saying one of the first things

anonymity and lower risk.

she did was pick up the phone to us.

Across the world we are seeing

cyber attack and fraud techniques spread fast, as criminals see what works and what is most profitable. The challenge is that anybody who wants to launch an attack can quite easily pick up readily available tools, and hide in dark corners of the web whilst using them. Much of what is reported is also just the tip of the iceberg. There are many attacks that people and companies are not even aware of, which is a big challenge both for victims and the security community.

Across the industries we work

in, not every company is looking to protect the same thing. Many customerfacing firms will be most concerned about their customers’ personal and credit card information, while for others it may be sensitive data in email exchanges, or information that relates to well-known clients. Companies also care a great deal their brand, about records of upcoming mergers or acquisitions, or intellectual property, which could be of great benefit

BAE Systems is a multi-national defence,

to rivals.

aerospace and security company that builds military

hardware, advanced electronics and information

takes place can tell you a lot about

technology for air, land and sea forces, but now

who is behind it, so our approach to

increasingly focuses on the cyber domain and

attributing attacks depends on what’s

defending businesses. In this division of the

being targeted and who we think would

company, we have 4,200 people spread across 30

be most likely to go after it.

offices around the globe who deliver cyber security

and intelligence solutions for customers.

cards, we would look at which gangs

have a past history of stealing such

Our expertise includes Incident Response

work for companies in need of extra support to

How and where an attack

If the attacker goes after credit

data. If they are looking for sensitive

CYBERCRIME | STEALTH MANAGEMENT

about preventing reputational damage to

29


information or emails of a particular individual, they

some of the more sophisticated capabilities acquired

might be trying to figure out what that manager (or

from players in other regions. Equally, information

department) is working on. If it’s a big deal that’s

travels quickly through the modern media. When

worth billions, then it may be competitors in another

breaches get reported in the press we read that as

part of the world that are also interested in this.

good guys thinking, “Oh that’s how they did it,” but

Some cyber attackers may be out to make money as

are plenty of bad guys out there thinking, “I could do

quickly as possible, others will do it for some cause or

that and potentially make some money.”

political reason – and may not care about concealing

their actions. However, espionage actors – whose

provide a fortress to keep everyone out. Technology

attacks are industrial or politically driven – work

and attacks have evolved in the last five or six

hard at remaining covert. They take great care not

years. Not long ago you could just put in a firewall

to let you know there has been a breach in the first

and anti-virus software to keep most threats at bay.

place and may take clever steps to complicate and

However, those are what are called ‘technical point

misdirect attribution efforts.

solutions’ and the challenge is that the bad guy is

always able to get around a specific point.

The 16-year-old in the bedroom gets a lot

These days it’s certainly very difficult to

of the headlines because they will often publicly

announce what they’ve done, but their attacks are

more than just pure technical solutions are

certainly not the most frequent or the most significant.

needed. What’s becoming increasingly important

Most incidents we deal with are either originating

is how to identify anomalies on your systems,

from cyber spies or well established criminal gangs.

respond to them, and to train your people to spot

potential cyber attacks, such as suspicious emails.

A lot of people talk about the Russian-

Organisations are realising that much

speaking criminal underground, and that is certainly

You can’t keep everything out, so it’s making sure

a hotbed of cyber threat activity that we come across.

you respond effectively so you can mitigate the

Much of the more sophisticated criminal capability

damage that is important.

that has been built over the years comes from this

region. There is a community that goes back over

have been going through the same journey at a

a decade with a lot of their interactions taking

different pace. The financial industry has been very

place within closed forums. These are groups that

aware of the threat for many years. They track the

require vetting prior to access being granted, and the

groups behind attacks, and try to be proactive to

individuals who use them may never meet physically

work with law enforcement to go after the criminals

- it’s all done using aliases online.

wherever possible. Other industries are realising

that they also face significant threats, maybe not in

These closed criminal groups have grown

In the cyber world, different industries

into a whole ecosystem and different actors will

the same way, but are now looking at how they may

focus on different elements. Some focus on building

invest more to improve their security.

malware, (the malicious code that gets used in

attacks,) others focus on the infrastructure - the

attacks we see are from commodity, semi-automated

servers that get used to host and control the malware.

malware kits and affiliate programs.

Another segment will focus on building networks

of money launderers in order to cash out the stolen

UK now. It is a banking malware, which tries to

funds from bank accounts. It’s just like a process of

facilitate transfers from one person’s bank account to

industrialisation – divvying up the tasks to different

the criminal’s account. It waits until the user is logged

specialisations, and within those specialisations

in and then it will basically pause your banking session.

people become more proficient.

You may see a timer icon, but in the background the

malware is forwarding your banking session to the

More recently, we have been seeing West

African groups getting more organised and using

At the moment, the vast majority of

Dridex is one that is very prevalent in the

criminals so they can enter new payee information.


The money is often moved to another

hit with DDoS attacks - distributed denial

bank account in the UK - someone we call a money

of service. Again, these may be followed by

mule. These are people who the criminals recruit

a ransom note saying: ‘Unless you pay us

to work as drop points for their transfers. Often

xxx bitcoins we are going to hit your site

they are recruited through the work-from-home

harder next time and knock it offline.’ It has

type ads - the type that might say ‘Make £3,000

been around for a while, but we believe the

pounds a day, working from home.’ Sometimes that

increasing popularity of anonymous payment

can mean working for one of these types of gangs.

mechanisms such as bitcoin is enabling the

The ‘employees’ may believe they are facilitating

criminals to make such attempts.

international money transfers and are often

recruited through fake companies.

cyber threats is by improving the

sharing of information related to their

You’d have to be a little bit naïve – or

One of the best ways to fight

desperate – but it does look somewhat legit. You

activities and how to mitigate them.

receive money into your account and you may

This is already quite mature in the big

have to transfer that into your PayPal account

financial services organisations, but we

and from there you might have to transfer it to

are starting to see that trickle down into

the criminals’ account. Or you may have to cash

the other sectors and smaller industries

it out and then make an international transfer,

as well. We all need to share the best

for example using MoneyGram or Western Union.

practices that people find useful for

Usually the amounts are in thousands of pounds,

defending against threats as well as

‘How and where an attack takes place can tell you a lot about who is behind it’ but that takes place thousands of times, and large

building up that network of support, so

sums can be laundered this way.

you have somewhere to go if you need

that extra bit of expert help.

A small business legally doesn’t have the

a vast amount of advantages which

same protection, although the bank will often

outweigh the risks, but we need to avoid

compensate because they don’t want to see small

being complacent. Let’s be frank - we

businesses going bust over things like this.

are not going to win the war against

cybercrime. But we can do our best to

Recently we have been blogging about

The internet brings us such

another class of threats which is also popular at

have properly empowered, knowledgeable

the moment. They are pieces of malware, called

law enforcement and a security

ransomware, which encrypt files on your computer,

community that can shake out the most

then suddenly say ‘Pay £100 or you’ll never get your

devious activity and keep our networks

files back’. Usually the encryption they use is quite

and information secure.

good, so even with expert decryption capabilities it may still be impossible to get the files back.

CYBERCRIME | STEALTH MANAGEMENT

If you fell victim to such malware, as a

retail customer you’d be entitled to compensation.

Extortion in general is a popular technique

at the moment. Another variation is where websites are 31


Cat Burglars Dr Liam Fox MP | Conservative Party

Waging a war on cybercrime Bill Clinton said the other day that when he took office, ‘only high energy physicists had ever heard of what is called the World Wide Web… Now even my cat [Socks] has its own page.’

This exponential jump, both in computing power

cyber criminals into what they regard as a growth

(a single iPhone could have run the entire Apollo

area; small attacks by geeky teenagers are still

space progamme) and in reach (from desktop to

significant, but less strategically worrying. Nor is it

laptop to phones to the Internet of Things) has

just private sector criminality that we have to worry

touched all of our lives. In 1995, only 0.5% of the

about; there are plenty of state-sponsored cyber

world’s population were using the internet, by

criminals who not only have access to advanced

2012 that had increased to 39%.

technology, but can also use their activities to

generate extra funds through fraud and extortion.

It’s not surprising then that this

astonishingly rapid and profound change has had

many consequences, some good, a few bad. One

the kinds of attack we may face, and how to meet

of the major downsides has been the growth of

those attacks. For example, the denial of service

cybercrime, which has risen alongside the growth of

attacks which are very common on large companies

the connected world, exploiting new vulnerabilities as

are often used as a smokescreen to conceal the

security fails to keep pace with technology.

implantation of malware onto their systems. This can

then be used later to extort ransoms by threatening

The enemy is not only many headed and

As a nation we need to learn more about

driven by multiple different goals, but it is also hard

to cripple the system. Nokia were recently the victim

to identify. The ‘War of the Invisible Enemy’ has

of such an attack when blackmailers successfully

begun. Three elements encourage activity on this

persuaded the company to part with a suitcase

new criminal frontier; first, that it’s usually low

containing millions of dollars in exchange for the

risk and high return; second, it has the advantage

crucial piece of smart phone software.

of anonymity; and third, it often isn’t reported to

the authorities by companies who worry about the

demands, they may find systems data is wiped, their

reputational damage they will sustain.

files are encrypted to the point of becoming useless,

or their customer information made available to

These advantages have drawn large-scale

If the victims don’t give in to the criminals’


other criminals for use in cybercrime.

organisation and can identify who has accessed

them, may be the future.

Both the public and private sectors are

vulnerable to such attacks. In 2014, the banking

giant JP Morgan had cyber criminals sitting on their

to accelerate the process, which has already

servers for over two months before being detected. In

begun, of shifting finite resources away from

the meantime around 76 million personal accounts

conventional warfare and policing, and resourcing

were compromised along with seven million business

cyber warfare capacity.

accounts. Only a year earlier CIA contractor Edward

Snowden stole an estimated 1.7 million classified

significant changes to the law. First, all companies

documents from the US Government, significantly

– not just internet service providers as at present –

impacting their counterintelligence capacity.

need to have an obligation to report to the relevant

authorities when they are hacked. Second, all

In the future, new areas of vulnerability are

At a national level, governments need

I also believe that there needs to be two

likely to emerge. As IT becomes ever more important

companies that do business with the Government

to healthcare, the security of the most sensitive

should have a minimum level of defined cyber

patient records is worrying. Currently you can buy

security. I accept that this would exclude some

medical records on the black market at $2000 per

smaller firms from government contracts but I

person, but in the future this might become more in

believe it’s a price worth paying. Finally, the

line with credit card data, which is on sale on the

Government needs to appoint a single minister with

dark web for as little a dollar.

overall responsibility for cyber security. This is now

too important an area for us to take the risk that it

In addition to health data, even elements

of our physical identity could soon be vulnerable to

might fall between ministerial responsibilities.

hacking. During 2014, an unknown group of hackers

stole 5.6 million sets of fingerprints from the US

benefits of the extraordinary technological revolution,

Office of Personnel Management.

then we have to protect ourselves against those who

would exploit it for their own malicious ends. If the

None of this, however, is a counsel of

Overall, if we want a society to enjoy the

despair. The vulnerabilities that criminals exploit are

private sector, the Government and individuals all

often relatively easy to tackle.

step up and take control of their own cyber security

efforts, then I believe that we can and will win the

Companies are, for example, particularly

vulnerable to periods of mergers or acquisitions, when they often give new potential partners unparalleled access to their systems. Firms are also bad at vetting employees, especially junior staff like cleaners, but of course it only takes a moment to insert a USB drive into an unattended computer and infect the system with malware. Another problem is employees accessing social media through their work computers, permitting gateway access to potential saboteurs.

Relatively simple changes to security

can prevent this kind of incursion. Proper staff vetting, clear procedures to prevent easy access to secure networks, and careful consideration of vulnerabilities through supply chains are a start. More complex software, such as Glasswall, which tracks the movement of documents within an

invisible war.


CYBERCRIME | CAT BURGLARS

‘The War of the Invisible Enemy has begun’

35


CRIME HOPPERS Chi Onwurah MP | Shadow Culture & Digital Economy Minister, Labour Party


What is absolutely clear is that the levels of crime in the UK are not going down. They are just going online Crime is moving off the UK’s streets to reappear online, where the criminals find it much easier to evade the law, Labour’s Digital Minister Chi Onwurah says. The Newcastle MP was herself hacked in an attack that affected her Westminster and constituency offices for nearly a month.

moving online to where the criminals fail to get caught. It means we’re now less safe online than we are in the street.

These criminals are more

innovative, more motivated, and better financed than the good guys and yet we still don’t know the full extent of cybercrime as there’s such a huge under reporting of it.

CYBERCRIME | CRIME HOPPERS

In Britain crime is not slowing, it’s simply

I’ve had friends try to use the

UK’s anti-fraud website Action Fraud, where online crime is reported, only to

37


give up because it is too complicated. There’s also

but it needed to have a much higher priority on

the embarrassment of reporting it at all for many

the political agenda.

people.

What is absolutely clear is that the levels

As things have changed I believe there are

now two other growing areas that we need to give

of crime in the UK are not going down. They are

extra consideration for the immediate future.

just going online. It’s a lot less risky for a criminal

than breaking into a bank. They can also aim at

to have much less protection than operating

many targets at once, but as a society we’ve not

systems like Windows. Ofcom have said mobile

automated our response.

security should be left entirely to mobile

operators, which I personally think is not good

What we need to do is make cybercrime

The first is mobile phones, which tend

reporting easier and use better data analysis. Most

enough. That approach was repeated when, after

of the cases reported to Action Fraud are simply

the TalkTalk breach, I asked for a government

not taken up and investigated. We also need

response to what was being done, and the answer

automated analysis to make sure identifying the

was basically, ‘It’s nothing to do with us, guv.’

people behind the small time offences is much

easier. At the moment it’s relatively risk-free

Internet of Things - the idea that household items

activity compared to storming down the high street

connected to the internet will talk to us and each

and trying to break into a bank.

other. I'm a big believer in this technology. I’ve

studied it and even built bits of it - in a previous

Even a decade ago it was obvious this

was going to happen. Back then I was head

The second threat will come from the

career I was a software and a hardware engineer

‘Once criminals have data on you, you are vulnerable to a whole series of other attacks’ of technology for Ofcom and I was sent off to

and a network engineer building mobile, fixed and

Chatham House for a conference in 2004/5 on the

wireless networks. I was also the first MP to speak

subject of internet safety and crime.

about the Internet of Things in the House. I believe

it has the potential to transform our lives more

I came back with a whole load of terms

including digibots, white hats, wizards, and some

than anything since electricity, but there are huge

words they seemed to have invented on the spot like

security implications.

televiruses. When I reported back, people thought

it sounded like something out of Dungeons and

their data is being hijacked, used, stolen and breached

Dragons. But what we were all talking about then

- imagine how they will feel about their water supply

was exactly what occurred, it just didn’t get taken

being hacked? Their children’s bedrooms?

seriously at the time and that’s still the case. I went

back to that old presentation the other day and now,

is to keep its citizens safe, but it is already failing

everything is exactly as predicted.

that for citizens online. This will be a question

of standards, protocols, industry co-operation, self

In those days Ofcom, under Lord Currie,

People are already uncomfortable with how

The Government’s primary responsibility

was very clear that the internet was not within

regulation and - if necessary - legislation. Once

its regulatory remit, so nothing was done. It was

criminals have data on you, you are vulnerable to a

nobody’s responsibility, irrespective of the dangers,

whole series of other attacks.


We need much more protection for

HOW CHI’S CLAIMS STACK UP

individuals. Just 1% of the cybercrime budget is spent on consumers, with the rest spent on national

“We are less safe online than on

security and critical infrastructure, while small

the street”.

businesses and consumers are left to fend for themselves. The national defence budget is two to

For the first time cybercrimes were

three times the size of the police budget, but online

counted in the latest 2015 UK Crime

we spend around nine or 10 times more on national

Survey statistics leading to a shocking

security than personal security.

107% rise in all crime – more than

double the previous level - meaning

Industry needs to change too. I recently

launched the Association of Chartered Accountants

more than half all current reported

in England and Wales (ACAEW) report on cyber

crime now takes place online.

security. They are calling for big companies and

corporations to become much more pro-active in

Bureaucratic fraud reporting

taking responsibility for the small companies in

procedures.

their supply chain - and that goes for governments as well. That could mean bringing in both

Action Fraud is the online fraud reporting

reporting requirements and also insurance

website for the UK. It confirms that simply

companies reflecting this in premiums.

filling in the forms to report a cybercrime

takes “20 to 30 minutes”.

Being attacked myself last year brought

home a bit more the threats we face. We have five

people in my office which makes us about the same

Large numbers of cybercrimes are never

size as a small business. I had already spoken to staff

investigated.

USB sticks, but it looks like it may have got through

In the the last full year of figures Action

by someone clicking on a legitimate advert.

Fraud ignored three out of four complaints.

It received 230,000 reports of crime of which

What happened to us wasn’t exactly a hack.

It was a malware crypto-lock virus. It’s ransom-ware.

61,000 were passed to police to ‘consider’

It locks up files and it’s serious enough – certainly if

investigation, Home Office minister Mike

you believe the ransom and pay the money - or if you

Penning told the Commons.

don’t have the right IT support behind you.

Britain spends the majority of its

Luckily enough as an MP I had enough

support to deal with it. We lost three or four days

money on fighting international

of work, although it took about a month to get

cyber threats and very little on

back to normal. We believe it may have come from

consumers and small businesses.

an advert on a web page. It certainly wouldn’t

have come through any office staff and the firewall

In a written answer to Chi, the Secretary

should have got it, but as we know viruses can

of State for Culture, Media and Sport,

change their tags 3,000 times in a single day.

Ed Vaizey revealed that just £14 million

out of a total spend of a £840 million

Collectively, we have to realise that the

internet is not free and our whole lives will have

programme is exclusively aimed at small

traces of everything we do on it.

businesses and the consumer. (The

Government plans to double its total

It is not another world. It’s not another

universe, it’s used by criminals living in the real word right now.

CYBERCRIME | CRIME HOPPERS

about their online behaviour and not bringing in

investment of the next five years). 39


CYBERCRIME | EDITORIAL

CYBERCRIME STATISTICS

41


CRIMINAL ACTIVITY The estimated number of online crimes reported last year was 7.6 million. This is more than all other crimes combined. Only a fraction of online criminal activity is reported to the police, limiting the authorities’ ability to research and set effective policy.

There were an estimated 5.1 million cybercrimes and frauds last year

...and 2.5 million offences under the Computer Misuse Act


1. The 2015 UK Crime Survey 2. City Of London Police

CYBERCRIME | CYBERCRIME STATISTICS

A total of just 250,000 cybercrimes are reported to the police each year

...of those, 60,000 are investigated - and just 12,000 result in a prosecution

43


CRIMINAL COSTS

Cybercrime costs the UK £27 billion a year

£27bn

UK businesses are the biggest loser with an estimated total loss of £21bn

£21bn

The cost of the worst breach suffered has gone up sharply for all businesses sizes from £1.46m to £3.14m for large organisations and from £75k to £311k for small organisations Criminals are trading email account data for up to US $12, credit card data for up for up to US $30 (per card) and bank account information for up to US $125

£3.14m £311k $125 $30 $12


90% 81% 74%

There has been an increase in security breaches over the past year - from 81% to 90% for large organisations

...and from 60% to 74% for small organisations

60%

39% 27%

39% of large organisations and 27% of small organisations have insurance that would cover them in the event of a breach

Information Security Breaches Survey 2015 conducted by PwC in association with Infosecurity

CYBERCRIME | CYBERCRIME STATISTICS

50%

50% of the worst breaches in 2014 were caused by inadvertent human error

45


‘The demand for the cyber security workforce is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million’ Michael Brown, CEO, Symantec


47

CYBERCRIME | EDITORIAL


NOT KIDDING Mary Aiken | Cyberpsychologist and Professor of Cyber Analytics

We need a Technology Quotient – to identify the most talented children early


Millions of youngsters become less inhibited online than they would be in their own daily lives, Professor Mary Aiken, the world’s first forensic cyberpsychologist argues. Here the academic advisor to the European Cybercrime Centre, and inspiration for the CBS crime show: CSI Cyber, explains that as ‘cyber delinquency’ now costs billions to the world economy and it may be time to couple better policing with identifying and supporting the most cyber skilled youngsters from an early age.

In 2015 the UK saw a series of teenagers allegedly

youth in criminal activity online. In

involved in high-profile hacking incidents. These

2015 the Australian Bureau of Crime

included a British teenager who worked as a

Statistics and Research reported that

‘hacker for hire’ and was spared a prison sentence

cyber fraud offences committed by people

after cyber attacks from his bedroom targeted

under 18 years of age had jumped by

global institutions which allegedly ‘almost broke

26% in the previous two years, and 84%

the internet.’ He was just 13 when he joined a

in the previous three years.

network of online hackers.

Many were surprised by the young age of

Squad Commander Matt Craft said: “Fraud

some of those involved in these hacking incidents,

is a growing crime category, thanks in part

but it’s not really surprising that impulsivity and

to the proliferation of internet-based fraud

risk-taking behaviour comes to the fore during the

and other cybercrime.” In a recent survey

formative teenage years.

conducted by an online security company,

roughly one in six teenagers in the US, and one in four teenagers in the UK, reported that they had tried some form of internet ‘hacking.’

Hacking is a serious and costly

cybercrime. Dido Harding, the Chief Executive of TalkTalk, said that the total bill in the wake of the TalkTalk cyber attack would cost, including profit loss and exceptional costs, around £60m. Recent statistics suggest that there is an increase in the amount of cybercrime being perpetrated worldwide.

As noted in a Europol report,

cybercrime has evolved from a few small groups of hackers to a thriving criminal industry that costs global economies between $300 billion and $1

CYBERCRIME | NOT KIDDING

The reality is that for some time there

have been reports of increasing involvement of

Acting Fraud & Cybercrime

trillion a year.

Interestingly, the Director of

the FBI has stated that, “there are only

49


two types of companies: those that have been hacked,

and those that will be.”

investigation of human factors in cyber security.

I argue that online behavioural effects including

What is curious to note is not necessarily

One of my specialist areas is the

how fatalistic or pessimistic that statement is –

anonymisation, invisibility, immersion, and

but how odd it would seem if it were made in

disinhibition all seem to be contributing to

the context of real world physical security. The

the increased visibility and presence of cyber

combination of emergent cyber juvenile delinquency,

criminality in contemporary societies.

the cost of cybercrime and hacking, and a somewhat

pervasive resigned approach to the inevitability of

understanding why young people behave the way they

these crimes are all causes for concern for the global

do on the internet. Understanding the link between

economy.

disinhibition online and risky, impulsive behaviour

So what can we do? The answer may lie in

Online disinhibition is important in

in adolescents is critical.

developments in the scientific community.

of the issue. Recent research examined ethical

Cyberpsychology is the study of the

It's also important to consider the morality

impact of technology on human behaviour.

belief systems regarding physical shop lifting (e.g.

Approximately 30 peer-reviewed journals now

stealing CDs) and digital ‘soft lifting’. It found that

publish an estimated one-thousand articles every

moral beliefs would prevent a person from stealing

year on topics related to cyber behaviour, a field

a CD from a record store, but the same person was

that is expected to enjoy exponential growth in coming decades due to the pervasive and profound

‘There are only two types of companies: those that have been hacked, and those that will be’

impact of technology on mankind.

Unfortunately, I cannot help but observe

that the behavioural sciences have been somewhat blindsided by rapid evolutions of online behaviour.

In terms of a scientific investigative

approach, we really need to question if traditional psychological or sociological concepts are sufficient in understanding online behaviour. As scientists, will we need to develop new theories or modify existing ones?

As a cyberpsychologist my job is to deliver

insight at the intersection between humans and technology – or as law enforcement say ‘where humans and technology collide.’ While there are substantial benefits associated with technology, it can also be problematic. Consequence is critical what happens in the cyber world can impact on the real world, and vice versa.

My research to date has focused on

applying forensic cyberpsychology to criminal behaviour, ranging from cyber stalking to technologyfacilitated human trafficking. The one thing that I have observed is that whenever technology intersects with base human inclinations, the result are amplified and accelerated.

ambivalent about downloading pirated material. This suggests that there is a disconnection between real world ethical beliefs and online behaviour. So what is the solution for a generation desensitised by the consumption of illegally downloadable music, videos, software and games? And what sort of criminal activities might a generation of ‘virtual shoplifters’ progress to?

On the other hand, it could be argued

that as certain negative online practices become normalised, it can become increasingly difficult for young people to make the right judgement calls and if so, what can we do collectively to address the issues?

First and foremost I am an academic,

an educator who cares deeply about the impact of emerging technologies on all of us, and the societies


we live in. I am particularly concerned about the

We have to ask if, as a society, we really

effect of technology on developing youth, and the lack

want to criminalise 13, 14 and 15 year-

of focus on this problem from a societal perspective.

olds who offend from their bedroom.

Alternatively, do we want to try and

area. We know a lot about real-world criminology;

understand the behaviour, engage

we know about a kid in a particular home, in

with these incredible skillsets, mentor

a particular neighbourhood, with a particular

talented youth, and try to guide them in

group of friends that may get involved in juvenile

the right direction?

delinquency. But we know very little about

cyber juvenile delinquency, - compounding this

community has long fought an uphill and

problem, we know very little about the effect of the

losing battle to recruit new talent.

minimisation and status of authority in cyber space.

EQ and CQ (Intelligence Quotient,

Interestingly, Estonia has just introduced a

Let’s not forget that the security

We have scales for IQ,

‘Web Constable’ initiative, which may in time offer

Emotional Quotient and Creativity

some insights in terms of cybercrime prevention.

Quotient), but we don’t have any

scales for TQ – ‘Technology Quotient.’

In the next few weeks, in collaboration

with the European Cybercrime Centre (EC3) at

We need to develop metrics to assess

Europol, we will be launching a research initiative

technology related skillsets at the

investigating 'Youth Pathways into Cybercrime'.

earliest possible stage, identify those

who have the potential to excel in this

The project will draw together

existing, recent evidence on online behaviour

area, and then develop this talent. This

and associations with criminal and anti-social

problem space is not confined to youth

behaviour, specifically exploring the pathways

hacking - there are wider societal

that lead to ‘cyber criminality’.

issues that provide context for the

behaviour.

We will be examining the behaviour of

young offenders and victims online, and producing

guidelines and information for professionals working

a new world order where privacy, national

in the prevention and intervention of online youth

security and individual rights are being

offending, as in the case of hacking.

rewritten because traditional checks on

anti-social behaviour are absent online.

Additionally, we aim to support victims

Cybercrime represents a shift to

and agencies who are susceptible to multiple

Where is the societal debate? What is the

aggressive and significant financial attacks, such as

role of governance online or cyber ethics?

members of the finance and banking sectors. We

anticipate that the research outputs will have wide

was designed to be rewarding, engaging

international relevance across the European Union

and seductive for the general population

and internationally. Crucially, the findings will aim

- but did anybody really think about the

to inform prevention, practice and policy.

impact on criminal, deviant or vulnerable

groups?

As a cyberpsychologist, I’m often asked

what the motive is to engage in hacking. It’s a broad spectrum - motives can range from hacking for profit to hacking ‘just for fun.’ We should not lose sight of the fact that hacking is in fact a

I often observe that technology CYBERCRIME | NOT KIDDING

There is a paucity of research in this

skillset; over time it has become a pejorative and negative term.

51


THE STRONG, SILENT TYPE Janis Sharp | Mother of Gary McKinnon

Asperger’s often means an obsession with logic and a sense of injustice


Pinksy the cat patrols silently outside, watching a

collection of recently rescued goldfish criss-cross

of high functioning autism - often have

the garden pond at the house of Janis Sharp,

an obsession with logic, a heightened

mum of Gary McKinnon.

sense of justice and an intense curiosity

The prowling feline is named in honour of

that makes them want to know everything

Pink Floyd musician David Gilmour - the rock star

about a particular subject. It's a perfect

who helped rescue this family as they faced mounting

personality match for a hacker.

psychiatric and medical bills for defending their son

Gary against a possible 60-year US jail sentence.

involved his search for a US cover-up of

Inside, Gary’s mum Janis talks

In Gary’s case the curiosity

evidence of extraterrestrial life – under

affectionately about her son, who in the past month

the hacker tag ‘Solo,’ a tag previously

has been hailed as "'number 1' on the list of black hat

used by another infamous hacker.

hackers" by renegade hacking group Anonymous.

The group say his alleged 2002 raid on

Today Janis admits she is

worried for the future of another

97 Pentagon and NASA computers where the US

similar hacker. Lauri Love, 28, is also

claimed he stole passwords, deleted files and shutdown

facing extradition for breaking into US

networks on military bases, makes him the best "black

Government computers.

hat" hacker ever in a list of the world’s top ten.

Strange then, that the “vulnerable” son that

“He also has Asperger’s,

is idealistic and says too much

Janis talks about actually bears more resemblance

politically,” she says.

to a famous detective than a criminal mastermind.

“Believe it or not Gary looks unbelievably like

brightest computer brains may be being

Benedict Cumberbatch,” Janis says.

wasted and criminalised when they may offer

far more skills in a cyber addicted society.

"When Sherlock was on TV, even his

She fears many of Britain’s

solicitor Karen Todner wrote to me and said:

'God, he’s Gary’s twin!'"

to get children off their computers, but

It is three years since Home Secretary

Theresa May blocked Gary’s extradition to the US on

“The shame is people are trying

they’re often so advanced. Technology is getting so fast and and moving so quickly.

the grounds of his human rights after ruling there

“Around one in 100 children

was, “no doubt he was seriously ill.”

have Asperger’s. Do we have a way of

harnessing their skills? We need an

Still instantly recognisable, Gary shuns

interviews and public places where he can be

outlet that can harness what they have

recognised. Gary’s mum says that like many others

to offer in the best possible way.”

with Asperger’s, he has a “fear of socialising,”

although he enjoys talking about UFO’s and the

of Defence Analysis at the US Naval

theories that surround them.

Postgraduate School, has argued that

“Many people with Asperger’s shut themselves

John Arquilla, Professor

winning future cyber wars may not be

away in their rooms. It’s a choice thing,” says Janis.

possible without hiring master hackers

“I remember once a girlfriend of Gary’s had arranged

who can “walk through firewalls.”

a party. Her relatives were all there. They were all

standing in one corner of the room looking not happy at

to call for Gary to be allowed to go free,

all and Gary was in the middle at this big table on his

Arquilla says the world’s best hackers

computer. I went up to him and said 'Gary, it’s a party.'

often have a “startling intelligence,

He looked at me and said 'But it’s my party too,' and I

and a deep attraction to the beauty and

said, 'Yeah, but this is not what you do!'"

complexity of cyber space.

As one of the first US figures

CYBERCRIME | THE STRONG, SILENT TYPE

People with Asperger’s - a type

53


“They are not motivated by a desire to

interviewed on TV following his arrest by the

disrupt: if anything, they are devoted to free, secure

National Hi-Tech crime unit in the UK that he

flows of information,” he says. He compares hackers

was diagnosed,” Janis says.

to being like “shy woodland creatures” - a description

that has them “down to a tee”, Janis says.

interviewer said 'Obviously you thought you would

Many people with Asperger’s are already

“During the TV interview, the

leave a bit of egg on their faces?' and Gary said

being employed in America. Paypal founder Peter

quizzically ‘It wasn’t egg!’”

Thiel says: “In Silicon Valley many of the more

successful entrepreneurs seem to be suffering from

you could have sent terror through the network,”

a mild form of Asperger’s, where you’re missing

and Gary, who had posted a note during his US

the socialisation gene. It happens to be a plus for

military hack saying ‘Your security is crap’ replied:

innovation and creating great companies.”

“I don’t think you can send terror through a

Janis, who wrote her autobiography ‘Saving

Then the interviewer told him: “At worst

network by leaving a note.”

Gary McKinnon: A Mother’s Story’ in 2013, adds:

“In Silicon Valley they employ loads of people

watching started calling me, a combination of

with Autism Spectrum Disorder, because they are

parents of people with Asperger’s and experts. They

attracted to the logic. They’re extremely good at their

realised Gary was taking the questions literally, and

obsession. They can talk about it until everyone is

explained, ‘he’s got Asperger’s.'”

bored out of their head,” she laughs.

lack of facial expression - also clear traits of ‘Aspies.’

“Gary is not a genius,” she says, “but simply

Janis explains: “People who had been

They also noted his monotone voice and

has a lateral way of thinking and did significantly less

Within weeks he had been diagnosed with the

than he has been accused of,” she maintains. “It is

condition by leading UK experts Simon Baron-

wrong to blame him and others for crossing over into

Cohen and Thomas Berney.

less legal computing methods.” She adds, “if you leave

a child in a room with a computer, human nature

socialise with others with the same condition. “We

means they always want to see what’s on the other

went to a Jools Holland concert for people with

side of the fence. If you tell a child not to search for

autism and Asperger’s and the autistic performers

something - of course they will, because you can find

and autistic audience all got on like a house on fire,

information on anything on the internet, and it can

Janis says, “it’s almost like an alien race who light

lure the obsessive into dangerous waters.”

up when they’re together and when they talk to each

Gary, 49, is currently living with his

Many people with ASD change when they

other. Many people with Asperger’s often say they

girlfriend Lucy Clarke, 40, who he met during

feel as though they are living on the wrong planet.

the course of his ordeal. Gary now runs a small

There’s even a website for people with ASD called

search engine optimisation business. “He’s very

www.wrongplanet.net.”

young for his age, innocent but not backward,” she

The end of the 10-year campaign to block

says, “he sings, he plays songs - he’s a very good

Gary’s extradition has left Janis looking happy

musician and he cooks. They’re very different but

and relaxed.

Lucy is good for him. They both love cats, food

and music. Lucy would like a family and Gary is

and you’re under intense pressure. The fear is awful.

amazing with kids, but I think it might be too late

Only someone who has gone through it would

for them to have children. Gary also worries about

understand it. You are actually living in terror. You

the responsibility. He can flip from job to job; if

wake up every morning with this fear and go to bed

someone says something he leaves. He can’t take

every night with it. You are imprisoned by terror.”

the confrontation.

Prosecution Statement that says: “The evidence we

“Incredibly it was only after Gary was

She says of the experience: “You’re trapped

She is careful to point out the UK Crown


‘In Silicon Valley many of the more successful entrepreneurs seem to be suffering from a mild form of Asperger’s’ have does not come near to reflecting the criminality

says. “They quickly become part of

that is alleged by the American authorities.”

your family. When the first group we

The family say they were surprised and

fostered left we would find ourselves

hugely grateful when Pink Floyd’s David Gilmour

crying for months afterwards.

offered to help them meet their bills. “David Gilmour

wanted to help us,” Janis says, “I wouldn’t accept

the extradition debate there was a knock

money, but he insisted and paid Gary’s psychiatrist

on the door and there were two young

bills, which amounted to just under £10,000.

social workers standing outside in the

dark with a little boy and his baby

“Then he donated on our behalf, thousands

“Even when we were watching

of pounds each to Liberty, NAS, Research Autism,

brother. We knew we shouldn’t take them

Simon Baron Cohen’s ART (Autistic Research Trust)

at that point in time because there was so

plus various amounts to others who had helped us.

much going on, and so much to do, but

We had just been forced to sell our house and David

we couldn’t say no.”

Gilmour and the electronic band The Orb, who collaborated with him, really saved our lives when we were truly at rock bottom in every sense of the word.” She is also deeply thankful for the endless

support of Trudie Styler, Sting and Sting’s sister Anita Sumner and the support of thousands of others including Home Secretary Theresa May for her incredibly courageous decision to keep Gary in the UK. “The support from our rag tag Twitter army was also incredible and proved to be an awesome force,” she says.

At home, Janis and her husband of

42 years, Wilson, have fostered more than 60 children, and are currently busy caring for three children under four in their Hertfordshire home. The youngest of the three wobbles happily across the floor in front of us.

CYBERCRIME | THE STRONG, SILENT TYPE

“It’s very upsetting when the time comes

for them to move on as you can’t help worrying about their future and how they will fare.” she

55


SPACE INVADERS Mum of 13-Year-Old Schoolboy

My 13-year-old researches how to hack NASA A generation of millennials is exploring the Internet to a degree their parents struggle to comprehend. Here Clare, the mum of schoolboy Alex from South London, reveals how she found her son trying to connect to the Dark Web and watching an instructional video on ‘How To Hack NASA.’

I find it difficult to control Alex’s computer time. I try to keep an eye on it, but for him the online world harbours all these amazing possibilities, games and activities and hooking up with people. I’m sure it’s very relaxing for him without an adult telling him what to do all the time. He’s nice and warm curled up on the sofa in a world where he has an amount of control.

There are obviously many inherent

dangers, including the prolonged damage of just sitting down for a long time. You can’t entirely know where they are going and what they're seeing even with parental controls.

Alex spends so long on it that I have to

try hard to find other things for him to do. The computer is often a great babysitter - although I don’t say that without a twinge of guilt - and children of his age don’t want you looking over their shoulder all the time. Then, as soon as I take it away from him, he says: “But Mum- I need to go online to do my homework.”

Recently I saw Alex looking at a YouTube

video on ‘How To Access the Dark Web’ and the instructions for putting up ‘mirrors’ so he could go on there without being traced. Then on a separate occasion I noticed he was watching something about ‘How to Hack NASA.’ We talked about it and I don’t really believe it is something he’s likely to do, but he’s just very a curious boy. He has a


a

scattergun approach to the things he’s interested

in, so he often sees something and then loses

keep up, then I think we might need

interest, but it certainly concerned me.

another level of support, like peer

mentors to help some of the children

We’re lucky that he is quite open with us.

If parents and schools can’t

Whatever we do or say as parents, we try to make

who are most interested in technology.

sure he is honest about what he’s doing, but children

I always try to be clear about what he

will always be a step ahead. We can let them know

is doing, but you can only let them take

where to go, but they can always find the next big

you by the hand and show you.

thing before we know that the dangers exist. Parents

are just very behind. Besides, the information is out

technology as a society and, for boys like

there - if he really wants to find it, he can.

him, who are a bit socially awkward

and struggling to do their growing up in

I don’t think all the other kids are as

We all have to embrace

fascinated by computers as Alex. The teachers at

public, it’s nice if he can test things out

school are certainly a long way behind. His least

without having to worry about being face-

favourite subject at school is ICT (Information and

to-face with other people all the time.

Communications Technology). He finds it frustrating

and says he knows the answers while the teacher

I can help make it a safe environment for

is still figuring out which button to push on the

him to do that.

But for me it’s just a worry how

computer. He told me they set him a task designing a programme on Scratch (a coding site), and he knew

* Names have been changed.

how to do it straight away and he didn’t think the

‘The information is out there - if he really wants to find it, he can’

CYBER CRIME | SPACE INVADERS

teacher even knew herself.

57


DUCK AND COVER Luke Harder | Hacker, Anonymous - Interview with Ben Jackson

Legislation will never keep up with technology They are the world’s most infamous hackers - known for attacking ISIS with images of rubber ducks and with a long list of hacking victims that includes Donald Trump, child pornographers, The Church of Scientology and the city of Sacramento. They claim hackers can train in just five years and their simple slogan threatens: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.” Here - using a pseudonym - 34-year-old Anonymous member Luke Harder challenges the damages companies claim they suffer after being hit by hackers. The LA-based hacker also reveals why any “High School student with a C average” is clever enough to join the underground group and why the Internet is not the answer to all the world’s problems.


So Anonymous - politically-motivated campaigners

So the humour stops it feeling like a

or the Internet’s chief mischief makers?

moral mission?

What the original people involved with Anonymous

A lot of times, the things Anonymous

did was pranks. There wasn't any raw fibre to it. It

does are just to attract attention. In

was just to be funny. (For the lulz). So that’s always

the grand scheme of things most of it

been a theme of people who have been with the

doesn’t have a huge effect.

organisation for a long time. If you take things too

seriously it takes the enjoyment out of it. To be

gets hacked, the damage numbers

fair, I’m not part of the group that was in it just for

are inflated on the company’s behalf.

fun. I didn’t become interested in Anonymous until

They’re collecting insurance and they’ll

it was standing up for something. It was standing

say a hack cost them $3m. Yeah, right!

up for Pirate Bay (a file sharing site) and quickly

They were already paying their IT guys

afterwards Wikileaks as well.

$67,000 a year. They pay them some

overtime to work 36 hours straight to get

When a company or institution

everything back up, maybe they had a consulting fee for $150,000 to an outside company - these things are inflated.

The real impact is the attention

and that is so much better if something is funny or fun or humorous - as opposed to some serious message. It’s like ‘Oh God, we’re sick of serious messages’ - and I’m speaking from the public’s point of view too. Think how much more entertaining it is to read an article where somebody changed someone’s website to something funny. It works much better. If you make

CYBERCRIME | DUCK AND COVER

people think it’s funny - you won’t make

59


people sick of it. But there’s a bit of a divide amongst

stuff together in a pile, that’s just a pile right? It’s

people in the group who insist that they’re for laughs

not organised, it’s not alphabetised, it’s not sorted by

and people who are too upset to laugh anymore.

colour. There’s no organisation, it’s just a pile!

Does that mean that attention is the guiding

That has to bring limitations. It’s hard enough

principle above everything?

getting agreement when there are just five people in a room.

More or less. There’s definitely some damage element to it too. Sometimes the goal is to hurt the enemy

But that’s just the thing. Organisation amongst

who is getting attacked, but a lot of times it’s just to

people inevitably requires a shift of power.

get some attention on the issue. Isn’t that the idea

It requires those in the lesser positions in the

with any protest? It also helps to create a brand, so

organisation to give up their power to someone else.

there’s a common theme running through all of this.

So if you abandon the organisation everyone has an equal amount of power, which is what democracy

How do you translate public sympathy into

really should be. It’s an experiment in democracy in

recruiting members? Is recruiting important?

its purest form. The only thing that can affect it is a person’s voice.

I’m not aware recruiting exists. It’s more like the

recruiting is done as a safeguard, because we know

Does that work in practice?

people are coming in and we are trying to save those people from themselves. That’s why there are guides

You tell me? Something is working - we’re talking.

for people. If you want to be Anonymous, there’s a

If you went and told your editor, “I’m really sorry,

guide on how to hide your identity, and how to use

but I p-ssed that guy off something fierce,” he’d be

Virtual Private Networks. Those guides are put out

f-cking scared right? He wouldn’t have any right to

more to save those people than for recruiting, because

be, because I’m not that type of person in general and

it would be bad for the brand if a bunch of people

it’s purely hypothetical, but I would say what we have

tried to become Anonymous and they all went to jail.

constructed or created is working quite well.

But then there’s no shortage of Anonymous

The ISIS campaign is interesting. That’s a big

members who have gone to jail.

thing to go after.

It would be interesting to compare the number of

They’re just people. Can Anonymous stop ISIS?

people who have gone to jail versus the number

No - the only effect we have is on the internet and

who have been arrested and which of those are

communications, but compared to a government

confirmed members of Anonymous. We could

agency we’ve got the manpower.

compare it to the incarceration rate of an average country. What would those numbers be? Maybe

How do you work within and without the law?

there is a shortage of people being arrested? I mean

There must be some consideration of how far you

maybe our percentage is really small!

can go or not?

But you’re not like a country. You’re an organisation.

That consideration is only weighed in risk. How badly do you want to avoid being locked up? The

You have to think about the definition of that. People

question is what are you willing to risk for this cause.

use that world wrongly. An organisation means

There are things that are not as risky to some people

there is organisation. If you just have a bunch of

as they are to others.


‘It’s an experiment in democracy in its purest form’ In terms of the technical skill level of those

So can laws help keep malicious people

working for Anonymous, is it on a par with

from doing damage on the Internet?

anything out there? Legislation will never keep up with It’s on a par with a High School student with a

technology, largely because the people

C average.

making legislation don’t know a goddamn thing about technology. There’s no way

Explain?

they can make laws to contain it if they don’t understand it. It would be like

The actual technology and knowledge required to

someone who had no concept of the Laws

hide your identity fits on a single sheet of paper.

of Physics trying to make laws about how

That’s not hard. Actually hacking something, that

people can move.

requires skill. It’s going to take some practise and some quality hardware. (Anonymous training guides

Here in the UK, the Government is

suggest five years of study)

justifying the fact that they can monitor people are trying to limit your freedoms

programmes off the shelf which they can or can’t

and that governments don’t get it?

operate. Is that something you have a view on? It’s not that they don’t get it, they’re It’s tough because it’s a situation that makes a lot

terrified! We’re taking power away from

of people have a desire to create a law around it,

them. Once they gained the ability to

because it can have a malicious effect. When you study

effectively just open your mail - because

something and learn it - you learn to have a respect

that was the only communication other

for it. Much like someone who has been crafting and

than face-to-face that anybody had for a

milling revolvers for a lifetime. He’s the last person

long time - once they gained it, losing

who is going to misuse a revolver. He’s got respect for

that becomes terrifying. That gave them

it. Then when you give that revolver to somebody who

such an enormous edge, so how could you

is not very bright and doesn’t have any respect for it,

ever relinquish that?

CYBERCRIME | DUCK AND COVER

all communication. Do you believe We are increasingly seeing people renting hacking

something bad’s probably going to happen. 61


Is it the case that many types of encryption are now

And that’s why you would want to be a part of it?

beyond the security services ability to read them? I think it’s an effective tool against those who would Yes, but that’s something that constantly evolves. Ask

consolidate power.

any locksmith. If you don’t keep up you’ll go out of business. You have to keep making a better lock. It’s

Do you like being called hacktivists?

an endless cycle. It’s the only part of capitalism that can experience endless growth. The Internet keeps

Well it’s clever. It’s a misnomer, but it’s kind of too

changing, so you have to keep updating and you have

late to change the name. I don’t really care for it, but

to keep changing your protection.

it’s like hover boards. It’s not actually a hover board, but it’s too late to change the name now. You might

That will have a bearing on the Internet of

as well get with it. I reserve the word ‘hacker’ for the

Things. Are people right to fear the possibilities?

elite. If you look at the internet as a separate society, a hacker is like a superhero – you’re able to alter

It’s like being afraid of being hit by a meteor. You can’t

reality in a way a normal citizen cannot.

walk around in fear all the time. Enjoy the technology. Your dishwasher may go awry because someone hacked

There’s a really good analogy to describe this.

it, but it’s not going to become some epidemic. If it does,

Anonymous is like a flock of birds - at any point a

those products just won’t be successful.

bird can fly up out of a tree and join the flock or go land on a street lamp. The only thing that makes the

The Internet is something we have appreciated

flock of birds a group is that they’re headed in the

and loved, but aren’t we going to have to learn to

same direction.

fear it more too? I don’t know if fear is the right word. I think respect would be a better word. Why on earth do we need the Internet hooked up to the goddamn water supply? The water supply has worked fine for years, I don’t see what good that does. So we draw lines between what we do and don’t want to tamper with? Absolutely. Not so long ago there was a test on the new Jeep Grand Cherokee. Somebody driving along next to one doing a stunt for a magazine hacked into the control system from the car driving beside it. It was terrifying what was possible. Why is anything besides the radio hooked up? Do you know what I mean?

A Anonymous. Are they a force for good? As a society we generally assume that people are inherently good. It would be hard to assume that Anonymous is anything other at this point.


ANONYMOUS ATTACKS THE CHURCH OF SCIENTOLOGY

and posted a video following the death

2008 - Anonymous’ first widespread example of

of Tamir Rice, 12, a boy with a BB gun

activism came after waging war on the church -

shot by a police officer in a Cleveland

warning the group it would be ‘expelled from the

park. Anonymous also uncovered

Internet’ and launching DDoS attacks, prank-calling

the phone number and address of a

its hotline and sending black faxes to waste ink along

policeman involved in the shooting.

with thousands protesting in Guy Fawkes masks from

the film V for Vendetta.

announced a major operation against

PIRATE BAY 2009 - Anonymous

ISIS 2015 - Anonymous

ISIS after the Paris attacks, declaring,

hit back after an Indian software firm, Aiplex

“Anonymous from all over the world will

Software, was contracted by film studios to launch

hunt you down. You should know that

DDoS attacks on websites hosting pirate content,

we will find you and we will not let you

like Pirate Bay. Together they shutdown the

go.” ISIS responded with a telegram

firm’s website and then targeted the Recording

calling them “idiots,” and asking, “What

Industry Association of America and the Motion

they gonna hack?”

Picture Association of America posting the

message: ‘Payback is a bitch.’

pictures of rubber ducks in place of

WIKILEAKS 2010 - As Wikileaks

Anonymous photoshopped

ISIS fighters, spammed twitter feeds

released hundreds of thousands of leaked US

with cat memes and replaced one site

diplomatic cables, Amazon, PayPal, MasterCard and

with an advert for Viagra. It claimed to

Visa cut off its services. Anonymous hackers brought

have taken down 3,824 pro-ISIS Twitter

down PayPal and hit Visa and MasterCard sites.

accounts - later increasing that to 20,000

SONY APRIL 2011 - Anonymous attack

although the list was later found to

Sony for trying to stop hacks into the PlayStation 3

include many inaccuracies.

consule. More than 100 million Sony accounts were

compromised and services were taken down for a

Anonymous attack the website for Trump

month apiece by cyber attacks.

Tower in New York after the Presidential

LOLITA CITY 2011 - Anonymous takes

DONALD TRUMP 2015

hopeful proposed that all Muslims be

down more than 40 illegal child pornography

blocked from entering the US.

websites. The hackers specifically targeted Lolita

City, a file-sharing site used by paedophiles,

Hackers release a video warning of

and leaked the names of the site’s 1,589 active

consequences for the city of Sacramento

members to the public.

if the city does not lift its ban on urban

TAMIR RICE 2014 - Anonymous shut

camping, a measure it called a ban on the

down the website of the police in Cleveland, Ohio

human right of sleeping – and seen as an

SACRAMENTO 2016

anti–homeless measure.

CYBERCRIME | DUCK AND COVER

63


The Codemaker Phil Zimmermann | Silent Circle and Blackphone Coder

People used to ask ‘Are you a criminal? What have you got to hide? Now they give me awards’ Phil Zimmermann is in the Internet Hall of Fame and has been named as one of the world’s top 50 tech visionaries. The code he first published as an anti-nuclear activist 25 years ago has been adopted by almost all of the world’s intelligence agencies. His latest venture, Silent Circle, makes the ultra sophisticated Blackphone, and was founded with former US Navy Seals. Yet the 62-year-old firmly believes snoopers know too much about us all – worse, their tactics may be leaving us wide open to criminals.


Phil Zimmermann is responsible for bringing privacy

to the Internet. As an anti-nuclear campaigner in the

encryption has gone from "almost forbidden to

Eighties he feared the US Government was snooping

required in America and Europe", he says.

on him and other protestors who opposed nukes.

His simple idea was to write a piece of

The incredible turnaround has come as

“We had to fight all through the 1990s. If

you were using strong crypto (code) then you had to

code that would make his communications and

explain yourself: 'Why are you using strong crypto –

files invisible to their attentions.

are you a criminal? What have you got to hide? You

His encryption was light-heartedly

must be up to no good.'

named Pretty Good Privacy and published in

1991. It took its moniker from Ralph’s Pretty

to explain. If you are a doctor or a clinic and you

Good Groceries, a fictional store on a US radio

don’t protect your patient records with encryption you

programme by Garrison Keillor.

are in violation of the law.”

But the results were better than pretty

“But today if you’re not using it, you have

Despite creating virtually uncrackable

good. Much better. The free software for encrypting

codes, the cyber world has not become more

emails worked by assigning one public key to be

secure. Phil says, “Is there a perfect level of

shared, with one private key, known only to the

security? No, It’s an arms race!

individual for decoding their emails.

It was passed around, first across anti-

“The very best cryptography is now much

stronger than the very best analysis. But the

nuclear groups in the US, before rapidly spreading

reverse is true in cyber security.

internationally across countries where dissidents of

all types feared government snooping.

prevent your computer from being attacked by

Its success enraged the US Government,

“The really difficult problem is how to

malware. If someone can seize control of your

who had been planning new laws governing access to

computer through hostile software it doesn’t matter

emails and other data.

how good your encryption is.

So just two years after its release, they

“By the early 2000s we won the ‘crypto-

moved to prosecute Phil, then 38, for export

wars’. But maybe the codemakers should have asked

of ‘munitions’ - as encryption software was

why. Cryptographers thought we had presented our

categorised at the time.

opponents with math problems.

The prosecution spent three years

“But the US National Security Agency

building their case, only for Phil to ingeniously

were able to change the problems. They realised that

escape trial when he published his entire code in

they only needed to figure out a way to get control of

a book – where its contents were protected under

the computer - then who cares how hard the math

the First Amendment.

problems are? You’re bypassing all that.

Today the same code is now the most widely

“We all knew as security professionals

used encryption software in the world, and also used

these vulnerabilities were there, but it wasn’t until

by almost every intelligence agency on the planet.

the Snowden revelations that we discovered how

breath-takingly sweeping the NSA was – it had just

Meanwhile Phil himself has turned

his hand to uncrackable phone technology, as

completely owned everything.

a founder of the Geneva-based communications

company Silent Circle.

we didn’t think it was anything like that.

In a strange turn of events, the son of a

“The enormous depth and breadth of it – “It’s like if your house has a thick steel

concrete mixer driver, has also been hailed by those

door. You might be thinking about making it thicker,

who once worked to destroy him – with the head of the

but right beside it is a glass window and all you’ve

United States National Security Agency presenting an

got to do is break through that to get in.

award to enter him into the Cyber Security Hall of Fame.

But, he adds, proudly: “If you look at


Snowden’s documents they have a list of all the

opens the door for bad guys to get into

things the NSA has ever broken into – conspicuously

our computers.

absent was anything I’ve ever worked on.

"The NSA was spying on the American

“It’s like the police saying,

‘We don’t want you to have locks on

public on a mammoth scale, not just the meta data

your doors because it’s more difficult

(the name, subject name and timing of e-mails), but

for us to come in.’ But we need the

the actual traffic. That’s the moral difference that is

locks to keep out the criminals!

producing so many whistleblowers."

He warns: “For many years, I have lectured

“Google had back doors on their

servers for law enforcement purposes, but

that Moore’s Law is a threat to privacy. The human

the Chinese used those same back doors to

population is not doubling every two years. but the

survey their dissidents.

ability for computers to keep track of us is.

“Moore’s Law is behind the cameras. There

“When you put back doors in

they will be used by other people!”

is facial recognition software behind that and Optical Character Recognition software that reads licence plates.”

Phil, who ironically says he seldom

uses email, believes governments should not be

‘Is there a perfect level of security? No, it’s an arms race!’

CYBERCRIME | THE CODEMAKER

'interfering' with computer security because “it

67


BENEATH THE SURFACE John McAfee | Creator of anti-virus software


The Underground Internet is a playground for hackers The percentage of the population that is tech savvy is higher than ever. Across the world grandmothers know how to tweet using their iPhones and they no longer make a funny face when told to “Google� something. Progress.


Our level of dependence on computer systems

one of the worst attempts – the 2012 attack on Saudi

in business and industry is deeply ingrained.

Aramco, one of the world’s largest oil companies.

Computers are everywhere and they now power

Within hours, nearly 35,000 distinct computer

the infrastructure and processes that make

systems had their functionality crippled or destroyed,

everything function. The more we come to depend

causing a massive disruption to the world’s oil supply

on these systems, the higher the stakes will be

chain. It was made possible by an employee that was

when someone tries to harm us by hacking them.

fooled into clicking a bogus link sent in an email.

This is social engineering.

Behind the internet of networked computers

that everyone sees and uses on a daily basis lies another,

deeper realm that can be collectively termed the

engineering, and it is the human elements in your

Underground Internet. This underground consists of the

organisation that are going to determine how difficult, or

Deep Web and the Dark Web.

how easy, it will be to hack you. We – the users – are the

weakest link in the chain of computing trust, imperfect

The Deep Web is the collection of

Believe it or not, 90% of hacking is social

information that is available on networked

by nature. All of the security software and hardware in

computers, but is not indexed by search engines and

the world will not keep a door shut if an authorised user

other typical data-retrieval tools.

can be convinced to open it.

The Dark Web consists of overlay networks

The good news is that there are

that use the same infrastructure as the public web but

patterns that we can look at and, in some cases,

require special tools and knowledge to access. Both lie

use to predict where the next attack may fall.

beyond the casual reach of the typical Internet user.

Experienced hackers don’t concern themselves

‘The Underground Internet is beginning to spill over into the mainstream web’

The Underground Internet is a playground

much with your firewalls, anti-spyware software,

for hackers. It has troves of information that never

anti-virus software or encryption technology. They

were intended to be publicly shared that can be used

want to know whether your management personnel

to create havoc in the physical world. It also contains

are frequently shuffled; whether your employees

a wealth of information that can be used to gain

are dissatisfied; whether nepotism is tolerated

even more sensitive data from private networks and

and whether your IT managers have stagnated in

computers – information that could fuel the most

their training and self-improvement. They want

successful hacking attacks.

to know what level of transparency exists within

the corporation and how bloated your chain of

A look at the world’s worst hacks reveals

a common pattern: these hacks were mostly not

command is. In short – they want to know how

accomplished by using sophisticated hacking tools or

healthy and nimble your organisation is.

brute force attacks on security mechanisms. Consider

While any individual or organisation is


susceptible to an attack at any time, hackers, like

THE SECURITY KING

anyone else, will tend to go after the low-hanging fruit. Why go after a tightly-knit organisation of

Internet security king John McAfee became

competent, satisfied professionals supported by a

a household name and enormously wealthy

stable IT staff unless there is a tremendous and

as his software businesses rocketed in the

unique payoff promised? There would be greater

Eighties and Nineties.

risk involved and the chances of success would be low. Instead they will target an organisation with

John McAfee, 70, worked for NASA

identified human and structural vulnerabilities.

and Lockheed before developing the first

anti-virus programme after discovering a

To make this identification, hackers have

traditionally turned to the Underground Internet.

copy of the ‘Brain’ virus. His fortune of

But recently it has started to become even easier,

$100 million (£67m) was built by giving

as the Underground Internet is beginning to spill

away his software free, but charging for

over into the mainstream web. Shocking types of

updates. He later moved to Belize in

information that used to be available only for a price

2007 to develop natural antibiotics, but

on the Dark Web can now be found using simple web

went on the run after being wanted for

searches or mobile apps and can be found by anyone.

questioning over a murder of a neighbour.

While some of this information may seem innocuous

He has since moved back to the US and

to the untrained eye, the fact is that much of it is

Belize authorities have seized his assets,

manna falling from hacker heaven.

but have not sought to pursue charges.

What this means is that protecting systems

and networks against successful attacks just got harder, and will require us to take a good look at ourselves and our organisations. IT professionals are accustomed to securing hardware and software.

But how well do you know the human side of your organisation? Is there information about your organisation out there, right now, migrating out of the Underground Internet to appear in simple web searches? Does this information make your

Answering these questions honestly and

taking the time to find out for ourselves what information is already available about us needs to become required best practice for IT security. We are accustomed to securing systems and networks against sophisticated teams of hackers. But information wants to be free; just like water it will flow freely once released from its container. Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your

CYBERCRIME | BENEATH THE SURFACE

organisation an attractive target?

organisation prepared? 71


‘Shocking types of information that used to be available only for a price on the Dark Web can now be found using simple web searches’


DON’T FORGET TO LOCK THE BACK DOOR! THE FBI is demanding Apple unlock the security

could be used over and over again, on any

to an iPhone used by US terrorist Syed Farook, who

number of devices. In the physical world,

murdered 14 and injured 22 in December 2015.

it would be the equivalent of a master key, capable of opening hundreds of millions of

US justice officials say it is a reasonable request

locks — from restaurants and banks to stores

to gain evidence from a single phone, but Apple

and homes. No reasonable person would find

boss Tim Cook, is refusing, claiming the FBI is

that acceptable. The Government is asking

demanding “a master key” that could be used to

Apple to hack our own users and undermine

unlock hundreds of millions of iPhones.

decades of security advancements that protect our customers — including tens of millions of

Apple will fight the order to build a custom version

American citizens — from sophisticated hackers

of the company’s famous iOS software all the way to

and cyber criminals.

the Supreme Court, he says. The same engineers who built strong encryption Other top tech CEOs including Mark Zuckerberg of

into the iPhone to protect our users would,

Facebook, Sundar Pichai of Google and Jack Dorsey of

ironically, be ordered to weaken those protections

Twitter have supported Apple along with the American

and make our users less safe. In spite of the FBI’s

Civil Liberties Union. But Microsoft’s Bill Gates

claim that it would protect the back door, we

has sided with the US Government saying: “This is

all know that’s impossible. There are bad apples

a specific case where the Government is asking for

everywhere, and there only needs to be one in the

access to information. They are not asking for some

US Government. Then a few million dollars, some

general thing, they are asking for a particular case.”

beautiful women (or men), and a yacht trip to the have full access to our secrets.

“It has finally come to this. After years of arguments

With all due respect to Tim Cook and Apple,

by virtually every industry specialist that back doors

I work with a team of the best hackers on the

will be a bigger boon to hackers and to our nation’s

planet. I would eat my shoe on the Neil Cavuto

enemies than publishing our nuclear codes and

show if we could not break the encryption on

giving the keys to all of our military weapons to

the San Bernardino phone. This is a pure and

the Russians and the Chinese, our Government has

simple fact. So here is my offer to the FBI. I

chosen, once again, not to listen to the minds that

will, free of charge, decrypt the information on

have created the glue that holds this world together.

the San Bernardino phone, with my team. We will primarily use social engineering, and it will

The US Government has ordered a disarmament

take us three weeks. If you accept my offer, then

of our already ancient cyber security and cyber

you will not need to ask Apple to place a back

defense systems, and it is asking us to take a

door in its product, which will be the beginning

walk into that near horizon where cyber war is

of the end of America.”

unquestionably waiting, with nothing more than

CYBERCRIME | BENEATH THE SURFACE

Caribbean might be all it takes for our enemies to Here John McAfee gives his view:

harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly. Once created, the technique

73


f

e d k c Of a H

Lauri Love | Hacker

Hackers can turn off your pacemaker Lauri Love is a hacker. He is alleged to have infiltrated the websites of the United States Federal Reserve, NASA, the Environmental Protection Agency, the US Missile Defence Agency and accessed the personal information of 104,000 employees of the US Department of Energy. In June 2016 he faces a hearing which will decide whether he is extradited to the United States to face trial. The 30-year-old has Asperger’s and lives with his parents in Stradishall, Suffolk. Here, he warns that millions of us are sleepwalking towards a society where we can be spied on by our fridges and our toasters and where a teenage hacker could turn off your pacemaker for a prank. He argues the time has come for us to welcome hackers back into the mainstream of society and steer them on a course that makes the most of their talents.


Kids will always play pranks. In previous years the

records that racist conversation and

worst it might be was wrapping toilet roll around the

plays it to your boss. So there are risks

teacher’s house on Halloween. Now kids have the

emerging at a fast rate.

means to play pranks on a massive level.

So a 16-year-old kid somewhere around the

not possible yet, but give it a couple

world can find out the flight that the CEO of Sony

of years, and they will be. There are

Video Games is on and have that flight grounded

people already being spied on by their

because they make a bomb threat.

baby monitors. Somebody can get your

This might be good fun for them, but we

WiFi password from your doorbell

can’t live in a world where flights are arbitrarily

because someone decided your doorbell

grounded because kids think it’s funny.

needs to be on the internet.

We can’t really live in a world where

There is a twitter account

Xbox Live or Playstation gets bombarded into not

which is full of examples of

working on Christmas Day because some kid finds it

manufacturers taking an ordinary gadget

humorous.

that does a regular task and putting a

computer in it, but not realising it now

Eventually someone is going to think

it’s funny to turn off the electricity in a hospital.

does a whole lot of other things that

While these systems have some resilence, the

people might not want it to.

more connected, the more complex they get,

eventually somebody’s idea of a joke is not going

actors. Once something has been proven

to be funny in a very tragic way.

and there’s a big media storm over it,

We are getting to the point that we have an

unsustainable situation in terms of internet security.

We are addicted to the shiny things that

People are not always rational

they will react and stop buying it. But the media can’t keep up with the number of insecure things that are happening. So

technology allows us to do, things that were not

there will be people in the street I live on

possible before, things that are very alluring, but the

now who will be using insecure software,

risks are less transparent and they are often hidden.

but who just haven’t got the memo that it

So you can get a pacemaker, which you

is insecure - that’s because the people who

can control with software and that’s great, and it can

are actually interested in this stuff can’t

adapt to the patient’s heart rate. But now somebody

convey the message to the entire world.

can turn it off. If they just take the time to read

it and understand it and because somebody didn’t

internet have released advisories in the past

appreciate that you have to put in difficult, strong,

year for products of several well-known

robust security measures, somebody’s life has been

brands, running on software that could

put in the hands of one of these 15-year-old kids.

enable people to take over your computer

The more that technology infiltrates our

Some people I chat to on the

if the vendors made a mistake. But you

world, the more this will go on. We have the Internet

probably won’t have heard about it unless

of Things where your toaster has a webserver on it.

you read the tech blogs - and again not

Your fridge will keep stock for you and order more

everyone has the time to do that.

beer when you need it. But the people who make

fridges don’t know how to make secure software,

crash then people will be hesitant to

and the people who make toasters aren’t paid to

buy it (as with the cheating software in

understand that attackers can turn that toaster into

Volkswagen's cars) but for every product

a spy that listens to your conversations and then

failure you hear about, there’s nine or 10

informs your wife that you’re having an affair, or

you don’t.

If a product has a major car

CYBERCRIME | HACKED OFF

Some of these things are

75


The concept of the hacker has attracted

- but also in the sense that if you have a youth club

a lot of different connotations in recent years. It

you provide a place for children to congregate. If you

tends to bring up a lot of different associations

close that youth club because of budget cuts, children

in people’s minds. In the culture I’m in, it tends

are still going to congregate, but they’ll congregate

to be somebody who understands technology,

in the park and they’ll drink cheap cider and they’ll

likes technology and makes it do new things.

have teen pregnancies and get into drug abuse.

Tim Berners Lee, who created the World Wide

Web, was a hacker. But more recently, it also

that drives people towards a certain relationship

means a person who commits computer crime,

between their technological interest and their

which has more negative connotations.

abilities and proficiencies. Some people are doing

this a lot better than us, especially in the Nordic

I am a hacker. I like technology and I

would like to use it to make the world a better

So what you can do is facilitate a culture

and Baltic States.

place. I also believe there’s a lot to be done that

could help bring many of our brightest and best

right to take an interest in culture and we have a

kids back into society.

Culture Secretary for that. But online culture has

The first thing is for people in the

At the moment the Government is

developed faster than the Government can react,

Government to realise that you can’t prosecute your

because it is a large institution that takes time to

way out of this problem. Just like with the drugs

understand technology.

problem, people thought ‘If you arrest enough people

then they would stop using drugs’ and that didn’t

respond to technological developments than any large

work, although it has taken about 60 years for people

monolithic entity - so the Government struggles, and

to start realising this. Locking people up is not going

I don’t know if they will get better at it.

to help them.

So we must change the attitudes of people

Individuals are simply a lot faster to

Large corporations and private industry

accept that people will mess around with their

who are drawn towards experimentation because of

websites and find ways of hacking them. So they’ve

their curiosity. Most of what might be considered

come to the conclusion that if it is inevitable -

‘illegal hacking’ is conducted without any criminal

they’ll pay the same people to protect them, which

motive, any attempt to cheat or make malicious gain,

is easier them doing it than being hacked by some

but rather, it's the natural human desire and drive to

Eastern European cyber criminals.

understand the world in which we find ourselves.

These people could be drawn together in a

So they come almost universally to a

consensus behind models called ‘bug bounties.’

way that gives them an environment to develop these

Right now, today, you can go and hack American

skills so that they can be productively harnessed. (That’s

Airlines for free Airmiles, or you can get several

not to say we should be drafting teenage hackers to work

thousand dollars in hard cash from Facebook, or

in GCHQ to keep us safe from the terrorists).

Google, or Yahoo for pointing out exactly, and

Obviously school provision is not sufficient

clearly, where they screwed up.

and we could have more ‘hacker spaces’. I’d define

these as a self-organised space, where people come

next generation. This is something I’m exploring

together to work on different projects. It’s generally

now. I’m working with a start-up called My Hacker

a space where the rent is paid for by the people who

House - the idea is to build a space for people that

use it, or they will have some whip round.

might be apprehensive or have difficulties getting

The Government might even want to

Certainly we need to think about the

employment or cyber security training in the formal

consider sponsoring these places, seeing them as an

sense because they might be too young, or have had

investment in talent. This means not just bringing

run-ins with the law.

up people who could go on to work in cyber security

The idea is to give them a space to


have their talents nurtured in a less judgemental

environment but also with a bit of mentorship. On

people because we need them - and we are

the other side of the equation it means working

facing great challenges. The internet itself

with corporations and government to say what

is creaking and groaning and it needs to

can you bring to the table in terms of these young

be almost redesigned from the ground up.

talented people, and what can they provide the

The best analogy is that it’s quite easy to

Government in terms of security services.

build a ship. But once you’re in a ship it

There’s certainly a desperate need for help.

With luck we can harness these

is quite hard to redesign it when you’re in

Pretty much any large corporation realises it needs

the ocean. It is the same with shoring up

to spend money making things more secure, and it’s

the internet so it can cope with the ever

that bit between spending money and making things

increasing burden that is going to be put

more secure that is difficult at the moment.

on it by society.

It requires some of this talent - and

We need these people and we

there’s a lot of talent out there - so we need to build

need a system where they can reach

bridges. We need to create that space where people

their potential and avoid any friction

can come together and overcome some of the mutual

in the process. We also need people

distrust and find a constructive way to move forward

not to be drawn into either serious

- this is how I aim to nurture future talent.

financial crime or anti-social activities

Without doubt we have great, great

minds in the UK. They are at risk of not being

because they are the only people that take their gift seriously.

harnessed because the traditional system by which

people end up in particular roles in society hasn’t

build this better approach.

It’s a win-win situation if we

‘I am a hacker. I do like technology and I would like to use it to make the world a better place’

CYBERCRIME | HACKED OFF

quite caught up with this change in society.

77


To Protect And Serve We’re safer than we’ve ever been Dan Jones | Consumer Editor, The Sun

Crime is one of our biggest fears - and that doesn’t change when we log onto our computer or smartphone. Thankfully, cybercrime rarely ends in physical harm. But it can mean losing the contents of our bank balance or our deepest secrets being spilled. But how likely is that? And are things getting better or worse?

While crime figures are only just accounting for the

of a well-known company that has your email and

jump in cybercrime, it’s my view that online banking,

password - as happened with eBay in 2014.

shopping and communication are now safer than

they have ever been. For example, so-called two-step

other accounts because many of us use the same login

authentication where you confirm a log in with a

details across multiple accounts.

code sent to your mobile is a big help, and only a

But there are two reasons not to worry overly.

minor inconvenience.

Firstly, big hacks are less and less likely since

firms are quickly becoming aware that the reputational

More and more sites now encourage us to

They can then use these details to get into

come up with complex passwords and change them often.

damage can be crippling, so have upped security.

Yes, it can be annoying. But we must think

Second, if you follow the advice to have

of protecting ourselves online in the same way we

separate logins for all your accounts (which is

would in the real world. You wouldn’t leave your

admittedly annoying) then you avoid making yourself

windows open when going on holiday.

more vulnerable than you need to be.

As we all go online more or even for the

first time - to buy our shopping, to bank or get car tax or travel insurance - the incentive for crooks grows so they are investing more and more in finding loopholes.

It means there are more potential victims - and

in particular targets who are likely to slip up on security.

The good news is that with better and

better security, if you avoid simple passwords and make use of extra security measures you will be fine.

Sure, crooks could hack into the computers


CYBERCRIME | TO PROTECT AND SERVE

12 4 3 56

79


WHAT’S THE CATCH? Emma Watson | Vishing Scam Victim

Vishing and smishing scams


Sophisticated criminals have a host of ways of scamming consumers out of their hard-won finances once they have a few basic details, including 'vishing' (voice phishing) and 'smishing' (SMS phishing). Nursery owner Emma Watson became a victim when she was conned out of £104,000 last June after being duped by an official sounding call from the ‘NatWest fraud team.’ Emma, from Wandsworth, London, had recently received a large sum into her account - but was persuaded to switch money into new accounts in her own name by a fraudster.

Although the bulk of the money was sent to the

but none of the transactions had gone through.

accounts of other NatWest customers, Emma and

her husband Alexander were later told they stand to

I thought later that it sounded like somebody who

“It was very convincing. It was so professional

only get a fraction of the money back, unless they

genuinely had been working in that role for a bank.

take legal action against the receiving banks. Police

They must have studied it in minute detail.

admit the twin scams of extorting money by 'vishing'

(voice phishing over the phone) and 'smishing'

she asked if I had any joint accounts. I thought

(SMS phishing over text message) are rapidly

she had access to one, but wasn’t seeing the

increasing, while the number of stolen or fictitious

others. When I told her I did, she wanted to call

bank accounts opening doubled to 23,000 last year,

my father too who shares an account with me to

according to fraud prevention bureau Cifas.

let him know. So I gave her his number and she

rang him on a withheld number.

“When the call came, it sounded so genuine,”

"'Angela' went through my accounts and

Emma says. “It was my landline, which is a number I

rarely give out. The woman I spoke to said: ‘This is the

didn’t take calls from numbers he didn’t know,

fraud team at NatWest, I’m very sorry to say we have

so she told him to look at the back of his bank

detected some unusual activity on your account.

card and she would call back on that - the bank’s

“She knew my name and that I banked

“When she got through, he told her he

number - which she did.

with NatWest and told me her name was Angela. She

gave me the impression she was looking at my account

and said to me, 'What a lovely man.'

"She called me back after the conversation

information in front of her. It was the exact patter you

would expect from a bank call. She had a slight Scottish

computer fraud on my account and she would be sending

accent just like a NatWest call centre person would. There

out a new anti-virus CD with software that the banks

was none of those crackly lines and fumbling around.

themselves use, so I shouldn’t have any more trouble.

“She asked me if I had recently shopped

"'Angela' told me there had been some

“She warned me that because the fraudsters

at Argos and Tesco and I said ‘No, I haven’t’ and she

had my account details, I would need to move my

said: ‘Yes, I can see that you don’t usually shop there.’

funds. She said: ‘I’ll call you back in 10 minutes, I’m

“She said the bank had been alerted to

just setting up your temporary accounts.’

some attempted payments saying somebody had

made three separate attempts to take money from my

across, and also on the Saturday and on the Monday

“On that day, a Friday, I moved some money

account - first £1,000, then £600 and finally £400 -

morning. I did say to her at the time: ‘Why can’t the bank


just do this - why do I have to make all these transfers?’

called back to say ‘We’ve set the account

up so you can transfer the money in

a single transfer until the sum got down to a

now’ they were just queuing up people

certain amount.

to get ready to take it out, so as soon as

“I was under a bit of pressure with my

that money was transferred, they were

business and everything else I was doing at the

at the other end taking it out in Euros

time and I kept saying: ‘Isn’t there another way,

or Thomas Cook money orders for

because I’ve got all these calls every hour or so

several hundred pounds at a time and

and I’ve just go so much to do,’ and she reassured

the accounts were really in the name of

me that they would be able to complete the rest of

financial mules, who will move money

the transfer on Monday.

around, but often don’t want to help the

“So I transferred the money at £15,000

police.

and £20,000 at a time. It was deposited into about

six or seven accounts, but because they were all in

morning that the penny really began to

“It was only on the Tuesday

my name, I didn’t think there was anything wrong.

drop. Angela rang again, only this time, she

It was only later I discovered that the name of the

just said: 'It’s me' and she even yawned.

account makes no difference when the bank is

making a transfer. If it wasn’t in my name I would

doesn’t sound very professional and that’s

have asked a few more questions.

when I called my father and said ‘Can

you just get hold of the bank manager and

“I had a card reader and I put in a new

“I thought: Oh gosh, that

payee, which was in my name - as each account

make sure Angela is who she says she is -

had already been set up. They were fast-track

because she sounds slightly unprofessional?

payments - you put in your name, the account

But I still didn’t think she was a fraudster.

number it’s going to, and you confirm that with a

card reader and authorise it.

was meeting up with the architect to

“Obviously, I now know that when she

“Then that morning when I

talk about the plans for the nursery, he

‘I thought later that it sounded like somebody who genuinely had been working in that role for a bank’

CYBERCRIME | WHAT’S THE CATCH?

“But she told me the bank couldn’t make

83


told me he’d been listening to a radio programme

bank’s press office and it led to the full recordings

over the weekend about fraud. When I told him

of the calls being provided.

what had happened, he said: ‘No, that’s not the

bank stopping the fraud, that call was the fraud.”

£16,000 because it didn’t act fast enough when we

Emma’s father quickly made 11 frantic

“NatWest has since agreed to pay us

first alerted them. Meanwhile the Ombudsman

phone calls to bank call centres and numbers

has told the banks that they should repay a further

without being transferred to a fraud specialist

£15,000, but we want to get the whole amount

or even confirmed if there had been a fraud,

returned. We believe the bank is holding out

although on the first call he was told the money

because the issue of the names being checked on

was secure and it wasn’t a fraud.

transfers is a security failure and they would have to

“We had been trying to get to the bank all

pay out too much money to put it right.

morning and they had been giving us conflicting

“The banks also say verification of account

advice. Strangely the fraudster I had been speaking to

holders' names would never happen, because they just

sounded more professional than the actual NatWest

want fast payments - fast movement of money.

staff I was now trying to speak to.

come up as being the same as the account payee it

“It was shortly after that we went

“I certainly thought if the name didn’t

straight to our local branch in Esher and the

would have to match, but it didn’t. The name has no

manager confirmed there had been a fraud and

bearing on the transfer at all. They ignore it.

told us, ‘you won’t get your money back.’

“That was the worst point. It was

“That money represented years of saving

and our house, which we had taken money out of.

sickening. But I still thought, it can be traced -

it’s in my name, it can’t just go. There had been

been able to set up her nursery - Sapphires - in East

nine transfers in total - all NatWest and RBS

Molesey, Surrey after opening a crowdfunding page.

accounts and one to Santander.

“We still had hope and we spoke to our

“Thankfully,” Emma says, she has still

“It wouldn’t have been possible if it wasn’t

for the generosity of people around us. It was a long-

business manager in our bank in Bury St Edmunds,

standing plan to set up a nursery,”

which is where I’ve banked for 40 years and we were

given the advice from the manager that ‘if we can

executive, adds: “I’ve been looking for premises

prove it was a fraud and if the receiving banks agree,

for around three years and everything went into

then you will get your money back.’

it. It managed to happen because of the support of

“We thought we could easily prove that,

Emma, whose husband is a marketing

everyone around us.

but it turned out that we were wrong. We wrote to

“I think it will take us about five years

the bank managers and the fraud teams of all the

to pay it back - hopefully less - but it certainly has

receiving banks that the police informed us of, but did

shaken my faith in human nature.

not receive any letter of response from any of them.

my bank, my name and phone number and how there

“We were totally stonewalled by the banks.

“I will also always be curious how they knew

Finally we got through to a very senior executive at RBS,

was money in my account in the first place.

the owners of NatWest, but he didn’t have all the right

facts and there was clearly no proper file on our case.

hit by this kind of scam.

“The bank also failed to supply on

“I don’t know how many people have been “But I have since heard that several City law

request to the Ombudsman all the recordings of

firms have been hit for millions in money transfer scams,

our telephone calls, which we believe would have

and now transfer £1 first, so the account can be checked

showed the varying advice they gave to us.

before large payments are made.”

“Having shared our story with the BBC

Moneybox Program they followed up with the

NatWest Chief Executive Ross McEwan

later wrote to the couple to apologise and admit to a


delay in the bank’s response. The bank has refused

VISHING AND SMISHING

to say why it took longer than expected to stop the fraud, but pointed out Emma had transferred most of the money by her own free will, meaning the bank had no liability.

Vishing is an abbreviation of voicephishing. It cons householders into handing over their bank or card details over the phone. Smishing - short for SMS phishing - is a similar scam worked by text messages. They often combine several common factors. KEY DETAILS - The conmen and women have hacked or discovered enough to lead you to believe they are looking at your bank account. This is likely to include your name, address, phone number and bank details - just as a genuine call would have. WAR DIALLER - This is a computer program that can be used to dial all the numbers in a locality or area or in a single institution. It is commonly used by both hackers and scammers. Sometimes they will use a text or speech synthesizer to warn of fraud on a bank card, before keying in your details on a phone keypad. REQUESTS FOR QUICK ACTION Fraudsters press upon a need for fast action, which can lead to some people not fully questioning their actions. CALLER ID SPOOFING - Conmen can disguise or change their phone number to make you believe they are calling from an official organisation by using computeraided Voice Over IP techniques. HOLDING THE LINE - If you hang up, they can keep the line open. This way

CYBERCRIME | WHAT’S THE CATCH?

‘I will also always be curious how they knew my bank, my name and phone number’

urging you to call a spoofed number and

you are actually dialling straight back to the fraudster, while background or call centre noises can be faked. 85


Mum’s The Word Tony Neate | CEO, Get Safe Online - Interview with Ben Jackson

I’m like the Queen – I have two dates of birth Tony Neate is the Chief Executive Officer of Get Safe Online - the UK’s leading source of unbiased information on online fraud, viruses and identity theft. After a 30-year career in policing, including leading the fight against crime with the Hi-Tech Crime Unit and the Serious Organised Crime Agency, he reveals why he never puts anything online he wouldn’t tell his mother and why we shouldn’t fear a ‘fib’ on social media questionnaires. Are people too open online?

18 and was going to start work on the Monday. Then the press got hold of her social media and found things

Many people are very free online and in social

she had said when she was 14 and all of a sudden she

media sites - they put everything on there. "Hello

hadn’t got a job. (Her twitter account where she posted

my name is Tony Neate - this is where I live, this is

more than 4,000 messages, included references calling

my place of birth, this is a picture of me drunk in

homosexuals ‘fags’, immigrants ‘illegals’ and travellers

the gutter, oh and by the way I hate my bosses, and

‘pikeys’, and included a tweet saying: “I really wanna

these are the people I speak to." We put it out there.

make a batch of hash brownies.”)

Your first rule online should be, if you wouldn’t say it to your mother, or a policeman, don’t say

How do you go about keeping your details private

it online. That’s the way it’s got to be. We’ve got

on social media?

to watch what we say to other people and we’ve certainly got to watch our photographs. My mantra,

especially when I talk to kids about this issue, is

birth. My real date and then the date of birth I use

"What goes online, stays online."

online. I don’t want to use the word ‘lie’ because

They need to know that if they go for a job

I’m like the Queen. I have two dates of

it’s not a lie exactly, but in the same way, when I’m

with the police and even some big businesses now -

asked to give my mother’s maiden name, I don’t. I

they will ask you to sign a form to get permission to

always give the same name, but it’s not my mother’s

look through all your social media first. So you need

maiden name because that can be discovered. You can

to be careful what you do and be careful what you say

go to ancestry.com and you can find that out.

online, because we build up a history of ourselves.

Take the example of Paris Brown. Paris was

the UK’s first youth and crime commissioner. She was

British people are very obedient, so when

there’s a form that says: ‘Where do you live,’ ‘What’s your date of birth? ‘What are your hobbies?’,


we fill it out. But we certainly don’t have to. Certainly on

offline for two weeks and gave them

social media sites, we don’t have to be as truthful as we

training in secure code, because it’s

would be otherwise.

what they had to do. That’s a lesson everyone should be making.

How should parents deal with that issue?

I’ve been banging the drum

for 15 years about people being more

We should talk about security together.

secure online, saying: “Look after your

When my children were young I got them bikes.

passwords, secure your internet,” but then

They each had a helmet, they had lights that

sometimes companies give it all away.

worked and brakes that were tested. Now, in the

same way, we should sit down with our children

Hi-Tech Crime Unit where I was head

and go through their computer security. Show

of industry liaision, I discovered some of

them what you’re doing and it might be that

the most secure companies were porn and

they know what to do better than you.

gambling, because if they lost personal data

When I was in the National

that was it for them. I saw that if they lost data, they wouldn’t sack someone. They

‘What goes online, stays online’ Are our problems with cyber security getting bigger?

would employ three more people to work with them. That was their attitude, security

Probably, yes. If everybody did the right

was the be-all and end-all for everything

thing and put the right security on their computers

that they did. That’s the attitude we have

two or three years ago we would hardly have

to have for everything we do and every

anything. But now we have the social engineering,

industry has got to do it as well.

the telephone calls, the emails purporting to be

from someone, the spear phishing that targets

yet. We say to some of these companies

individuals. Previously you might have had

that they have got to use Get Safe

received a phishing email, saying 'Dear Client,

Online. They have got to use a trusted

Dear Sir, Dear Customer', but now it’s more likely

independent organisation with integrity

to start ‘Dear Tony.’

that is going to tell them the truth.

What about the security of firms we give our

Have consumers woken up to the

information to?

threat of cybercrime?

Absolutely. We should also be secure

We haven’t reached that stage

Certainly individually and as

in our networks. It should be built-in at source

companies, people have to start taking

security. It’s not an add on. When Microsoft first

it more seriously. More and more

looked at their operating system - eight or nine

people are going online. Around 1.5

years ago - they took every one of their developers

trillion will be spent online this year

CYBERCRIME | MUM’S THE WORD

87


and three billion people will be online by the

TONY’S ‘GET SAFE ONLINE’ TIPS TO STAYING ONE STEP AHEAD

beginning of this year.

It’s what the gangster said in America

when he was asked why he robbed banks “Because that’s where the money is,” and that’s what’s happening online – from opportunists all the way up to serious crime. We still have people who break into houses. People still break into cars. Crime is crime. People will keep doing it - and we’ve got to make it harder for them. Is the Internet something to fear?

We have to be one step ahead of the criminals

and not one step behind. We’ve achieved that to date and the reason is that we all still go online.

If every time you went online you were

defrauded, you were bullied or you were scammed, you wouldn’t do it anymore. When you park your car at a certain carpark and every time you park there it gets broken into, you stop parking your car there.

The internet’s a fantastic place, it’s great and

we’ve all got to be on it, so let’s make ourselves secure!

PASSWORDS

You’ve got a number of keys and you need a

number of passwords. My advice is: “Write down the clue to your password in a notebook. I used to use my uncle’s dog’s name and my clue was ‘Uncle Brian’s dog’. Uncle Brian died 10 years ago and his dog died 20 years ago. So if anyone can work out who Uncle Brian was, never mind who his dog was, then good on them. That’s the type of thing we’ve got to do.”

A password phrase is great if the website

allows you to do phrasing, but if the site only allows you 10 characters, you can always pick a phrase you know - like ‘Tramps like us, baby we were born to run’ and take the first character from each word to get ‘tlu,bwwbtr’. You could also consider using a password creator, like: https://identitysafe.norton. com/password-generator.

Avoid substituting obvious numbers for

letters, like a 3 for an e, as criminals are wise to it, or ending your password with the numbers 1-10 or the months of the year when you have to change them regularly - if someone already has the first 99% of the password, it’s not difficult to get the rest. PASSWORD SAFES

I use a combination of two or three really

tough passwords and a password safe. But you’ve got to remember the master password. It’s like losing blood when you’ve lost that password – because it’s like losing everything else. You need to make sure the password is safe and is from an accepted and trusted source - but remember nothing is 100% in this world. SECURE WEBSITES

There are two easy ways to check a website

is secure before entering your password or credit card details. The web address ends with ‘https:’ the ‘s’ at the end stands for secure - meaning extra


WEB SEARCHES

encryption for communication between computers has been added. A padlock symbol is visible at the

Avoid ‘pharming’ by checking

side of the browser window when you log in or

the address in your browser’s address bar

register. If the padlock is on the page itself, this is

after you arrive at a website to make sure

probably a fraudulent site. Make sure you also check

it matches the address you typed. This will

for misspellings, additional words or unusual website

avoid ending up at a fake site even though

addresses, which may be a clue to a fake site.

you entered the address for the authentic one – for example ‘eebay’ instead of ‘ebay’.

AVOIDING RATS

It is more and more common for criminals

Website owners often have

a digital certificate that has been

to use spyware called a RAT – (otherwise known as a

issued by a trusted third party, such as

remote access trojan). This can allow your computer or

VeriSign or Thawte, which indicates

mobile device to be used to spy on you. This is known

that the information transmitted online

as ratting. A RAT can be downloaded with an email

from that website has been encrypted

attachment, but won’t show up in your lists of programs.

and protected from being intercepted

They can take control of your webcam and use the video

and stolen by third parties.

they take for blackmail or other purposes. So it's wise

to download updates to your programs and apps when

you do not know, look for an Extended

prompted to do so, because they often include security

Validation (or EV-SSL) certificate.

fixes.

Clicking the padlock symbol in the

Take great care about which links you click

on to and which emails you open even from people

When using websites that

browser frame will launch a pop-up containing the details.

that you know - and cover your webcam when not in PHISHING

use, whether it is a built-in or clip-on device.

Ensure you have effective and updated

Scam emails often pretend

to come from banks, credit card companies, online shops and other trusted

antivirus and antispyware software and a firewall,

organisations. They try to trick you into

particularly for Microsoft and Android phones, and

going to the site, for example to update

remember if you’re not using a secure web page, don’t

your password to avoid your account

send or receive private information on public WiFi.

being suspended. The embedded link

Business people wishing to access their corporate

in the email itself goes to a website that

network should use a secure, encrypted Virtual

looks exactly like the real thing but is

Private Network (VPN).

actually a fake designed to trick victims into entering personal information. Most

CONTACTLESS PAYMENTS

Contactless fraud is still at a low level. It uses

Microsoft and other email clients come with spam filtering as standard. Ensure

something called Near Field Communication. If your

yours is switched on. You can also allow

phone uses this technology make sure it is locked by a

filters to be set to allow emails to be

PIN, which you should change regularly. Always check

received from trusted sources.

your bank statements to ensure payments have not been taken from your account and ask your bank who

CYBERCRIME | MUM’S THE WORD

PUBLIC WI-FI

holds liability in the event of an incorrect payment. For the really determined, you can use foil, or special card sleeves, to protect the cards in your wallet.

89


THE ALPHA THREAT Glossary of terms


AS4808: A Chinese network associated

Clone phishing: The modification of

with major spying campaigns, including

an existing, legitimate email with a false

breaking into 1,000 Hotmail accounts.

link to trick the recipient into providing personal information.

Blackshades: A malicious virus software used by hackers to control computers

Denial of service attack (DoS): Used to

remotely, including accessing the webcam

take a website out of action. The attack

and logging keyboard strokes. It targets

sends so many content requests to the

Windows-based operating systems. US

site that the server overloads. Some have

officials say over 500,000 computer

described such attacks as the Internet

systems have been infected worldwide

equivalent of street protests and some

with the software which was being sold

groups, such as Anonymous, frequently

for $40. The FBI arrested 100 people who

use it as a protest tool.

Brute force attack: A brute force attack

Distributed denial of service attack

is an automated search for every possible

(DDoS): A DoS using a number of

password to a system. It is an inefficient

separate machines.

method of hacking compared to others like phishing. It’s used usually when there is no

Doxing: Discovering and publishing

alternative. The process can be made shorter

the identity of an otherwise anonymous

by focusing the attack on password elements

Internet user by tracing their online

likely to be used by a specific system.

publically available accounts, metadata, and documents like emails.

CYBERCRIME | THE ALPHA THREAT

had downloaded the virus in 2014.

91


E-crime Virus: A bogus email purporting

means of a wireless chip containing the

to be from the Metropolitan police or US

user’s payment card details, embedded in a

Department that states: “This computer

mobile phone or on a payment card.

has been locked due to illegal activity” before demanding a ransom.

Offences: Cybercrime can be defined as offences committed against individuals

Firewalls: Personal firewalls -

or groups with a criminal motive to

sometimes known as ‘software firewalls’

intentionally harm the reputation of

or ‘desktop firewalls’.

the victim or cause physical or mental harm or loss to the victim, using modern

Grey hat hacker: Someone who breaks

telecommunication networks such as the

the law in the pursuit of a hack, but does

Internet (Chat rooms, emails, notice boards

not do so maliciously or for personal gain.

and groups) or mobile phones.

Hacktivist: A hacker whose goals are

Paste Bin: The first signs of an online

social or political.

service being compromised is often when attackers publish part or all of the hacked

IRC: Internet relay chat, a protocol used

data on this site.

by hackers for one-on-one conversations to communicate or share files.

Pharming: ending up at a fake site even though you entered the address for the

Jurisdiction: What makes cybercrime

authentic one.

detection so hard to enforce. Quarantine: Where anti-virus software KVM: A keyboard video mouse. A gadget

stores a virus.

which fits into the back of a bank's cash machine to allow a thief to transfer cash

Ratting: Remote Access Trojans (RATs)

from its computer systems while he sits

are usually invisibly downloaded with a

at home.

program requested by you – for example a game – or an email attachment. They

Logic Bombs: A device, virus, or

are often used to take control of webcams

programme designed to cause damage at a

with the objective of the resulting video

time of the attacker's choosing.

or images being used for blackmail or inappropriate uses.

Malware: A software program designed to

Script kiddie: A would-be cracker

hijack, damage, or steal information from

without technical skills. Script kiddies use

a device or system. Examples include

purchased or downloaded cracking tools to

spyware, adware, rootkits, viruses and

attack systems and deface them, often just to

keyloggers. The software can be delivered

appear cool to their friends.

in a number of ways, from decoy websites and spam to USB drives.

Social engineering: Conning people into giving you confidential information, such as

Near Field Communication: Otherwise known as contactless payment. Works by

passwords to their accounts.


Spoofing: Altering the header of an email so that it appears to come from elsewhere - like a bank. Trojan: A Trojan is a type of malware that is disguised as a desirable piece of software and usually installs a back door in the infected machine. United States Cyber Command: Synchronises defence of US military networks Vishing: Voice phishing - fraudulently obtaining personal details by phone, often having already hacked or intercepted personal information Whaling: Spear-phishing that targets the big fish in companies for higher gains or to cause maximum embarrassment. Waking Shark: Bank Of England investigation into the cyber security of Britain’s banks. Xbox and Playstation networks were both taken offline in attacks by a group of hackers called Lizard Squad - who included a 13-year-old.

major source of revenue for the world’s top 5 crime gangs - Solntsevskaya Bratva (The Russian Mafia) Yamaguchi Gumi (Yakuza), Camorra (Naples-based mafia) 'Ndrangheta' (Calabria-based mafia) and the Sinaloa Cartel, Mexico’s largest drug cartel. Zero day exploit: A zero day attack is a previously unknown vulnerability in a

CYBERCRIME | THE ALPHA THREAT

Yakuza: Cybercrime is becoming a

system. It is the first such exploitation of a weak spot by a hacker. 93


The Brewery | Cybercrime  
Read more
Read more
Similar to
Popular now
Just for you