CYBERCRIME | THE BREWERY
THE BREWERY JOURNAL
Editor in Chief
For any Brewery Journal enquiries contact: firstname.lastname@example.org

The Brewery Journal is published by The Brewery at freuds. The Brewery at freuds is a strategic communications consultancy. We partner with corporations, brands, governments and individuals to build and protect reputation and help them to better connect with the world around them. The Brewery at freuds was founded on the belief that good communications can make the world a better place. We exist to raise that bar.

THE BREWERY DIRECTORS
Managing Director: Dr Arlo Brady
Issues and Crisis: Eleanor Coates
For new business enquiries contact: email@example.com | www.thebrewery.com
For general enquiries contact: firstname.lastname@example.org
Follow freuds: @insidefreuds | www.freuds.com
freuds, 1 Stephen Street, London, W1T 1AL
Copyright © The Brewery (London) Ltd 2016. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage or retrieval system, without the prior permission in writing from the owner. The greatest care has been taken to ensure accuracy but the publisher can accept no responsibility for errors or omissions, nor for any liability occasioned by relying on its content.
CONTENTS
Editorial
The Online Frontline - Dido Harding | CEO, TalkTalk
The Year Of Living Dangerously - 12 Months of Internet Attacks
Digital Defenders - Ciaran Martin, Director-General of Cyber Security & Dr Ian Levy, Technical Director of Cyber Security, GCHQ
Villains Of The Piece - Adrian Leppard | Retired Commissioner, City of London Police and Director, Templar Executives
Stealth Management - Dr Adrian Nish | Head of Cyber Threat Intelligence, BAE Systems
Cat Burglars - Dr Liam Fox MP | Conservative Party
Crime Hoppers - Chi Onwurah MP | Shadow Culture & Digital Economy Minister, Labour Party
Cybercrime Statistics
Not Kidding - Mary Aiken | Cyberpsychologist and Professor of Cyber Analytics
The Strong, Silent Type - Janis Sharp | Mother of Gary McKinnon
Space Invaders - Mum of 13 Year Old Schoolboy
Duck And Cover - Luke Harder | Hacker, Anonymous
The Codemaker - Phil Zimmermann | Silent Circle and Blackphone Coder
Beneath The Surface - John McAfee | Creator of Anti-Virus Software
Hacked Off - Lauri Love | Hacker
To Protect And Serve - Dan Jones | Consumer Editor, The Sun
What’s The Catch? - Emma Watson | Vishing Scam Victim
Mum’s The Word - Tony Neate | CEO, Get Safe Online
The Alpha Threat
Glossary of Terms
EDITORIAL

Never before in human history has technology wrought such a rapid change in the way we live as the internet has achieved in a couple of decades. Most remarkable about this shift is the way in which it has inserted itself into nearly every aspect of our lives. We now communicate online, shop online, find partners online and work online.

As a result we now share intimate and important details about our personal and financial lives with a wide variety of companies and organisations. We do so because of the exciting new opportunities that this sharing makes possible, but it does also include an element of risk.

Criminals of all kinds – individuals, organised crime syndicates, state sponsored groups – have followed us onto the internet, and are seeking to obtain our information and use it for malicious ends. We are therefore all of us – consumers, companies, and government agencies – engaged in what Liam Fox describes in this Journal as a hidden war.

The true nature and extent of the threats, and the ways in which we can counter them, are evolving daily. This Journal explores that battleground, with contributors from both sides of the conflict. It offers comprehensive analysis of the problem, a variety of proposals for tackling it and consideration of the motivation of those seeking to obtain our information.

The war against cyber criminals is ably described by Adrian Leppard, the departing head of the City of London police and, in an unprecedented interview, by two senior figures from GCHQ. The private sector war on hacking is illuminated by Dr Adrian Nish from BAE Systems, Phil Zimmermann from Silent Circle, and John McAfee, the creator of the eponymous anti-virus software.

Politicians including Dr Liam Fox and Chi Onwurah share their political and personal perspectives. Tony Neate from Get Safe Online offers individuals some advice on staying safe, while Dido Harding, Chief Executive of TalkTalk, does the same for the corporate community.

The views of the hacking community are represented by a contributor from the organisation Anonymous and by Lauri Love, who faces extradition to the United States for allegedly hacking NASA and the US Defence department, among others. The motivation that drives hacking is explored by Mary Aiken, professor of Cyber Analytics, and by Janis Sharp, the mother of so called ‘No.1 Black Hat Hacker’ Gary McKinnon.

The Journal has been produced by freuds in collaboration with TalkTalk, who, like nearly every major UK company, have themselves been the victim of hackers. Its intention is not to provide the final word on the subject because, like conventional criminal activity, this is not a war that can ever be won, but in a civilised society it’s necessary that the forces of law and order stay ahead of those seeking chaos and criminality. That will only happen with cybercrime if all interested parties share information and ideas openly and without prejudice.

The picture that emerges from what is the most comprehensive look yet undertaken at the war against cyber criminals is one of cautious optimism. We are as a society placing more and more sensitive information online, but we have also now awoken to the need to protect it. Hackers are clever, but disorganised. The right combination of sensible personal decisions, corporate investment and government intervention has the capacity to tip the scales in favour of the forces of law and order. But such optimism is only justified if we act together, decisively, now, taking the problem as seriously as it deserves, and implementing some of the compelling recommendations found in this Journal.
The Online Frontline
Dido Harding, CEO, TalkTalk

We all have a responsibility to protect ourselves against cybercrime

As the CEO of any business will tell you, there are good times and bad times. On a good day you deliver something for your customers, like Homesafe, which when we introduced it was the first free filtering service that put parents back in control of the content their children see online. Then there are bad times; days where you ask yourself: ‘what could I have done differently, what do I need to do differently now?’ In all my years in business, October 2015 will stand out as one of those times.

In October 2015, TalkTalk was hacked. Like most large corporates, we successfully defend against cyber attacks every day; this was the first to succeed. It wasn’t initially possible to tell how much data had been taken, nor which customers had been affected. But we knew an illegal raid on our online estate had taken place, and we knew we had to let people know, so they could protect themselves. Over the following days, weeks and months, we would wrestle with this unfolding situation in the full glare of the media spotlight, learning as we went the harsh realities of an event which had hitherto been a theoretical ‘risk’.

There were some tough lessons for TalkTalk - things I believe in hindsight we could have done differently, and which we are fully facing into now. There were also things we came to realise were simply not well known or understood generally across business, consumers, or the media. Even government and law enforcement are racing to get a grip on this rapidly evolving threat.

I am determined, to the greatest extent possible, to share what we learned (the good and the bad) in the same spirit of transparency and openness with which we approached the cyber attack itself. That’s one of the reasons I am pleased TalkTalk is able to support this Journal. What happened must be both a critical driver of change for TalkTalk, and also a wake-up call for every other business which believes it can’t, or won’t, happen to them. The reality check for many of those companies is: it probably already has.

Perhaps the most important lesson for me is a real acceptance that of course the digital world has a dark side, just like the physical world.

Telecoms companies like TalkTalk are passionate champions of the digital revolution. But like everything in life, this comes with risks as well as rewards. I have come to understand that nobody in business is yet spending enough time or money thinking, worrying or talking about the anti-social and criminal ecosystems that have naturally evolved along with the online world. Centuries ago, we began to civilise our society, with values, ethics and laws; but we are only just beginning the digital equivalent of that process.

As with crime on the streets, we’re now engaged in a war online - against criminals who seek to steal our information and use it against us. This activity comes in different forms: from nation states and organised gangs, to misguided young people in high-stakes games of digital ‘dare’. We must start recognising it, and tackling it, with the same determination as we do crime in the physical world.

Part of the problem is that nobody expects it to happen to them. And no-one (myself included) knows enough about it. Business leaders, governments and charities are largely not digital natives. Unlike teenage ‘script kiddies’, growing up immersed in technology, we’ve had to work out how to live in this new world.

Because it’s a complex, technical area, the temptation is to allow cyber security to operate in a silo within a business. While many companies say it’s a board-level issue, in reality that often means CEOs wanting to be told by their Chief Technology Officer that everything’s under control, that ‘we’re safe’. The troubling reality is that there is no such thing as totally safe. Any Chief Technology Officer who says otherwise is part of the problem. The only way to be completely protected is to stop all online activity.

So whilst we can never be totally ‘safe’, both individuals and businesses can change the way we perceive and handle the risks. As a CEO, I have learned that the right question is not ‘Are we safe?’, but ‘What risks are we taking and what could be done to mitigate them?’ That doesn’t require a PhD, nor a knowledge of coding. You just need to be unafraid to ask the important questions. And if risk is being approached and discussed differently in boardrooms after what happened to TalkTalk, that can only be a good thing.

The next issue is that when it happens, nobody talks about it. In the weeks following our attack, we were supported by several highly experienced security and law enforcement organisations, all of whom presented the same fact: it is far more common than anyone likes to believe, or to admit.

The reality is that the problem is growing exponentially worse. Nine out of ten large UK businesses have suffered a security breach, yet the vast majority of these go unreported. Add these Government figures to the 200 ‘major incidents’ GCHQ handled each month over the summer of 2015, and it’s clear that what happened to TalkTalk was not a rare, one-off occurrence. The difference is that we chose to make it public.

Some see this as a controversial, even naive, decision. Of course it’s tempting as a CEO to get yourself to a place where you believe it’s unnecessary, or won’t help. But going down that route will only destroy customer trust and perpetuate the problem. Faced with either warning all our customers early so they could protect themselves, or waiting (in the end it took two weeks) before we could isolate who was affected and in what way, I firmly believe we made the right choice.

That decision came with consequences, both financial and reputational. But I hope any Chief Executive faced with this choice in future will take courage from this fact: all independent brand metrics and customer feedback we have tell us we benefited from doing the right thing. The topline message from customers is that yes, they’re worried about their data; but they don’t think what happened was our fault, and they appreciate how we dealt with it.

In fact, over and above any other factor, it’s the honesty and openness with which we approached the cyber attack which shaped customers’ attitudes to what happened. It was that decision which provided the foundations on which we are now rebuilding their trust, and which will enable TalkTalk to emerge from what happened a stronger and better business.

But being honest in admitting that the cyber threat is growing doesn’t mean conceding defeat. There are things we can do to fight back.

We can dramatically ramp up both reporting requirements for companies which have experienced a data breach, and fines for employees caught committing a crime of this nature. Current rules mean that the vast majority of these incidents go unreported – customers simply never know. This leaves them vulnerable to scammers and criminal gangs from the moment that data is stolen. Over the long term, it also risks undermining customer confidence in the digital economy altogether. Transparency has to be our friend in this fight. A reformed reporting system, with proper sanctions, is a good start.

We can also ensure businesses, government and law enforcement have a clear, streamlined approach to planning for, and handling, these incidents. The Government’s announcement of a one-stop shop ‘cyber hub’ will vastly improve the current system, where businesses which have suffered an attack are faced with a multitude of different agencies, with diverse objectives and protocols.

As a telecoms company, TalkTalk was fortunate in having strong links with several government agencies which were able to provide useful first points of contact. This is not the case across all sectors, or sizes of business.

Companies can also do much more. More management time, more investment, greater transparency, a different approach to risk. These are all hard earned lessons for TalkTalk, from which I hope other companies will benefit.

Some companies, like telcos, can actually offer products which keep customers safe and make it harder for criminals to target them. For example, the sheer amount of data now online means customers are ever more vulnerable to data-related fraud. Often (as was the case with TalkTalk) what the criminals get hold of is not enough on its own to steal from a customer. But it might be enough to scam customers into handing over their money themselves. Telecoms companies can block these scam calls and emails at source, and provide privacy and safety features for customers to protect themselves. But for the last two years, TalkTalk has been the only provider offering these services for free. We now block around 70 million scam calls each month. Some providers are following suit and offering these services free of charge. But the vast majority still don’t, and I would very much like to see this become an industry-wide commitment.

No technology solution is ever perfect though. So arming customers with better information about the tactics criminals use, and how to stay safe, is also critical. We all need to think about changing our behaviour. For instance, we’ve all clicked ‘remind me later’ when our applications ask us to update the software. But without these updates, our systems become vulnerable to evolving security threats. Another example is the need to start treating people online or on the phone as we would face-to-face. When someone phones up purporting to be from an organisation, we must learn to view them with the same degree of healthy suspicion as if they’d knocked on our door.

But this isn’t a purely defensive game. It’s time we took the fight to criminals. Last year, the Chancellor committed to giving our police and security agencies the resources they need to find, disrupt and prosecute the networks behind attacks. We should support that. It’s time to shine a light on those currently hiding in the shadows.

The combined effect of these endeavours should ensure that the internet does not become a digital Wild West, but instead operates within the legal, moral and social framework of a civilised modern society. Even after everything that I have learned and experienced in the last few months (or perhaps because of it), I remain optimistic that we can do it. Of course it won’t be perfect, because human beings are not perfect. But a civilised digital society is possible and I’m determined that TalkTalk plays its part in helping us get there.
The Year Of Living Dangerously
12 months of internet attacks

In just the past year at least 130 million people have had their personal data breached or hacked - including tens of millions in the UK and hundreds of millions in the USA.

2015

• US health insurer Anthem discovers a major breach of its database which hackers have combed through for names, social security numbers and birth dates of over 78 million people.

January

• Online greeting card service Moonpig suspends its app after claims a security flaw allowed access to any of its 3.6 million customer accounts.
• The US Scout Association is told its database, which holds the contact details of 450,000 youngsters and volunteers, is ‘insecure.’
• Uber reveals that 50,000 drivers’ names and licence plate numbers across the United States have been made public after a hack on the cab-hailing service. US site Motherboard reported thousands of drivers’ details were available on the Dark Web for $1 a time and many phantom trips were charged to other account holders.
• A database of parking ticket details for almost 10,000 motorists is published online by PaymyPCN.net, which has a direct link to the DVLA.

May

• The social security information of 21 million people is stolen after the US Office of Personnel Management is hacked. The personal information of all federal employees, their social security numbers, employment history, health, criminal and financial history is all included. The New York Times blames the attack on Chinese hackers.
• Around two million customers of Vivastreet, the owner of Mexican classified site Vivanuncios, are revealed to have had their emails, passwords, phone numbers, postcodes and IP addresses exposed prior to the site being bought by eBay.
• British Airways says hackers have accessed 10,000 frequent flyer accounts. The firm maintained no personal information had been viewed or stolen, but froze all affected accounts.

June

• JD Wetherspoons, the FTSE 250 firm and chain of 950 pubs, has its database of 656,000 customers hacked - although it claims the details of just 100 customer credit cards are revealed. The attack was only discovered in December.
• Health insurers including Premera Blue Cross, CareFirst BlueCross BlueShield and Excellus Health Plan reveal breaches that have affected 22 million people stretching back to March 2014. American investigators believe China targeted insurers in the US to see how medical coverage and insurers are set up.
• Barclays agrees to pay out half a million pounds in compensation after losing a USB stick containing personal data of about 2,000 of its customers. It offers them £250 each. Data, including jobs, salaries, debts, insurance, mortgage and passport details and national insurance numbers, were in the hands of at least one fraudster for seven years.
• PwC find nearly nine out of 10 large organisations now suffer some form of security breach – suggesting that these incidents are now a near certainty.

August

• Hackers release details of 1.2 million accounts and 25 gigabytes of company data from Ashley Madison - a website that helps users have extra marital affairs. The data includes 1,200 Saudi Arabian email addresses where adultery can be punished with death. The same month a pastor and professor at the New Orleans Baptist Theological Seminary commits suicide citing the leak that had occurred six days before. Users whose details were leaked are filing a $567 million class-action lawsuit. Analysis showed that '123456' and 'password' were the most commonly used passwords.
• Mumsnet co-founder Justine Roberts is hit in a ‘swatting’ attack that saw an armed police response team sent to her house. The parenting website was also targeted in a distributed denial of service attack. A group calling themselves @DadSecurity claimed to be behind the attacks.
• Carphone Warehouse admits the encrypted data of 90,000 people may have been stolen, the firm warns its 2.4 million customers after a sophisticated attack.

September

• The details of thousands of Lloyds Bank Premier account holders are revealed to have been lost after a data storage device is reported stolen. The data affected customers with Royal Sun Alliance emergency home cover on their premier account between 2006 and 2012.
• UK government agencies and banks feature highly on a ‘hitlist’ of 385 million email addresses that has been used by cyber criminals to spread the Dridex
• 157,000 TalkTalk customers’ personal details are accessed with more than 15,600 bank account numbers and sort codes stolen. The firm said 4% of customers had sensitive data at risk and warned them to protect themselves from scam phone calls and emails. Five men, including an 18-year-old from South Wales and a 20-year-old from Staffordshire, were arrested and are on bail until March (2016).
• The British Gas emails and passwords of 2,200 customers appear online. The company writes to those affected to apologise.
• Pharmacy2U is fined £130,000 for a data breach that saw the company try to sell the names and addresses of 20,000 customers to marketing companies without telling them.
• Hackers access the details of 1,837 Vodafone customers along with customers’ names, mobile numbers, bank sort codes, and the last four digits of their bank accounts.

November

• Hong Kong toymaker VTech has 727,000 children’s profiles and 560,000 parent profiles hacked; the breached accounts included selfies and audio recordings. The hack was first revealed on the website Motherboard, by a man who claimed he wanted to expose the firm’s ‘s***ty security.’
• British payments company Paysafe admits details of 7.8 million customers were hacked. The listed company, formerly known as Optimal Payments, admitted the customers had their accounts hacked between 2009/2010. It said limited data was taken that didn’t include passwords, card data, or bank account information. It said 1,500 people had lost money, but had no reports of other losses.
• US online takeaway service Hungry House is hit by a data breach and resets the passwords of 10,000 customers.

December

• The BBC is hit by a denial of service attack that locked millions out of iPlayer and live streaming and radio for three hours.
Digital Defenders Ciaran Martin, Director-General of Cyber Security & Dr Ian Levy, Technical Director of Cyber Security, GCHQ - Interview with Ben Jackson
GCHQ v The Winged-Cyber-Ninja Monkeys One of the Government’s most secretive intelligence agencies is emerging from the shadows for the first time. For almost 100 years the ‘listening agency’, GCHQ, has uncovered vital information from decoded messages, detected threats through phone calls and emails - and increasingly - protected the UK from hostile cyber attacks. Now, in an unprecedented move, two of its most senior staff have agreed to be jointly interviewed to explain their wider mission to help guide firms
CYBERCRIME | DIGITAL DEFENDERS
and the public in the fight against cybercrime.
The Government’s communications agency could
services of the agency whose work has largely
never be accused of overdoing the branding. The
been kept from the eyes of the public for the best
address for our interview is an anonymous door,
part of a century.
beside a coffee shop, on an anonymous London
street. No sign indicates to passers-by the line of
inform and help,” Ciaran says. “There are some
work of anyone who might pass inside - or even if the
extremely sophisticated threats out there which
building is in use at all.
are matters of State and we are expected to act as
defenders of the State for the Government and areas
Inside an empty entrance hall betrays no
“There is much more expectation to
further clue to our location. The single exception is a
of crucial national infrastructure.
line of grey lockers along one wall. In this building
at least, the agency sometimes described as the UK’s
out for the cyber health of the UK,” he says. “It
‘digital spooks’, would prefer you to check in any
requires us to get out there and talk to people.
phones or recording devices beforehand.
allow millions to deal with the low level threats, leaving
Upstairs, on the first floor of this 1930s
“But our new role will also involve looking
“GCHQ needs to ‘project and amplify’ to
office block is a sparse room with a boardroom table
GCHQ to deal with the biggest, nastiest threat attacks -
and three disconcertingly large video monitors,
what the agency call advanced persistent threats (APT).
where two of Britain’s most senior GCHQ staff
make themselves known. Both are so utterly
threats and what we like to call those from ‘adequate
different that any preconception of this as a bland,
pernicious toe-rags,” Ian says a touch more frankly.
but secretive, civil service disappear quickly out of
the carefully-lined window.
of all kinds in the UK is on the rise. Robert
Hannigan, GCHQ’s director, has confirmed: “The
First into the room is Ciaran Martin; tall,
“We generally divide it into advanced
The number and scale of cyber attacks
measured and thoughtful with a dry wit - a former
organisation detects a wide range of cyber attacks
high-ranking Cabinet Office and Treasury official, he
every day. The threat is growing in number,
is the agency’s director-general of cyber security.
sophistication and impact.”
The second is Dr Ian Levy, bearded,
The Chancellor George Osborne revealed
more casually-dressed and outspoken, the technical
in November that GCHQ deal with 100 cyber
director of GCHQ’s cyber security mission. An
national security incidents a month - twice the
expert in his field, he once previously described
rate of the year before.
himself as ‘the evil Cheltenham security geek’ when
presenting a paper - hilariously called ‘Fighting
(an archive of hacking attacks),” Ian says. “It tells you
The Winged-Cyber-Ninja Monkeys’ - to industry
how many departments with a .gov.uk address have
professionals after describing the original title of
been hacked in the past year. At last count there were
‘cyber security’ as frankly too boring.
around 1067 - that’s not on!”
In a world where both their identity and
“Have a look at a website called Zone H,
Attacks on the private sector have also
their work has been secret for so long, the pair are
risen quickly, but Ian adds a note of warning. “A
gently stepping into the role of explaining some of
lot of the costs of an attack on business are often
what this long secret agency does - and what it can
exaggerated, and many people are reacting like
do to protect Britain in the modern cyber age.
bunnies in the headlights,“ he says.
The change came late last year when the
“Yes, being hit by a cyber attack is a big risk.
Government’s intelligence agency was tasked with
But you need to treat it the same as all other risks.”
setting up a new National Cyber Centre for the
UK “It is a big national priority” Ciaran Martin
majority of common attacks to be managed by other
says, “Transforming GCHQ.”
people, so we can concentrate our energies on national
defences. A lot can be done more straightforwardly to
The decision stands to revolutionise the
Ciaran chimes in: “We would like the
start to reduce the impact of common attacks.”
defences GCHQ has published,
Amongst the suggested
UK every day, there are ways we can suggest that
is advice to web designers and
will be reasonably effective umbrellas. They won’t
administrators not to continue to make
protect against rocks, but they will protect us against
employees and customers remember an
showers - if that works as a metaphor?" he adds with
endless sequence of passwords.
a touch of self-mockery.
mainly aimed at system designers
“We believe we can get 80% of the way -
“Our password guidance was
and the final 20% will take a lot more effort. But
mainly because they do some stupid
let’s be clear, we’re not trying to nationalise the
things,” Ian says. “Currently the
cyber security industry - the Government have just
situation is equal to the average person
tasked us with trying to produce a better national
remembering a different 660 digit
number every month. That’s terrible to
be honest, so by changing the system
“Certainly in the organised crime space,
our assessment is there are decisions made by the
they can make people’s lives easier.”
attackers, very like if they were running a big company
and using a management information dashboard. If
agency recommends is using passwords
they have a line of business and they see one kind of
made from three random words or using
attack making high margins, they will launch more
password managers and jettisoning overly
attacks, but if you make it even slightly harder then it
complex password rules in favour of systems
might be not worth their while.”
capable of detecting unauthorised activity.
Among the suggestions the
‘We generally divide it into advanced threats and what we like to call those from ‘adequate pernicious toe-rags’
CYBERCRIME | DIGITAL DEFENDERS

So there will be a new culture of openness on cyber security - even allowing the press to peek behind the ‘cloak and dagger’ facade?

“Yes, that’s right,” Ciaran adds with a glance towards the street outside the anonymous- “We could have done this interview in the coffee shop downstairs really.”

But the secrecy won’t help surely? How does an agency based from a secret address help inform the public?

“Our Cheltenham location isn’t secret,” he responds quickly. “We even have a bus with a sign on it waiting at the local railway station every morning,” he says of GCHQ’s doughnut headquarters. “We have groups of tourists turning up thinking it’s a football stadium.”

Parts of the new National Cyber HQ itself will also not be top secret. “It will have the same security of a large corporation or a mainstream government department,” he says.

Our interview is briefly interrupted as a group of intent looking staff arrive for a video conference - a series of faces flicker into view on the monitors in front of us.

The question of how to cope with the digital threat also raises questions about how so much public and private advice can be provided publicly by an agency that has spent almost a century in the shadows.

"While attacks are showering in across the

While, at least a section of the public may also fear they will be hacking their emails or listening to their phones.

“The polling we’ve done shows we are trusted - people want to engage with us and work with us,” Ciaran says. “But there’s no question that we can’t take the public trust for granted.

“We need to use bulk data to decipher the cyber threats facing the UK, but people should not think that we’ll be trawling through their emails or Facebook accounts. There are clear processes we have to go through to get warrants. We need to make the case for each investigation in the national interest.”

The task of putting forward their case is also helped by, “over 150 pages of advice on our website including advice on the various methods of encryption - so we need to nail that particular canard before it gathers momentum,” he adds.

In future there may even be other ways to identify yourself using systems like mobile payment systems, the Trusted Platform Module (TPM), bank credit cards and even your FitBit.

In a single brief example, Ian highlights the scale of the digital challenges facing the UK. Recently he has been examining the £12 billion smart metering system, new energy meters the Government plan to begin installing in every home from later this year.

“The issue,” Ian says, “is will they let someone disconnect all the power to your house? Or can someone turn off the right number of meters in the right way to cause a collapse in the grid’s systems?

“The guys making the meters are really good at making the meters, but they might not know a lot about making them secure. The guys making head end systems know a lot about making them secure, but not about what vulnerabilities might be being built into them.

“In the design of the system, we’ve assumed that vulnerabilities exist in each component and designed the system so that it’s tolerant to those weaknesses. The resilience is gained by needing three independent exploits or failures to happen to cause any large scale effect.

“I’m not talking about small outages here, because frankly you could take out the supply cabinets of 100 houses with just a hammer! So we’re working on some wider analysis with a few universities.

“Assuming attacks will come and assuming the vulnerabilities are there - what is the impact? This is how it works, how do I protect it?”

This is all being done to protect the population
THE ‘SIMPLE STUFF’
‘The threat is growing in number, sophistication and impact

GCHQ say dealing with the ‘simple stuff’ can mean a host of relatively straightforward solutions for firms trying to tackle cybercrime.

Getting companies to identify emails that originate from outside the firm. “Most attacks start with an email,” Ian says. “So let’s highlight emails that come from outside the company. “If you are dealing with a request from the Chief Financial Officer about staff remuneration it will raise a question mark if that comes from somewhere else.”

Educating the administrators. “We can’t advise everyone in an office not to open a spear phishing attack, because we know it’s likely that at least one will get through. But what we need to make sure is that when that happens the rest of the system isn’t left wide open to anyone who gets in,” Ian says. “Similar safeguards should ensure no one in the company is using their administrator account to browse the web.”

Dealing with the most common attacks. “SQL injection and XSS or cross-site scripting are both ‘very common,’ in the world of cybercrime. They are both very easy to fix, yet the impact of not fixing them is potentially catastrophic,” Ian says. “It isn’t even necessary to be a technical expert to make websites safe - very good quality products can be purchased off the shelf,” he adds.

There needs to be an incentive model. “You have a fixed budget as a company. Do you invest that in something intangible (like securing your existing app servers where nothing bad has happened) or do you invest in building new functionality for your users, such as integrating Apple Pay?”
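Three of the four points above can be shown in a few dozen lines. The following Python is an added example written for this page, not code from GCHQ or from the magazine: it puts a SQL lookup built by string formatting beside its parameterised form, an HTML fragment rendered with and without output encoding, and a From-header check that tags mail whose real sender address lies outside an assumed corporate domain (example.org, the two sample rows and the attack payloads are all constructed for the example).

```python
import html
import sqlite3
from email.utils import parseaddr

# --- 1. "Most attacks start with an email": tag mail from outside the firm ---
# Assumed corporate domain for the example; a real gateway would take this
# from its own configuration.
INTERNAL_DOMAINS = {"example.org"}


def tag_external(subject: str, from_header: str, internal=INTERNAL_DOMAINS) -> str:
    """Prefix the subject when the sender address is outside the company.
    parseaddr() separates the display name from the address, so a spoofed
    display name such as "Chief Financial Officer <cfo@evil.test>" or even
    '"cfo@example.org" <cfo@evil.test>' is classified by the real domain.
    A malformed From header yields an empty address and is tagged as well."""
    _display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return subject if domain in internal else "[EXTERNAL] " + subject


# --- 2. SQL injection: string-built query beside the parameterised form ---
def make_db() -> sqlite3.Connection:
    """Constructed sample table for the example (in-memory, two rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text, so a quote in the input
    changes the query's structure instead of being matched as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver sends the value separately from the SQL,
    so the same payload is compared literally and matches nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- 3. Cross-site scripting: verbatim interpolation beside output encoding ---
def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text dropped into HTML unchanged; a <script> tag executes."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """html.escape turns <, >, &, " and ' into entities, so the browser shows
    the payload as text rather than parsing it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Constructed attack payloads used by the demo.
SQL_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both variants of each check and return the results for inspection."""
    conn = make_db()
    return {
        "vuln_rows": lookup_vulnerable(conn, SQL_PAYLOAD),    # every row leaks
        "safe_rows": lookup_safe(conn, SQL_PAYLOAD),          # []
        "vuln_html": render_comment_vulnerable(XSS_PAYLOAD),  # contains <script>
        "safe_html": render_comment_safe(XSS_PAYLOAD),        # contains &lt;script&gt;
        "cfo_mail": tag_external(
            "Staff remuneration", "Chief Financial Officer <cfo@evil.test>"
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two fixes are the same idea in different layers: keep data and code apart, by binding parameters on the way into the database and by encoding on the way out to the browser. The mail check deliberately ignores the display name, which is the part a phishing message forges.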
Villains Of The Piece Adrian Leppard | Retired Commissioner, City of London Police and Director, Templar Executives
Why Britain is “swamped” by cybercrime In his final interview as the man in charge of policing fraud and cybercrime in the UK, retiring City of London Police Commissioner Adrian Leppard reveals why the authorities are now “swamped” by online crime and why - despite the crisis - the UK could still become a world leader in cyber security.
For the first time last year the British Crime Survey, which measures crime across the UK, included questions on fraud and cybercrime. It shows there are five million frauds and 2.5 million cybercrimes taking place a year, compared to a total of seven million other crimes.

Those are very significant figures. They double crime levels in an instant - and make fraud and cybercrime the most prevalent in our society.

The challenge we face as police is that only a fraction of those (250,000) crimes are actually being formally reported. So at the national level, we are unaware of the scale of the problem. There is also only enough capacity within British policing to deal with around 60,000 of those crimes a year and we only get a positive outcome rate of about 12,000. So, as you can see, the chances of being caught are very slim.

There has been a significant surge in bank card fraud across the UK; one in five of us have been a victim in the past 12 months.

We have also seen the recent Dridex malware attacks, which stole £20 million from online bank accounts. This indicates that the theft of bank account details from individuals and businesses is a popular target for criminal gangs.

The City of London police acts like a huge crime bureau for the country. We have the lead responsibility for policing economic crime and fraud – including cyber. Any fraud or cybercrimes reported come to us in the UK through a fairly clunky system called Action Fraud, which is a website and reporting centre, before they are then passed to the City of London Police.

It’s a good process, but we are swamped by volume. The major issues are largely down to factors beyond our control. Firstly, the bulk of criminality is being conducted from overseas from countries where we can’t reach them. The British police can’t just walk into another country and arrest somebody.

Second, these threats come through the internet. The traditional means by which governments protect you and I from other crime types are borders, for cybercrime this approach does not work.

So what can we do? Certainly as I reach the end of my policing career, I know I leave a service well-versed in preventing the more visible crimes, but that needs to continue to evolve to meet the threat posed by cybercrime, especially online fraud. There is only so much that can be achieved within the limited resources available and the competing priorities police forces are seeking to deal with.

Ultimately, this new crime needs new resources from the Government, such as a big campaign to reach every household, similar to the ‘Clunk Click’ campaign for drink driving. Campaigns of that scale reach everybody and that is what is needed so people can protect themselves. I think there is a role for government in accrediting certain services, like email, making it a more secure environment for everybody.

You also start to recognise that all of this threat is being hosted through industry. The internet facilitates the benefits and health of our society, so it’s a good thing, but it is actually criminals working through ISPs, through telecom providers and through the businesses at the front end who are using the internet to facilitate a service for their customers. They therefore hold the key to how we protect society.

So the next challenge is - how do we find a way that businesses can adopt common standards of information security in a way that’s achievable and cost effective for them and doesn’t place them in a competitive disadvantage against businesses in other countries?

Cyber health and safety should be the new health and safety. We should know that of all the attacks in recent years, about 60 or 70% involved an

If you look at some of the PwC and KPMG research you will see 90% of small companies are being attacked each year, while the corporates will also say it costs them an awful lot when they have a breach.

You can’t just say ‘Woe is me.’ You have to have a conversation about a cyber breach and its effect to your business. You need to make sense of the cyber threat.

We have no one standard anywhere in the world and, in the UK, there is no standard that is a requirement. There’s no regulatory or lawful requirement to adopt a standard of security and when we look to the future we have to look to what are the minimum standards that business should be adhering to. They have to adhere to minimum standards in Fire Safety for example – but my view is we should be adhering to a common set of standards which are laid down by law for cyber security.

Although we have a Government that doesn’t like to regulate business, we can estimate it’s costing the UK about £30 billion a year in fraud, and other countries are all grappling with these same changes. So what I’d like to see Britain doing is becoming a lead in cyber security.

What you need to do is start looking at the positive advantages to the country and to business. You are already seeing a number of FTSE 500 companies that are bringing significant investments into cyber security. It would be a good start recognising what the individual business growth is and, from a trading perspective, what the overall growth could be if we became one of the leading countries in cyber security.

It is achievable because we have a well connected Government, led through a Cabinet Office with a security strategy. Our security agencies, GCHQ in particular, have been heavily involved with business for a long time, providing advice and guidance.

CYBERCRIME | VILLAINS OF THE PIECE

Across the world, some security agencies are still quite stand-offish from business, but we’ve been working in this area for a long time and we have gained a lot of knowledge and expertise in cyber security. So we have the potential to turn this into a business and power growth in the country.

The conversation we tend to have is always negative, about the challenge and the threat and how difficult it is.

But London is the world’s largest trading centre in banking. It competes with New York so there’s good reason for it to be the leading light for cyber security.

The UK Government has a good name in a range of areas. We have technical skills in cyber security. There’s the uniqueness of British policing in its success at preventing crime and working with communities.

So many countries use a fairly traditional enforcement approach to combat crime and for many decades we have led on a softer approach, which is how to eradicate crime. By working with offenders and businesses, to see how crime might occur, you can help to curb crime from the outset.

I wouldn’t say this is all about prevention either. If you look at enforcement, you have the National Cybercrime Unit (NCCU), who we work with, then there’s the European Cyber Centre. There is also the US Department of Homeland Security, the FBI and the US Secret Service. By working together we can collectively set targets. For example, the Eastern European countries are working very effectively in cyber space because they have a presence on the dark web and infiltration into organised crime groups in the cyber world.

We can’t look at that as being our only means of addressing the problem. We have got to think in a different way. We need to be innovative. For example, we have an Intellectual Property Crime Unit within our Economic Crime Unit here and it focuses on hard goods and, more importantly, virtual goods. So where people are putting albums on websites and you can buy the latest track and get it for free, that’s a crime. Stealing intellectual property - that’s stealing people’s livelihoods.

Often these are hosted by websites in other countries, so what can we do to target it?

What we’ve been doing is effectively targeting their funding structures. We’ve been working with some of the big funding providers, such as Mastercard and Visa, to provide information on websites selling illegal material, which in turn they prevent operating by shutting down the funding structures they host. We have done the same with online advertising, in order to take down advertising from certain web sites.

If we can’t reach the offender we can still remove their ways to make money. We now shut down 4,000 enabling structures a month. For example, intellectual property websites or investment websites, those trying to sell you diamonds or trying to sell you land. We’ve found Voice Over Internet Phone (VOIP) numbers used by fraudsters, which look like they’re a British phone number but they’re not.

If we close these things down and start to stifle criminal enterprise, we therefore protect more people and prevent more crime. We estimate that we are saving the UK roughly £500 million a year by

It’s just another stat, but if you said fraud in this country is £30 billion a year and we’re only preventing £500 million - that’s a big gap.

There’s also military scoping, and individual states’ capability in this area is growing quickly. Every government agency in every country is putting more and more investment into cyber. They are building their own scripts that are getting on to the internet that can do damage, and increasingly we see criminals using hijacked scripts that have been built by intelligence agencies.

So you have state capability growing exponentially and people’s access to the internet is growing. It is an arms race.

In Britain we have good technical skills and we’re getting better every year. There’s a positive journey and we can see increasing successes. My only word of caution is that it is still only a drop in the ocean compared to the threat we are facing. So whilst we are growing in capability, the threat is growing faster than us.

‘If we can’t reach the offender we can still remove their ways to make money’
STEALTH MANAGEMENT Dr Adrian Nish | Head of Cyber Threat Intelligence, BAE Systems
Everything you think you know about cybercrime, you don’t When TalkTalk was hit by hackers, CEO Dido Harding confirmed the first external call she made was to cyber defence specialists at BAE Systems. Here, the head of the firm’s Cyber Threat Intelligence team, Dr Adrian Nish, details the key threats companies face - including ransom viruses and denial of service attacks - and how Russian speaking criminal gangs and UK-based money launderers are amongst those behind them. Threats are now moving so fast that “what we’ve learned can be out-of-date in six months” he warns.
As with any walk of life, technology has had a major impact on how criminals go about their business. The internet has become a way to reach a global base of victims and illicit services – and its global reach makes it very attractive. Conducting crime in cyber space as opposed to the physical world also comes with a perception of anonymity and lower risk.

Across the world we are seeing cyber attack and fraud techniques spread fast, as criminals see what works and what is most profitable. The challenge is that anybody who wants to launch an attack can quite easily pick up readily available tools, and hide in dark corners of the web whilst using them. Much of what is reported is also just the tip of the iceberg. There are many attacks that people and companies are not even aware of, which is a big challenge both for victims and the security community.

Across the industries we work in, not every company is looking to protect the same thing. Many customer-facing firms will be most concerned about their customers’ personal and credit card information, while for others it may be sensitive data in email exchanges, or information that relates to well-known clients. Companies also care a great deal about preventing reputational damage to their brand, about records of upcoming mergers or acquisitions, or intellectual property, which could be of great benefit

BAE Systems is a multi-national defence, aerospace and security company that builds military hardware, advanced electronics and information technology for air, land and sea forces, but now increasingly focuses on the cyber domain and defending businesses. In this division of the company, we have 4,200 people spread across 30 offices around the globe who deliver cyber security and intelligence solutions for customers.

Our expertise includes Incident Response work for companies in need of extra support to investigate cyber breaches, along with running more traditional security services for organisations. TalkTalk is one of the few examples of customers we work with whose breach is public knowledge, and CEO Dido Harding is on record saying one of the first things she did was pick up the phone to us.

How and where an attack takes place can tell you a lot about who is behind it, so our approach to attributing attacks depends on what’s being targeted and who we think would be most likely to go after it.

If the attacker goes after credit cards, we would look at which gangs have a past history of stealing such data. If they are looking for sensitive information or emails of a particular individual, they might be trying to figure out what that manager (or department) is working on. If it’s a big deal that’s worth billions, then it may be competitors in another part of the world that are also interested in this. Some cyber attackers may be out to make money as quickly as possible, others will do it for some cause or political reason – and may not care about concealing their actions. However, espionage actors – whose attacks are industrial or politically driven – work hard at remaining covert. They take great care not to let you know there has been a breach in the first place and may take clever steps to complicate and misdirect attribution efforts.

CYBERCRIME | STEALTH MANAGEMENT

The 16-year-old in the bedroom gets a lot of the headlines because they will often publicly announce what they’ve done, but their attacks are certainly not the most frequent or the most significant. Most incidents we deal with are either originating from cyber spies or well established criminal gangs.

A lot of people talk about the Russian-speaking criminal underground, and that is certainly a hotbed of cyber threat activity that we come across. Much of the more sophisticated criminal capability that has been built over the years comes from this region. There is a community that goes back over a decade with a lot of their interactions taking place within closed forums. These are groups that require vetting prior to access being granted, and the individuals who use them may never meet physically - it’s all done using aliases online.

These closed criminal groups have grown into a whole ecosystem and different actors will focus on different elements. Some focus on building malware (the malicious code that gets used in attacks), others focus on the infrastructure - the servers that get used to host and control the malware. Another segment will focus on building networks of money launderers in order to cash out the stolen funds from bank accounts. It’s just like a process of industrialisation – divvying up the tasks to different specialisations, and within those specialisations people become more proficient.

More recently, we have been seeing West African groups getting more organised and using some of the more sophisticated capabilities acquired from players in other regions. Equally, information travels quickly through the modern media. When breaches get reported in the press we read that as good guys thinking, “Oh that’s how they did it,” but there are plenty of bad guys out there thinking, “I could do that and potentially make some money.”

These days it’s certainly very difficult to provide a fortress to keep everyone out. Technology and attacks have evolved in the last five or six years. Not long ago you could just put in a firewall and anti-virus software to keep most threats at bay. However, those are what are called ‘technical point solutions’ and the challenge is that the bad guy is always able to get around a specific point.

Organisations are realising that much more than just pure technical solutions are needed. What’s becoming increasingly important is how to identify anomalies on your systems, respond to them, and to train your people to spot potential cyber attacks, such as suspicious emails. You can’t keep everything out, so it’s making sure you respond effectively so you can mitigate the damage that is important.

In the cyber world, different industries have been going through the same journey at a different pace. The financial industry has been very aware of the threat for many years. They track the groups behind attacks, and try to be proactive to work with law enforcement to go after the criminals wherever possible. Other industries are realising that they also face significant threats, maybe not in the same way, but are now looking at how they may invest more to improve their security.

At the moment, the vast majority of attacks we see are from commodity, semi-automated malware kits and affiliate programs.

Dridex is one that is very prevalent in the UK now. It is a banking malware, which tries to facilitate transfers from one person’s bank account to the criminal’s account. It waits until the user is logged in and then it will basically pause your banking session. You may see a timer icon, but in the background the malware is forwarding your banking session to the criminals so they can enter new payee information.

The money is often moved to another bank account in the UK - someone we call a money mule. These are people who the criminals recruit to work as drop points for their transfers. Often they are recruited through the work-from-home type ads - the type that might say ‘Make £3,000 pounds a day, working from home.’ Sometimes that can mean working for one of these types of gangs. The ‘employees’ may believe they are facilitating international money transfers and are often recruited through fake companies.

You’d have to be a little bit naïve – or desperate – but it does look somewhat legit. You receive money into your account and you may have to transfer that into your PayPal account and from there you might have to transfer it to the criminals’ account. Or you may have to cash it out and then make an international transfer, for example using MoneyGram or Western Union. Usually the amounts are in thousands of pounds, but that takes place thousands of times, and large sums can be laundered this way.

‘How and where an attack takes place can tell you a lot about who is behind it’

If you fell victim to such malware, as a retail customer you’d be entitled to compensation. A small business legally doesn’t have the same protection, although the bank will often compensate because they don’t want to see small businesses going bust over things like this.

Recently we have been blogging about another class of threats which is also popular at the moment. They are pieces of malware, called ransomware, which encrypt files on your computer, then suddenly say ‘Pay £100 or you’ll never get your files back’. Usually the encryption they use is quite good, so even with expert decryption capabilities it may still be impossible to get the files back.

Extortion in general is a popular technique at the moment. Another variation is where websites are hit with DDoS attacks - distributed denial of service. Again, these may be followed by a ransom note saying: ‘Unless you pay us xxx bitcoins we are going to hit your site harder next time and knock it offline.’ It has been around for a while, but we believe the increasing popularity of anonymous payment mechanisms such as bitcoin is enabling the criminals to make such attempts.

One of the best ways to fight cyber threats is by improving the sharing of information related to their activities and how to mitigate them. This is already quite mature in the big financial services organisations, but we are starting to see that trickle down into the other sectors and smaller industries as well. We all need to share the best practices that people find useful for defending against threats as well as building up that network of support, so you have somewhere to go if you need that extra bit of expert help.

The internet brings us such a vast amount of advantages which outweigh the risks, but we need to avoid being complacent. Let’s be frank - we are not going to win the war against cybercrime. But we can do our best to have properly empowered, knowledgeable law enforcement and a security community that can shake out the most devious activity and keep our networks and information secure.
Cat Burglars Dr Liam Fox MP | Conservative Party
Waging a war on cybercrime Bill Clinton said the other day that when he took office, ‘only high energy physicists had ever heard of what is called the World Wide Web… Now even my cat [Socks] has its own page.’
This exponential jump, both in computing power (a single iPhone could have run the entire Apollo space programme) and in reach (from desktop to laptop to phones to the Internet of Things) has touched all of our lives. In 1995, only 0.5% of the world’s population were using the internet, by 2012 that had increased to 39%.

It’s not surprising then that this astonishingly rapid and profound change has had many consequences, some good, a few bad. One of the major downsides has been the growth of cybercrime, which has risen alongside the growth of the connected world, exploiting new vulnerabilities as security fails to keep pace with technology.

The enemy is not only many headed and driven by multiple different goals, but it is also hard to identify. The ‘War of the Invisible Enemy’ has begun. Three elements encourage activity on this new criminal frontier; first, that it’s usually low risk and high return; second, it has the advantage of anonymity; and third, it often isn’t reported to the authorities by companies who worry about the reputational damage they will sustain.

These advantages have drawn large-scale cyber criminals into what they regard as a growth area; small attacks by geeky teenagers are still significant, but less strategically worrying. Nor is it just private sector criminality that we have to worry about; there are plenty of state-sponsored cyber criminals who not only have access to advanced technology, but can also use their activities to generate extra funds through fraud and extortion.

As a nation we need to learn more about the kinds of attack we may face, and how to meet those attacks. For example, the denial of service attacks which are very common on large companies are often used as a smokescreen to conceal the implantation of malware onto their systems. This can then be used later to extort ransoms by threatening to cripple the system. Nokia were recently the victim of such an attack when blackmailers successfully persuaded the company to part with a suitcase containing millions of dollars in exchange for the crucial piece of smart phone software.

If the victims don’t give in to the criminals’ demands, they may find systems data is wiped, their files are encrypted to the point of becoming useless, or their customer information made available to other criminals for use in cybercrime.

Both the public and private sectors are vulnerable to such attacks. In 2014, the banking giant JP Morgan had cyber criminals sitting on their servers for over two months before being detected. In the meantime around 76 million personal accounts were compromised along with seven million business accounts. Only a year earlier CIA contractor Edward Snowden stole an estimated 1.7 million classified documents from the US Government, significantly impacting their counterintelligence capacity.

In the future, new areas of vulnerability are likely to emerge. As IT becomes ever more important to healthcare, the security of the most sensitive patient records is worrying. Currently you can buy medical records on the black market at $2000 per person, but in the future this might become more in line with credit card data, which is on sale on the dark web for as little as a dollar.

In addition to health data, even elements of our physical identity could soon be vulnerable to hacking. During 2014, an unknown group of hackers stole 5.6 million sets of fingerprints from the US Office of Personnel Management.

None of this, however, is a counsel of despair. The vulnerabilities that criminals exploit are often relatively easy to tackle.

Companies are, for example, particularly vulnerable to periods of mergers or acquisitions, when they often give new potential partners unparalleled access to their systems. Firms are also bad at vetting employees, especially junior staff like cleaners, but of course it only takes a moment to insert a USB drive into an unattended computer and infect the system with malware. Another problem is employees accessing social media through their work computers, permitting gateway access to potential saboteurs.

Relatively simple changes to security can prevent this kind of incursion. Proper staff vetting, clear procedures to prevent easy access to secure networks, and careful consideration of vulnerabilities through supply chains are a start. More complex software, such as Glasswall, which tracks the movement of documents within an organisation and can identify who has accessed them, may be the future.

At a national level, governments need to accelerate the process, which has already begun, of shifting finite resources away from conventional warfare and policing, and resourcing cyber warfare capacity.

I also believe that there needs to be two significant changes to the law. First, all companies – not just internet service providers as at present – need to have an obligation to report to the relevant authorities when they are hacked. Second, all companies that do business with the Government should have a minimum level of defined cyber security. I accept that this would exclude some smaller firms from government contracts but I believe it’s a price worth paying. Finally, the Government needs to appoint a single minister with overall responsibility for cyber security. This is now too important an area for us to take the risk that it might fall between ministerial responsibilities.

Overall, if we want a society to enjoy the benefits of the extraordinary technological revolution, then we have to protect ourselves against those who would exploit it for their own malicious ends. If the private sector, the Government and individuals all step up and take control of their own cyber security efforts, then I believe that we can and will win the

CYBERCRIME | CAT BURGLARS
‘The War of the Invisible Enemy has begun’
CRIME HOPPERS Chi Onwurah MP | Shadow Culture & Digital Economy Minister, Labour Party
‘What is absolutely clear is that the levels of crime in the UK are not going down. They are just going online’
Crime is moving off the UK’s streets to reappear online, where the criminals find it much easier to evade the law, Labour’s Digital Minister Chi Onwurah says. The Newcastle MP was herself hacked in an attack that affected her Westminster and constituency offices for nearly a month.
CYBERCRIME | CRIME HOPPERS
In Britain crime is not slowing, it’s simply moving online to where the criminals fail to get caught. It means we’re now less safe online than we are in the street.
These criminals are more innovative, more motivated, and better financed than the good guys and yet we still don’t know the full extent of cybercrime as there’s such a huge under reporting of it.
I’ve had friends try to use the UK’s anti-fraud website Action Fraud, where online crime is reported, only to give up because it is too complicated. There’s also the embarrassment of reporting it at all for many.
What is absolutely clear is that the levels of crime in the UK are not going down. They are just going online. It’s a lot less risky for a criminal than breaking into a bank. They can also aim at many targets at once, but as a society we’ve not automated our response.
What we need to do is make cybercrime reporting easier and use better data analysis. Most of the cases reported to Action Fraud are simply not taken up and investigated. We also need automated analysis to make sure identifying the people behind the small time offences is much easier. At the moment it’s relatively risk-free activity compared to storming down the high street and trying to break into a bank.
Even a decade ago it was obvious this was going to happen. Back then I was head of technology for Ofcom and I was sent off to Chatham House for a conference in 2004/5 on the subject of internet safety and crime.
I came back with a whole load of terms including digibots, white hats, wizards, and some words they seemed to have invented on the spot like televiruses. When I reported back, people thought it sounded like something out of Dungeons and Dragons. But what we were all talking about then was exactly what occurred, it just didn’t get taken seriously at the time and that’s still the case. I went back to that old presentation the other day and now, everything is exactly as predicted.
In those days Ofcom, under Lord Currie, was very clear that the internet was not within its regulatory remit, so nothing was done. It was nobody’s responsibility, irrespective of the dangers, but it needed to have a much higher priority on the political agenda.
As things have changed I believe there are now two other growing areas that we need to give extra consideration for the immediate future.
The first is mobile phones, which tend to have much less protection than operating systems like Windows. Ofcom have said mobile security should be left entirely to mobile operators, which I personally think is not good enough. That approach was repeated when, after the TalkTalk breach, I asked for a government response to what was being done, and the answer was basically, ‘It’s nothing to do with us, guv.’
The second threat will come from the Internet of Things - the idea that household items connected to the internet will talk to us and each other. I’m a big believer in this technology. I’ve studied it and even built bits of it - in a previous career I was a software and a hardware engineer and a network engineer building mobile, fixed and wireless networks. I was also the first MP to speak about the Internet of Things in the House. I believe it has the potential to transform our lives more than anything since electricity, but there are huge
People are already uncomfortable with how their data is being hijacked, used, stolen and breached - imagine how they will feel about their water supply being hacked? Their children’s bedrooms?
‘Once criminals have data on you, you are vulnerable to a whole series of other attacks’
The Government’s primary responsibility is to keep its citizens safe, but it is already failing that for citizens online. This will be a question of standards, protocols, industry co-operation, self regulation and - if necessary - legislation. Once criminals have data on you, you are vulnerable to a whole series of other attacks.
We need much more protection for individuals. Just 1% of the cybercrime budget is spent on consumers, with the rest spent on national security and critical infrastructure, while small businesses and consumers are left to fend for themselves. The national defence budget is two to three times the size of the police budget, but online we spend around nine or 10 times more on national security than personal security.
Industry needs to change too. I recently launched the Association of Chartered Accountants in England and Wales (ACAEW) report on cyber security. They are calling for big companies and corporations to become much more pro-active in taking responsibility for the small companies in their supply chain - and that goes for governments as well. That could mean bringing in both reporting requirements and also insurance companies reflecting this in premiums.
Being attacked myself last year brought home a bit more the threats we face. We have five people in my office which makes us about the same size as a small business. I had already spoken to staff about their online behaviour and not bringing in USB sticks, but it looks like it may have got through by someone clicking on a legitimate advert.
What happened to us wasn’t exactly a hack. It was a malware crypto-lock virus. It’s ransom-ware. It locks up files and it’s serious enough – certainly if you believe the ransom and pay the money - or if you don’t have the right IT support behind you.
Luckily enough as an MP I had enough support to deal with it. We lost three or four days of work, although it took about a month to get back to normal. We believe it may have come from an advert on a web page. It certainly wouldn’t have come through any office staff and the firewall should have got it, but as we know viruses can change their tags 3,000 times in a single day.
Collectively, we have to realise that the internet is not free and our whole lives will have traces of everything we do on it.
It is not another world. It’s not another universe, it’s used by criminals living in the real world right now.
HOW CHI’S CLAIMS STACK UP
“We are less safe online than on
For the first time cybercrimes were counted in the latest 2015 UK Crime Survey statistics leading to a shocking 107% rise in all crime – more than double the previous level - meaning more than half of all current reported crime now takes place online.
Bureaucratic fraud reporting
Action Fraud is the online fraud reporting website for the UK. It confirms that simply filling in the forms to report a cybercrime takes “20 to 30 minutes”.
Large numbers of cybercrimes are never
In the last full year of figures Action Fraud ignored three out of four complaints. It received 230,000 reports of crime of which 61,000 were passed to police to ‘consider’ investigation, Home Office minister Mike Penning told the Commons.
Britain spends the majority of its money on fighting international cyber threats and very little on consumers and small businesses.
In a written answer to Chi, the Secretary of State for Culture, Media and Sport, Ed Vaizey revealed that just £14 million out of a total spend of a £840 million programme is exclusively aimed at small businesses and the consumer. (The Government plans to double its total investment over the next five years).
CYBERCRIME | EDITORIAL
CRIMINAL ACTIVITY
The estimated number of online crimes reported last year was 7.6 million. This is more than all other crimes combined. Only a fraction of online criminal activity is reported to the police, limiting the authorities’ ability to research and set effective policy.
There were an estimated 5.1 million cybercrimes and frauds last year
...and 2.5 million offences under the Computer Misuse Act
1. The 2015 UK Crime Survey 2. City Of London Police
CYBERCRIME | CYBERCRIME STATISTICS
A total of just 250,000 cybercrimes are reported to the police each year
...of those, 60,000 are investigated - and just 12,000 result in a prosecution
Cybercrime costs the UK £27 billion a year
UK businesses are the biggest loser with an estimated total loss of £21bn
The cost of the worst breach suffered has gone up sharply for all business sizes: from £1.46m to £3.14m for large organisations and from £75k to £311k for small organisations.
Criminals are trading email account data for up to US $12, credit card data for up to US $30 (per card) and bank account information for up to US $125.
There has been an increase in security breaches over the past year - from 81% to 90% for large organisations
...and from 60% to 74% for small organisations
39% of large organisations and 27% of small organisations have insurance that would cover them in the event of a breach
Information Security Breaches Survey 2015 conducted by PwC in association with Infosecurity
50% of the worst breaches in 2014 were caused by inadvertent human error
‘The demand for the cyber security workforce is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million’ Michael Brown, CEO, Symantec
NOT KIDDING Mary Aiken | Cyberpsychologist and Professor of Cyber Analytics
We need a Technology Quotient – to identify the most talented children early
Millions of youngsters become less inhibited online than they would be in their own daily lives, Professor Mary Aiken, the world’s first forensic cyberpsychologist, argues. Here the academic advisor to the European Cybercrime Centre, and inspiration for the CBS crime show CSI: Cyber, explains that, as ‘cyber delinquency’ now costs billions to the world economy, it may be time to couple better policing with identifying and supporting the most cyber skilled youngsters from an early age.
In 2015 the UK saw a series of teenagers allegedly involved in high-profile hacking incidents. These included a British teenager who worked as a ‘hacker for hire’ and was spared a prison sentence after cyber attacks from his bedroom targeted global institutions which allegedly ‘almost broke the internet.’ He was just 13 when he joined a network of online hackers.
Many were surprised by the young age of some of those involved in these hacking incidents, but it’s not really surprising that impulsivity and risk-taking behaviour comes to the fore during the formative teenage years.
Hacking is a serious and costly cybercrime. Dido Harding, the Chief Executive of TalkTalk, said that the total bill in the wake of the TalkTalk cyber attack would cost, including profit loss and exceptional costs, around £60m. Recent statistics suggest that there is an increase in the amount of cybercrime being perpetrated worldwide.
As noted in a Europol report, cybercrime has evolved from a few small groups of hackers to a thriving criminal industry that costs global economies between $300 billion and $1 trillion a year.
CYBERCRIME | NOT KIDDING
Interestingly, the Director of the FBI has stated that, “there are only two types of companies: those that have been hacked, and those that will be.”
‘There are only two types of companies: those that have been hacked, and those that will be’
What is curious to note is not necessarily how fatalistic or pessimistic that statement is – but how odd it would seem if it were made in the context of real world physical security. The combination of emergent cyber juvenile delinquency, the cost of cybercrime and hacking, and a somewhat pervasive resigned approach to the inevitability of these crimes are all causes for concern for the global
So what can we do? The answer may lie in developments in the scientific community.
Cyberpsychology is the study of the impact of technology on human behaviour. Approximately 30 peer-reviewed journals now publish an estimated one-thousand articles every year on topics related to cyber behaviour, a field that is expected to enjoy exponential growth in coming decades due to the pervasive and profound impact of technology on mankind.
Unfortunately, I cannot help but observe that the behavioural sciences have been somewhat blindsided by rapid evolutions of online behaviour.
In terms of a scientific investigative approach, we really need to question if traditional psychological or sociological concepts are sufficient in understanding online behaviour. As scientists, will we need to develop new theories or modify existing ones?
As a cyberpsychologist my job is to deliver insight at the intersection between humans and technology – or as law enforcement say ‘where humans and technology collide.’ While there are substantial benefits associated with technology, it can also be problematic. Consequence is critical: what happens in the cyber world can impact on the real world, and vice versa.
My research to date has focused on applying forensic cyberpsychology to criminal behaviour, ranging from cyber stalking to technology-facilitated human trafficking. The one thing that I have observed is that whenever technology intersects with base human inclinations, the results are amplified and accelerated.
The reality is that for some time there have been reports of increasing involvement of youth in criminal activity online. In 2015 the Australian Bureau of Crime Statistics and Research reported that cyber fraud offences committed by people under 18 years of age had jumped by 26% in the previous two years, and 84% in the previous three years.
Acting Fraud & Cybercrime Squad Commander Matt Craft said: “Fraud is a growing crime category, thanks in part to the proliferation of internet-based fraud and other cybercrime.” In a recent survey conducted by an online security company, roughly one in six teenagers in the US, and one in four teenagers in the UK, reported that they had tried some form of internet ‘hacking.’
One of my specialist areas is the investigation of human factors in cyber security. I argue that online behavioural effects including anonymisation, invisibility, immersion, and disinhibition all seem to be contributing to the increased visibility and presence of cyber criminality in contemporary societies.
Online disinhibition is important in understanding why young people behave the way they do on the internet. Understanding the link between disinhibition online and risky, impulsive behaviour in adolescents is critical.
It’s also important to consider the morality of the issue. Recent research examined ethical belief systems regarding physical shoplifting (e.g. stealing CDs) and digital ‘soft lifting’. It found that moral beliefs would prevent a person from stealing a CD from a record store, but the same person was ambivalent about downloading pirated material. This suggests that there is a disconnection between real world ethical beliefs and online behaviour. So what is the solution for a generation desensitised by the consumption of illegally downloadable music, videos, software and games? And what sort of criminal activities might a generation of ‘virtual shoplifters’ progress to?
On the other hand, it could be argued that as certain negative online practices become normalised, it can become increasingly difficult for young people to make the right judgement calls and if so, what can we do collectively to address the issues?
First and foremost I am an academic, an educator who cares deeply about the impact of emerging technologies on all of us, and the societies we live in. I am particularly concerned about the effect of technology on developing youth, and the lack of focus on this problem from a societal perspective.
There is a paucity of research in this area. We know a lot about real-world criminology; we know about a kid in a particular home, in a particular neighbourhood, with a particular group of friends that may get involved in juvenile delinquency. But we know very little about cyber juvenile delinquency - compounding this problem, we know very little about the effect of the minimisation and status of authority in cyber space.
Interestingly, Estonia has just introduced a ‘Web Constable’ initiative, which may in time offer some insights in terms of cybercrime prevention.
In the next few weeks, in collaboration with the European Cybercrime Centre (EC3) at Europol, we will be launching a research initiative investigating ‘Youth Pathways into Cybercrime’.
The project will draw together existing, recent evidence on online behaviour and associations with criminal and anti-social behaviour, specifically exploring the pathways that lead to ‘cyber criminality’.
We will be examining the behaviour of young offenders and victims online, and producing guidelines and information for professionals working in the prevention and intervention of online youth offending, as in the case of hacking.
Additionally, we aim to support victims and agencies who are susceptible to multiple aggressive and significant financial attacks, such as members of the finance and banking sectors. We anticipate that the research outputs will have wide international relevance across the European Union and internationally. Crucially, the findings will aim to inform prevention, practice and policy.
As a cyberpsychologist, I’m often asked what the motive is to engage in hacking. It’s a broad spectrum - motives can range from hacking for profit to hacking ‘just for fun.’ We should not lose sight of the fact that hacking is in fact a skillset; over time it has become a pejorative and negative term.
We have to ask if, as a society, we really want to criminalise 13, 14 and 15 year-olds who offend from their bedroom. Alternatively, do we want to try and understand the behaviour, engage with these incredible skillsets, mentor talented youth, and try to guide them in the right direction?
Let’s not forget that the security community has long fought an uphill and losing battle to recruit new talent.
We have scales for IQ, EQ and CQ (Intelligence Quotient, Emotional Quotient and Creativity Quotient), but we don’t have any scales for TQ – ‘Technology Quotient.’
We need to develop metrics to assess technology related skillsets at the earliest possible stage, identify those who have the potential to excel in this area, and then develop this talent. This problem space is not confined to youth hacking - there are wider societal issues that provide context for the
Cybercrime represents a shift to a new world order where privacy, national security and individual rights are being rewritten because traditional checks on anti-social behaviour are absent online.
Where is the societal debate? What is the role of governance online or cyber ethics?
I often observe that technology was designed to be rewarding, engaging and seductive for the general population - but did anybody really think about the impact on criminal, deviant or vulnerable
THE STRONG, SILENT TYPE Janis Sharp | Mother of Gary McKinnon
Asperger’s often means an obsession with logic and a sense of injustice
Pinksy the cat patrols silently outside, watching a collection of recently rescued goldfish criss-cross the garden pond at the house of Janis Sharp, mum of Gary McKinnon.
The prowling feline is named in honour of Pink Floyd musician David Gilmour - the rock star who helped rescue this family as they faced mounting psychiatric and medical bills for defending their son Gary against a possible 60-year US jail sentence.
Inside, Gary’s mum Janis talks affectionately about her son, who in the past month has been hailed as “‘number 1’ on the list of black hat hackers” by renegade hacking group Anonymous.
The group say his alleged 2002 raid on 97 Pentagon and NASA computers where the US claimed he stole passwords, deleted files and shut down networks on military bases, makes him the best “black hat” hacker ever in a list of the world’s top ten.
Strange then, that the “vulnerable” son that Janis talks about actually bears more resemblance to a famous detective than a criminal mastermind.
“Believe it or not Gary looks unbelievably like Benedict Cumberbatch,” Janis says.
“When Sherlock was on TV, even his solicitor Karen Todner wrote to me and said: ‘God, he’s Gary’s twin!’”
It is three years since Home Secretary Theresa May blocked Gary’s extradition to the US on the grounds of his human rights after ruling there was “no doubt he was seriously ill.”
Still instantly recognisable, Gary shuns interviews and public places where he can be recognised. Gary’s mum says that like many others with Asperger’s, he has a “fear of socialising,” although he enjoys talking about UFOs and the theories that surround them.
“Many people with Asperger’s shut themselves away in their rooms. It’s a choice thing,” says Janis. “I remember once a girlfriend of Gary’s had arranged a party. Her relatives were all there. They were all standing in one corner of the room looking not happy at all and Gary was in the middle at this big table on his computer. I went up to him and said ‘Gary, it’s a party.’ He looked at me and said ‘But it’s my party too,’ and I said, ‘Yeah, but this is not what you do!’”
People with Asperger’s - a type of high functioning autism - often have an obsession with logic, a heightened sense of justice and an intense curiosity that makes them want to know everything about a particular subject. It’s a perfect personality match for a hacker.
In Gary’s case the curiosity involved his search for a US cover-up of evidence of extraterrestrial life – under the hacker tag ‘Solo,’ a tag previously used by another infamous hacker.
Today Janis admits she is worried for the future of another similar hacker. Lauri Love, 28, is also facing extradition for breaking into US
“He also has Asperger’s, is idealistic and says too much politically,” she says.
She fears many of Britain’s brightest computer brains may be being wasted and criminalised when they may offer far more skills in a cyber addicted society.
“The shame is people are trying to get children off their computers, but they’re often so advanced. Technology is getting so fast and moving so quickly.
“Around one in 100 children have Asperger’s. Do we have a way of harnessing their skills? We need an outlet that can harness what they have to offer in the best possible way.”
John Arquilla, Professor of Defence Analysis at the US Naval Postgraduate School, has argued that winning future cyber wars may not be possible without hiring master hackers who can “walk through firewalls.”
As one of the first US figures to call for Gary to be allowed to go free, Arquilla says the world’s best hackers often have a “startling intelligence, and a deep attraction to the beauty and complexity of cyber space.
CYBERCRIME | THE STRONG, SILENT TYPE
“They are not motivated by a desire to disrupt: if anything, they are devoted to free, secure flows of information,” he says. He compares hackers to being like “shy woodland creatures” - a description that has them “down to a tee”, Janis says.
Many people with Asperger’s are already being employed in America. Paypal founder Peter Thiel says: “In Silicon Valley many of the more successful entrepreneurs seem to be suffering from a mild form of Asperger’s, where you’re missing the socialisation gene. It happens to be a plus for innovation and creating great companies.”
‘In Silicon Valley many of the more successful entrepreneurs seem to be suffering from a mild form of Asperger’s’
Janis, who wrote her autobiography ‘Saving Gary McKinnon: A Mother’s Story’ in 2013, adds: “In Silicon Valley they employ loads of people with Autism Spectrum Disorder, because they are attracted to the logic. They’re extremely good at their obsession. They can talk about it until everyone is bored out of their head,” she laughs.
“Gary is not a genius,” she says, “but simply has a lateral way of thinking and did significantly less than he has been accused of,” she maintains. “It is wrong to blame him and others for crossing over into less legal computing methods.” She adds, “if you leave a child in a room with a computer, human nature means they always want to see what’s on the other side of the fence. If you tell a child not to search for something - of course they will, because you can find information on anything on the internet, and it can lure the obsessive into dangerous waters.”
Gary, 49, is currently living with his girlfriend Lucy Clarke, 40, who he met during the course of his ordeal. Gary now runs a small search engine optimisation business. “He’s very young for his age, innocent but not backward,” she says, “he sings, he plays songs - he’s a very good musician and he cooks. They’re very different but Lucy is good for him. They both love cats, food and music. Lucy would like a family and Gary is amazing with kids, but I think it might be too late for them to have children. Gary also worries about the responsibility. He can flip from job to job; if someone says something he leaves. He can’t take
She is careful to point out the UK Crown Prosecution Statement that says: “The evidence we have does not come near to reflecting the criminality that is alleged by the American authorities.”
The family say they were surprised and hugely grateful when Pink Floyd’s David Gilmour offered to help them meet their bills. “David Gilmour wanted to help us,” Janis says, “I wouldn’t accept money, but he insisted and paid Gary’s psychiatrist bills, which amounted to just under £10,000.
“Then he donated on our behalf, thousands of pounds each to Liberty, NAS, Research Autism, Simon Baron Cohen’s ART (Autistic Research Trust) plus various amounts to others who had helped us. We had just been forced to sell our house and David Gilmour and the electronic band The Orb, who collaborated with him, really saved our lives when we were truly at rock bottom in every sense of the word.” She is also deeply thankful for the endless support of Trudie Styler, Sting and Sting’s sister Anita Sumner and the support of thousands of others including Home Secretary Theresa May for her incredibly courageous decision to keep Gary in the UK. “The support from our rag tag Twitter army was also incredible and proved to be an awesome force,” she says.
“Incredibly it was only after Gary was interviewed on TV following his arrest by the National Hi-Tech crime unit in the UK that he was diagnosed,” Janis says.
“During the TV interview, the interviewer said ‘Obviously you thought you would leave a bit of egg on their faces?’ and Gary said quizzically ‘It wasn’t egg!’”
Then the interviewer told him: “At worst you could have sent terror through the network,” and Gary, who had posted a note during his US military hack saying ‘Your security is crap’ replied: “I don’t think you can send terror through a network by leaving a note.”
Janis explains: “People who had been watching started calling me, a combination of parents of people with Asperger’s and experts. They realised Gary was taking the questions literally, and explained, ‘he’s got Asperger’s.’”
They also noted his monotone voice and lack of facial expression - also clear traits of ‘Aspies.’ Within weeks he had been diagnosed with the condition by leading UK experts Simon Baron-Cohen and Thomas Berney.
Many people with ASD change when they socialise with others with the same condition. “We went to a Jools Holland concert for people with autism and Asperger’s and the autistic performers and autistic audience all got on like a house on fire,” Janis says, “it’s almost like an alien race who light up when they’re together and when they talk to each other. Many people with Asperger’s often say they feel as though they are living on the wrong planet. There’s even a website for people with ASD called
The end of the 10-year campaign to block Gary’s extradition has left Janis looking happy. She says of the experience: “You’re trapped and you’re under intense pressure. The fear is awful. Only someone who has gone through it would understand it. You are actually living in terror. You wake up every morning with this fear and go to bed every night with it. You are imprisoned by terror.”
At home, Janis and her husband of 42 years, Wilson, have fostered more than 60 children, and are currently busy caring for three children under four in their Hertfordshire home. The youngest of the three wobbles happily across the floor in front of us.
“It’s very upsetting when the time comes for them to move on as you can’t help worrying about their future and how they will fare,” she says. “They quickly become part of your family. When the first group we fostered left we would find ourselves crying for months afterwards.
“Even when we were watching the extradition debate there was a knock on the door and there were two young social workers standing outside in the dark with a little boy and his baby brother. We knew we shouldn’t take them at that point in time because there was so much going on, and so much to do, but we couldn’t say no.”
SPACE INVADERS Mum of 13-Year-Old Schoolboy
My 13-year-old researches how to hack NASA
A generation of millennials is exploring the Internet to a degree their parents struggle to comprehend. Here Clare, the mum of schoolboy Alex from South London, reveals how she found her son trying to connect to the Dark Web and watching an instructional video on ‘How To Hack NASA.’
I find it difficult to control Alex’s computer time. I try to keep an eye on it, but for him the online world harbours all these amazing possibilities, games and activities and hooking up with people. I’m sure it’s very relaxing for him without an adult telling him what to do all the time. He’s nice and warm curled up on the sofa in a world where he has an amount of control.
There are obviously many inherent dangers, including the prolonged damage of just sitting down for a long time. You can’t entirely know where they are going and what they're seeing even with parental controls.
Alex spends so long on it that I have to try hard to find other things for him to do. The computer is often a great babysitter - although I don’t say that without a twinge of guilt - and children of his age don’t want you looking over their shoulder all the time. Then, as soon as I take it away from him, he says: “But Mum - I need to go online to do my homework.”
Recently I saw Alex looking at a YouTube video on ‘How To Access the Dark Web’ and the instructions for putting up ‘mirrors’ so he could go on there without being traced. Then on a separate occasion I noticed he was watching something about ‘How to Hack NASA.’ We talked about it and I don’t really believe it is something he’s likely to do, but he’s just a very curious boy. He has a scattergun approach to the things he’s interested in, so he often sees something and then loses interest, but it certainly concerned me.
We’re lucky that he is quite open with us. Whatever we do or say as parents, we try to make sure he is honest about what he’s doing, but children will always be a step ahead. We can let them know where to go, but they can always find the next big thing before we know that the dangers exist. Parents are just very behind. Besides, the information is out there - if he really wants to find it, he can.
‘The information is out there - if he really wants to find it, he can’
I don’t think all the other kids are as fascinated by computers as Alex. The teachers at school are certainly a long way behind. His least favourite subject at school is ICT (Information and Communications Technology). He finds it frustrating and says he knows the answers while the teacher is still figuring out which button to push on the computer. He told me they set him a task designing a programme on Scratch (a coding site), and he knew how to do it straight away and he didn’t think the teacher even knew herself.
If parents and schools can’t keep up, then I think we might need another level of support, like peer mentors to help some of the children who are most interested in technology.
I always try to be clear about what he is doing, but you can only let them take you by the hand and show you.
We all have to embrace technology as a society and, for boys like him, who are a bit socially awkward and struggling to do their growing up in public, it’s nice if he can test things out without having to worry about being face-to-face with other people all the time.
But for me it’s just a worry how I can help make it a safe environment for him to do that.
* Names have been changed.
CYBER CRIME | SPACE INVADERS
DUCK AND COVER Luke Harder | Hacker, Anonymous - Interview with Ben Jackson
Legislation will never keep up with technology They are the world’s most infamous hackers - known for attacking ISIS with images of rubber ducks and with a long list of hacking victims that includes Donald Trump, child pornographers, The Church of Scientology and the city of Sacramento. They claim hackers can train in just five years and their simple slogan threatens: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.” Here - using a pseudonym - 34-year-old Anonymous member Luke Harder challenges the damages companies claim they suffer after being hit by hackers. The LA-based hacker also reveals why any “High School student with a C average” is clever enough to join the underground group and why the Internet is not the answer to all the world’s problems.
CYBERCRIME | DUCK AND COVER

So Anonymous - politically-motivated campaigners or the Internet’s chief mischief makers?

What the original people involved with Anonymous did was pranks. There wasn't any raw fibre to it. It was just to be funny. (For the lulz). So that’s always been a theme of people who have been with the organisation for a long time. If you take things too seriously it takes the enjoyment out of it. To be fair, I’m not part of the group that was in it just for fun. I didn’t become interested in Anonymous until it was standing up for something. It was standing up for Pirate Bay (a file sharing site) and quickly afterwards Wikileaks as well.

So the humour stops it feeling like a

A lot of times, the things Anonymous does are just to attract attention. In the grand scheme of things most of it doesn’t have a huge effect. When a company or institution gets hacked, the damage numbers are inflated on the company’s behalf. They’re collecting insurance and they’ll say a hack cost them $3m. Yeah, right! They were already paying their IT guys $67,000 a year. They pay them some overtime to work 36 hours straight to get everything back up, maybe they had a consulting fee for $150,000 to an outside company - these things are inflated.

The real impact is the attention and that is so much better if something is funny or fun or humorous - as opposed to some serious message. It’s like ‘Oh God, we’re sick of serious messages’ - and I’m speaking from the public’s point of view too. Think how much more entertaining it is to read an article where somebody changed someone’s website to something funny. It works much better. If you make people think it’s funny - you won’t make people sick of it. But there’s a bit of a divide amongst people in the group who insist that they’re for laughs and people who are too upset to laugh anymore.

Does that mean that attention is the guiding principle above everything?

More or less. There’s definitely some damage element to it too. Sometimes the goal is to hurt the enemy who is getting attacked, but a lot of times it’s just to get some attention on the issue. Isn’t that the idea with any protest? It also helps to create a brand, so there’s a common theme running through all of this.

How do you translate public sympathy into recruiting members? Is recruiting important?

I’m not aware recruiting exists. It’s more like the recruiting is done as a safeguard, because we know people are coming in and we are trying to save those people from themselves. That’s why there are guides for people. If you want to be Anonymous, there’s a guide on how to hide your identity, and how to use Virtual Private Networks. Those guides are put out more to save those people than for recruiting, because it would be bad for the brand if a bunch of people tried to become Anonymous and they all went to jail.

But then there’s no shortage of Anonymous members who have gone to jail.

It would be interesting to compare the number of people who have gone to jail versus the number who have been arrested and which of those are confirmed members of Anonymous. We could compare it to the incarceration rate of an average country. What would those numbers be? Maybe there is a shortage of people being arrested? I mean maybe our percentage is really small!

But you’re not like a country. You’re an organisation.

You have to think about the definition of that. People use that word wrongly. An organisation means there is organisation. If you just have a bunch of stuff together in a pile, that’s just a pile right? It’s not organised, it’s not alphabetised, it’s not sorted by colour. There’s no organisation, it’s just a pile!

That has to bring limitations. It’s hard enough getting agreement when there are just five people in a room.

But that’s just the thing. Organisation amongst people inevitably requires a shift of power. It requires those in the lesser positions in the organisation to give up their power to someone else. So if you abandon the organisation everyone has an equal amount of power, which is what democracy really should be. It’s an experiment in democracy in its purest form. The only thing that can affect it is a person’s voice.

Does that work in practice?

You tell me? Something is working - we’re talking. If you went and told your editor, “I’m really sorry, but I p-ssed that guy off something fierce,” he’d be f-cking scared right? He wouldn’t have any right to be, because I’m not that type of person in general and it’s purely hypothetical, but I would say what we have constructed or created is working quite well.

The ISIS campaign is interesting. That’s a big thing to go after.

They’re just people.

Can Anonymous stop ISIS?

No - the only effect we have is on the internet and communications, but compared to a government agency we’ve got the manpower.

How do you work within and without the law? There must be some consideration of how far you can go or not?

That consideration is only weighed in risk. How badly do you want to avoid being locked up? The question is what are you willing to risk for this cause. There are things that are not as risky to some people as they are to others.

‘It’s an experiment in democracy in its purest form’

In terms of the technical skill level of those working for Anonymous, is it on a par with anything out there?

It’s on a par with a High School student with a C average. The actual technology and knowledge required to hide your identity fits on a single sheet of paper. That’s not hard. Actually hacking something, that requires skill. It’s going to take some practise and some quality hardware. (Anonymous training guides suggest five years of study)

So can laws help keep malicious people from doing damage on the Internet?

Legislation will never keep up with technology, largely because the people making legislation don’t know a goddamn thing about technology. There’s no way they can make laws to contain it if they don’t understand it. It would be like someone who had no concept of the Laws of Physics trying to make laws about how people can move.

We are increasingly seeing people renting hacking programmes off the shelf which they can or can’t operate. Is that something you have a view on?

It’s tough because it’s a situation that makes a lot of people have a desire to create a law around it, because it can have a malicious effect. When you study something and learn it - you learn to have a respect for it. Much like someone who has been crafting and milling revolvers for a lifetime. He’s the last person who is going to misuse a revolver. He’s got respect for it. Then when you give that revolver to somebody who is not very bright and doesn’t have any respect for it, something bad’s probably going to happen.

Here in the UK, the Government is justifying the fact that they can monitor all communication. Do you believe people are trying to limit your freedoms and that governments don’t get it?

It’s not that they don’t get it, they’re terrified! We’re taking power away from them. Once they gained the ability to effectively just open your mail - because that was the only communication other than face-to-face that anybody had for a long time - once they gained it, losing that becomes terrifying. That gave them such an enormous edge, so how could you ever relinquish that?

And that’s why you would want to be a part of it?

I think it’s an effective tool against those who would

Do you like being called hacktivists?

Well it’s clever. It’s a misnomer, but it’s kind of too late to change the name. I don’t really care for it, but it’s like hover boards. It’s not actually a hover board, but it’s too late to change the name now. You might as well get with it. I reserve the word ‘hacker’ for the elite. If you look at the internet as a separate society, a hacker is like a superhero – you’re able to alter reality in a way a normal citizen cannot.

There’s a really good analogy to describe this. Anonymous is like a flock of birds - at any point a bird can fly up out of a tree and join the flock or go land on a street lamp. The only thing that makes the flock of birds a group is that they’re headed in the

Is it the case that many types of encryption are now beyond the security services’ ability to read them?

Yes, but that’s something that constantly evolves. Ask any locksmith. If you don’t keep up you’ll go out of business. You have to keep making a better lock. It’s an endless cycle. It’s the only part of capitalism that can experience endless growth. The Internet keeps changing, so you have to keep updating and you have to keep changing your protection.

That will have a bearing on the Internet of Things. Are people right to fear the possibilities?

It’s like being afraid of being hit by a meteor. You can’t walk around in fear all the time. Enjoy the technology. Your dishwasher may go awry because someone hacked it, but it’s not going to become some epidemic. If it does, those products just won’t be successful.

The Internet is something we have appreciated and loved, but aren’t we going to have to learn to fear it more too?

I don’t know if fear is the right word. I think respect would be a better word. Why on earth do we need the Internet hooked up to the goddamn water supply? The water supply has worked fine for years, I don’t see what good that does.

So we draw lines between what we do and don’t want to tamper with?

Absolutely. Not so long ago there was a test on the new Jeep Grand Cherokee. Somebody driving along next to one doing a stunt for a magazine hacked into the control system from the car driving beside it. It was terrifying what was possible. Why is anything besides the radio hooked up? Do you know what I mean?

Anonymous. Are they a force for good?

As a society we generally assume that people are inherently good. It would be hard to assume that Anonymous is anything other at this point.
ANONYMOUS ATTACKS

THE CHURCH OF SCIENTOLOGY 2008 - Anonymous’ first widespread example of activism came after waging war on the church - warning the group it would be ‘expelled from the Internet’ and launching DDoS attacks, prank-calling its hotline and sending black faxes to waste ink along with thousands protesting in Guy Fawkes masks from the film V for Vendetta.

PIRATE BAY 2009 - Anonymous hit back after an Indian software firm, Aiplex Software, was contracted by film studios to launch DDoS attacks on websites hosting pirate content, like Pirate Bay. Together they shut down the firm’s website and then targeted the Recording Industry Association of America and the Motion Picture Association of America posting the message: ‘Payback is a bitch.’

WIKILEAKS 2010 - As Wikileaks released hundreds of thousands of leaked US diplomatic cables, Amazon, PayPal, MasterCard and Visa cut off its services. Anonymous hackers brought down PayPal and hit Visa and MasterCard sites.

SONY APRIL 2011 - Anonymous attack Sony for trying to stop hacks into the PlayStation 3 console. More than 100 million Sony accounts were compromised and services were taken down for a month apiece by cyber attacks.

LOLITA CITY 2011 - Anonymous takes down more than 40 illegal child pornography websites. The hackers specifically targeted Lolita City, a file-sharing site used by paedophiles, and leaked the names of the site’s 1,589 active members to the public.

TAMIR RICE 2014 - Anonymous shut down the website of the police in Cleveland, Ohio and posted a video following the death of Tamir Rice, 12, a boy with a BB gun shot by a police officer in a Cleveland park. Anonymous also uncovered the phone number and address of a policeman involved in the shooting.

ISIS 2015 - Anonymous announced a major operation against ISIS after the Paris attacks, declaring, “Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go.” ISIS responded with a telegram calling them “idiots,” and asking, “What they gonna hack?” The group posted pictures of rubber ducks in place of ISIS fighters, spammed twitter feeds with cat memes and replaced one site with an advert for Viagra. It claimed to have taken down 3,824 pro-ISIS Twitter accounts - later increasing that to 20,000 although the list was later found to include many inaccuracies.

DONALD TRUMP 2015 - Anonymous attack the website for Trump Tower in New York after the Presidential hopeful proposed that all Muslims be blocked from entering the US.

Hackers release a video warning of consequences for the city of Sacramento if the city does not lift its ban on urban camping, a measure it called a ban on the human right of sleeping – and seen as an
The Codemaker Phil Zimmermann | Silent Circle and Blackphone Coder
People used to ask ‘Are you a criminal? What have you got to hide? Now they give me awards’ Phil Zimmermann is in the Internet Hall of Fame and has been named as one of the world’s top 50 tech visionaries. The code he first published as an anti-nuclear activist 25 years ago has been adopted by almost all of the world’s intelligence agencies. His latest venture, Silent Circle, makes the ultra sophisticated Blackphone, and was founded with former US Navy Seals. Yet the 62-year-old firmly believes snoopers know too much about us all – worse, their tactics may be leaving us wide open to criminals.
CYBERCRIME | THE CODEMAKER

Phil Zimmermann is responsible for bringing privacy to the Internet. As an anti-nuclear campaigner in the Eighties he feared the US Government was snooping on him and other protestors who opposed nukes. His simple idea was to write a piece of code that would make his communications and files invisible to their attentions.

His encryption was light-heartedly named Pretty Good Privacy and published in 1991. It took its moniker from Ralph’s Pretty Good Groceries, a fictional store on a US radio programme by Garrison Keillor.

But the results were better than pretty good. Much better. The free software for encrypting emails worked by assigning one public key to be shared, with one private key, known only to the individual for decoding their emails.

It was passed around, first across anti-nuclear groups in the US, before rapidly spreading internationally across countries where dissidents of all types feared government snooping.

Its success enraged the US Government, who had been planning new laws governing access to emails and other data. So just two years after its release, they moved to prosecute Phil, then 38, for export of ‘munitions’ - as encryption software was categorised at the time.

The prosecution spent three years building their case, only for Phil to ingeniously escape trial when he published his entire code in a book – where its contents were protected under the First Amendment.

Today the same code is now the most widely used encryption software in the world, and also used by almost every intelligence agency on the planet.

Meanwhile Phil himself has turned his hand to uncrackable phone technology, as a founder of the Geneva-based communications company Silent Circle.

In a strange turn of events, the son of a concrete mixer driver has also been hailed by those who once worked to destroy him – with the head of the United States National Security Agency presenting an award to enter him into the Cyber Security Hall of Fame.

The incredible turnaround has come as encryption has gone from "almost forbidden to required in America and Europe", he says.

“We had to fight all through the 1990s. If you were using strong crypto (code) then you had to explain yourself: 'Why are you using strong crypto – are you a criminal? What have you got to hide? You must be up to no good.'

“But today if you’re not using it, you have to explain. If you are a doctor or a clinic and you don’t protect your patient records with encryption you are in violation of the law.”

Despite creating virtually uncrackable codes, the cyber world has not become more secure. Phil says, “Is there a perfect level of security? No, it’s an arms race!

“The very best cryptography is now much stronger than the very best analysis. But the reverse is true in cyber security.

“The really difficult problem is how to prevent your computer from being attacked by malware. If someone can seize control of your computer through hostile software it doesn’t matter how good your encryption is.

“By the early 2000s we won the ‘crypto-wars’. But maybe the codemakers should have asked why. Cryptographers thought we had presented our opponents with math problems.

“But the US National Security Agency were able to change the problems. They realised that they only needed to figure out a way to get control of the computer - then who cares how hard the math problems are? You’re bypassing all that.

“We all knew as security professionals these vulnerabilities were there, but it wasn’t until the Snowden revelations that we discovered how breath-takingly sweeping the NSA was – it had just completely owned everything.

“The enormous depth and breadth of it – we didn’t think it was anything like that.

“It’s like if your house has a thick steel door. You might be thinking about making it thicker, but right beside it is a glass window and all you’ve got to do is break through that to get in.”

But, he adds, proudly: “If you look at Snowden’s documents they have a list of all the things the NSA has ever broken into – conspicuously absent was anything I’ve ever worked on.

"The NSA was spying on the American public on a mammoth scale, not just the meta data (the name, subject name and timing of e-mails), but the actual traffic. That’s the moral difference that is producing so many whistleblowers."

He warns: “For many years, I have lectured that Moore’s Law is a threat to privacy. The human population is not doubling every two years, but the ability for computers to keep track of us is.

“Moore’s Law is behind the cameras. There is facial recognition software behind that and Optical Character Recognition software that reads licence plates.”

Phil, who ironically says he seldom uses email, believes governments should not be 'interfering' with computer security because “it opens the door for bad guys to get into

“It’s like the police saying, ‘We don’t want you to have locks on your doors because it’s more difficult for us to come in.’ But we need the locks to keep out the criminals!

“Google had back doors on their servers for law enforcement purposes, but the Chinese used those same back doors to survey their dissidents.

“When you put back doors in they will be used by other people!”

‘Is there a perfect level of security? No, it’s an arms race!’
BENEATH THE SURFACE John McAfee | Creator of anti-virus software
The Underground Internet is a playground for hackers The percentage of the population that is tech savvy is higher than ever. Across the world grandmothers know how to tweet using their iPhones and they no longer make a funny face when told to “Google” something. Progress.
CYBERCRIME | BENEATH THE SURFACE

Our level of dependence on computer systems in business and industry is deeply ingrained. Computers are everywhere and they now power the infrastructure and processes that make everything function. The more we come to depend on these systems, the higher the stakes will be when someone tries to harm us by hacking them.

Behind the internet of networked computers that everyone sees and uses on a daily basis lies another, deeper realm that can be collectively termed the Underground Internet. This underground consists of the Deep Web and the Dark Web.

The Deep Web is the collection of information that is available on networked computers, but is not indexed by search engines and other typical data-retrieval tools.

The Dark Web consists of overlay networks that use the same infrastructure as the public web but require special tools and knowledge to access. Both lie beyond the casual reach of the typical Internet user.

The Underground Internet is a playground for hackers. It has troves of information that never were intended to be publicly shared that can be used to create havoc in the physical world. It also contains a wealth of information that can be used to gain even more sensitive data from private networks and computers – information that could fuel the most successful hacking attacks.

A look at the world’s worst hacks reveals a common pattern: these hacks were mostly not accomplished by using sophisticated hacking tools or brute force attacks on security mechanisms. Consider one of the worst attempts – the 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee that was fooled into clicking a bogus link sent in an email. This is social engineering.

Believe it or not, 90% of hacking is social engineering, and it is the human elements in your organisation that are going to determine how difficult, or how easy, it will be to hack you. We – the users – are the weakest link in the chain of computing trust, imperfect by nature. All of the security software and hardware in the world will not keep a door shut if an authorised user can be convinced to open it.

The good news is that there are patterns that we can look at and, in some cases, use to predict where the next attack may fall.

Experienced hackers don’t concern themselves much with your firewalls, anti-spyware software, anti-virus software or encryption technology. They want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated and whether your IT managers have stagnated in their training and self-improvement. They want to know what level of transparency exists within the corporation and how bloated your chain of command is. In short – they want to know how healthy and nimble your organisation is.

While any individual or organisation is susceptible to an attack at any time, hackers, like anyone else, will tend to go after the low-hanging fruit. Why go after a tightly-knit organisation of competent, satisfied professionals supported by a stable IT staff unless there is a tremendous and unique payoff promised? There would be greater risk involved and the chances of success would be low. Instead they will target an organisation with identified human and structural vulnerabilities.

To make this identification, hackers have traditionally turned to the Underground Internet. But recently it has started to become even easier, as the Underground Internet is beginning to spill over into the mainstream web. Shocking types of information that used to be available only for a price on the Dark Web can now be found using simple web searches or mobile apps and can be found by anyone. While some of this information may seem innocuous to the untrained eye, the fact is that much of it is manna falling from hacker heaven.

What this means is that protecting systems and networks against successful attacks just got harder, and will require us to take a good look at ourselves and our organisations. IT professionals are accustomed to securing hardware and software. But how well do you know the human side of your organisation? Is there information about your organisation out there, right now, migrating out of the Underground Internet to appear in simple web searches? Does this information make your organisation an attractive target?

Answering these questions honestly and taking the time to find out for ourselves what information is already available about us needs to become required best practice for IT security. We are accustomed to securing systems and networks against sophisticated teams of hackers. But information wants to be free; just like water it will flow freely once released from its container. Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organisation prepared?

‘The Underground Internet is beginning to spill over into the mainstream web’

‘Shocking types of information that used to be available only for a price on the Dark Web can now be found using simple web searches’

THE SECURITY KING

Internet security king John McAfee became a household name and enormously wealthy as his software businesses rocketed in the Eighties and Nineties.

John McAfee, 70, worked for NASA and Lockheed before developing the first anti-virus programme after discovering a copy of the ‘Brain’ virus. His fortune of $100 million (£67m) was built by giving away his software free, but charging for updates. He later moved to Belize in 2007 to develop natural antibiotics, but went on the run after being wanted for questioning over a murder of a neighbour. He has since moved back to the US and Belize authorities have seized his assets, but have not sought to pursue charges.
DON’T FORGET TO LOCK THE BACK DOOR!

THE FBI is demanding Apple unlock the security to an iPhone used by US terrorist Syed Farook, who murdered 14 and injured 22 in December 2015. US justice officials say it is a reasonable request to gain evidence from a single phone, but Apple boss Tim Cook is refusing, claiming the FBI is demanding “a master key” that could be used to unlock hundreds of millions of iPhones. Apple will fight the order to build a custom version of the company’s famous iOS software all the way to the Supreme Court, he says.

Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable. The Government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cyber criminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

Other top tech CEOs including Mark Zuckerberg of Facebook, Sundar Pichai of Google and Jack Dorsey of Twitter have supported Apple along with the American Civil Liberties Union. But Microsoft’s Bill Gates has sided with the US Government saying: “This is a specific case where the Government is asking for access to information. They are not asking for some general thing, they are asking for a particular case.”

Here John McAfee gives his view:

“It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our Government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.

“The US Government has ordered a disarmament of our already ancient cyber security and cyber defense systems, and it is asking us to take a walk into that near horizon where cyber war is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

“In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be one in the US Government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

“With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact. So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.”
HACKED OFF Lauri Love | Hacker
Hackers can turn off your pacemaker Lauri Love is a hacker. He is alleged to have infiltrated the websites of the United States Federal Reserve, NASA, the Environmental Protection Agency, the US Missile Defence Agency and accessed the personal information of 104,000 employees of the US Department of Energy. In June 2016 he faces a hearing which will decide whether he is extradited to the United States to face trial. The 30-year-old has Asperger’s and lives with his parents in Stradishall, Suffolk. Here, he warns that millions of us are sleepwalking towards a society where we can be spied on by our fridges and our toasters and where a teenage hacker could turn off your pacemaker for a prank. He argues the time has come for us to welcome hackers back into the mainstream of society and steer them on a course that makes the most of their talents.
Kids will always play pranks. In previous years the
records that racist conversation and
worst it might be was wrapping toilet roll around the
plays it to your boss. So there are risks
teacher’s house on Halloween. Now kids have the
emerging at a fast rate.
means to play pranks on a massive level.
So a 16-year-old kid somewhere around the
not possible yet, but give it a couple
world can find out the flight that the CEO of Sony
of years, and they will be. There are
Video Games is on and have that flight grounded
people already being spied on by their
because they make a bomb threat.
baby monitors. Somebody can get your
This might be good fun for them, but we
WiFi password from your doorbell
can’t live in a world where flights are arbitrarily grounded because kids think it’s funny.

We can’t really live in a world where Xbox Live or Playstation gets bombarded into not working on Christmas Day because some kid finds it

Eventually someone is going to think it’s funny to turn off the electricity in a hospital. While these systems have some resilience, the more connected, the more complex they get, eventually somebody’s idea of a joke is not going to be funny in a very tragic way.

We are getting to the point that we have an unsustainable situation in terms of internet security. We are addicted to the shiny things that technology allows us to do, things that were not possible before, things that are very alluring, but the risks are less transparent and they are often hidden.

So you can get a pacemaker, which you can control with software and that’s great, and it can adapt to the patient’s heart rate. But now somebody can turn it off. If they just take the time to read it and understand it and because somebody didn’t appreciate that you have to put in difficult, strong, robust security measures, somebody’s life has been put in the hands of one of these 15-year-old kids.

The more that technology infiltrates our world, the more this will go on. We have the Internet of Things where your toaster has a webserver on it. Your fridge will keep stock for you and order more beer when you need it. But the people who make fridges don’t know how to make secure software, and the people who make toasters aren’t paid to understand that attackers can turn that toaster into a spy that listens to your conversations and then informs your wife that you’re having an affair, or because someone decided your doorbell needs to be on the internet.

There is a twitter account which is full of examples of manufacturers taking an ordinary gadget that does a regular task and putting a computer in it, but not realising it now does a whole lot of other things that people might not want it to.

People are not always rational actors. Once something has been proven and there’s a big media storm over it, they will react and stop buying it. But the media can’t keep up with the number of insecure things that are happening. So there will be people in the street I live on now who will be using insecure software, but who just haven’t got the memo that it is insecure - that’s because the people who are actually interested in this stuff can’t convey the message to the entire world.

Some people I chat to on the internet have released advisories in the past year for products of several well-known brands, running on software that could enable people to take over your computer if the vendors made a mistake. But you probably won’t have heard about it unless you read the tech blogs - and again not everyone has the time to do that.

If a product has a major car crash then people will be hesitant to buy it (as with the cheating software in Volkswagen's cars) but for every product failure you hear about, there’s nine or 10
CYBERCRIME | HACKED OFF
Some of these things are

The concept of the hacker has attracted a lot of different connotations in recent years. It tends to bring up a lot of different associations in people’s minds. In the culture I’m in, it tends to be somebody who understands technology, likes technology and makes it do new things. Tim Berners Lee, who created the World Wide Web, was a hacker. But more recently, it also means a person who commits computer crime, which has more negative connotations.

I am a hacker. I like technology and I would like to use it to make the world a better place. I also believe there’s a lot to be done that could help bring many of our brightest and best kids back into society.

The first thing is for people in the Government to realise that you can’t prosecute your way out of this problem. Just like with the drugs problem, people thought ‘If you arrest enough people then they would stop using drugs’ and that didn’t work, although it has taken about 60 years for people to start realising this. Locking people up is not going to help them.

So we must change the attitudes of people who are drawn towards experimentation because of their curiosity. Most of what might be considered ‘illegal hacking’ is conducted without any criminal motive, any attempt to cheat or make malicious gain, but rather, it's the natural human desire and drive to understand the world in which we find ourselves.

These people could be drawn together in a way that gives them an environment to develop these skills so that they can be productively harnessed. (That’s not to say we should be drafting teenage hackers to work in GCHQ to keep us safe from the terrorists).

Obviously school provision is not sufficient and we could have more ‘hacker spaces’. I’d define these as a self-organised space, where people come together to work on different projects. It’s generally a space where the rent is paid for by the people who use it, or they will have some whip round.

The Government might even want to consider sponsoring these places, seeing them as an investment in talent. This means not just bringing up people who could go on to work in cyber security - but also in the sense that if you have a youth club you provide a place for children to congregate. If you close that youth club because of budget cuts, children are still going to congregate, but they’ll congregate in the park and they’ll drink cheap cider and they’ll have teen pregnancies and get into drug abuse.

So what you can do is facilitate a culture that drives people towards a certain relationship between their technological interest and their abilities and proficiencies. Some people are doing this a lot better than us, especially in the Nordic and Baltic States.

At the moment the Government is right to take an interest in culture and we have a Culture Secretary for that. But online culture has developed faster than the Government can react, because it is a large institution that takes time to

Individuals are simply a lot faster to respond to technological developments than any large monolithic entity - so the Government struggles, and I don’t know if they will get better at it.

Large corporations and private industry accept that people will mess around with their websites and find ways of hacking them. So they’ve come to the conclusion that if it is inevitable - they’ll pay the same people to protect them, which is easier them doing it than being hacked by some Eastern European cyber criminals.

So they come almost universally to a consensus behind models called ‘bug bounties.’ Right now, today, you can go and hack American Airlines for free Airmiles, or you can get several thousand dollars in hard cash from Facebook, or Google, or Yahoo for pointing out exactly, and clearly, where they screwed up.

Certainly we need to think about the next generation. This is something I’m exploring now. I’m working with a start-up called My Hacker House - the idea is to build a space for people that might be apprehensive or have difficulties getting employment or cyber security training in the formal sense because they might be too young, or have had run-ins with the law.

The idea is to give them a space to have their talents nurtured in a less judgemental environment but also with a bit of mentorship. On the other side of the equation it means working with corporations and government to say what can you bring to the table in terms of these young talented people, and what can they provide the Government in terms of security services.

There’s certainly a desperate need for help. Pretty much any large corporation realises it needs to spend money making things more secure, and it’s that bit between spending money and making things more secure that is difficult at the moment.

It requires some of this talent - and there’s a lot of talent out there - so we need to build bridges. We need to create that space where people can come together and overcome some of the mutual distrust and find a constructive way to move forward - this is how I aim to nurture future talent.

Without doubt we have great, great minds in the UK. They are at risk of not being harnessed because the traditional system by which people end up in particular roles in society hasn’t quite caught up with this change in society.

With luck we can harness these people because we need them - and we are facing great challenges. The internet itself is creaking and groaning and it needs to be almost redesigned from the ground up. The best analogy is that it’s quite easy to build a ship. But once you’re in a ship it is quite hard to redesign it when you’re in the ocean. It is the same with shoring up the internet so it can cope with the ever increasing burden that is going to be put on it by society.

We need these people and we need a system where they can reach their potential and avoid any friction in the process. We also need people not to be drawn into either serious financial crime or anti-social activities because they are the only people that take their gift seriously.

It’s a win-win situation if we build this better approach.

‘I am a hacker. I do like technology and I would like to use it to make the world a better place’
To Protect And Serve We’re safer than we’ve ever been Dan Jones | Consumer Editor, The Sun
Crime is one of our biggest fears - and that doesn’t change when we log onto our computer or smartphone. Thankfully, cybercrime rarely ends in physical harm. But it can mean losing the contents of our bank balance or our deepest secrets being spilled. But how likely is that? And are things getting better or worse?
While crime figures are only just accounting for the jump in cybercrime, it’s my view that online banking, shopping and communication are now safer than they have ever been. For example, so-called two-step authentication where you confirm a log in with a code sent to your mobile is a big help, and only a

More and more sites now encourage us to come up with complex passwords and change them often. Yes, it can be annoying. But we must think of protecting ourselves online in the same way we would in the real world. You wouldn’t leave your windows open when going on holiday.

As we all go online more or even for the first time - to buy our shopping, to bank or get car tax or travel insurance - the incentive for crooks grows so they are investing more and more in finding loopholes. It means there are more potential victims - and in particular targets who are likely to slip up on security.

The good news is that with better and better security, if you avoid simple passwords and make use of extra security measures you will be fine.

Sure, crooks could hack into the computers of a well-known company that has your email and password - as happened with eBay in 2014. They can then use these details to get into other accounts because many of us use the same login details across multiple accounts.

But there are two reasons not to worry overly. Firstly, big hacks are less and less likely since firms are quickly becoming aware that the reputational damage can be crippling, so have upped security. Second, if you follow the advice to have separate logins for all your accounts (which is admittedly annoying) then you avoid making yourself more vulnerable than you need to be.
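The two-step login the column describes (a code sent to your phone after the password), as an added Python example that is not from Dan Jones or any bank's software: it issues a one-time code and verifies it with the controls a defender wants on that second step. The five-minute lifetime, the five-attempt cap and the challenge object are this example's own assumptions.

```python
import hmac
import secrets
import time

# Assumed limits for this example (not from the article).
CODE_TTL_SECONDS = 300   # a code texted to a phone should only be accepted briefly
MAX_ATTEMPTS = 5         # six digits are guessable online unless attempts are capped


class OtpChallenge:
    """One pending second-step challenge, created only after the password check passed."""

    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False


def issue_code(now=None):
    """Generate a six-digit code with the OS CSPRNG; the caller sends it by SMS."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return OtpChallenge(code, now)


def verify_code(challenge, submitted, now=None):
    """Return (ok, reason). Rejects reused, expired, over-tried and wrong codes.

    The comparison is constant-time so response timing does not leak which
    digits were right; a correct code is consumed so it cannot be replayed."""
    now = time.time() if now is None else now
    if challenge.used:
        return False, "already-used"
    if now - challenge.issued_at > CODE_TTL_SECONDS:
        return False, "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return False, "too-many-attempts"
    challenge.attempts += 1
    if hmac.compare_digest(challenge.code, str(submitted)):
        challenge.used = True
        return True, "ok"
    return False, "wrong-code"


if __name__ == "__main__":
    pending = issue_code()
    print("code sent to phone:", pending.code)
    print(verify_code(pending, pending.code))   # (True, 'ok')
    print(verify_code(pending, pending.code))   # (False, 'already-used')
```

The challenge is tied to one login attempt, so a code captured later is worthless once it has been used or has expired, and the attempt cap stops an attacker from simply trying all million values.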
CYBERCRIME | TO PROTECT AND SERVE
WHAT’S THE CATCH? Emma Watson | Vishing Scam Victim
Vishing and smishing scams
Sophisticated criminals have a host of ways of scamming consumers out of their hard-won finances once they have a few basic details, including 'vishing' (voice phishing) and 'smishing' (SMS phishing). Nursery owner Emma Watson became a victim when she was conned out of £104,000 last June after being duped by an official sounding call from the ‘NatWest fraud team.’ Emma, from Wandsworth, London, had recently received a large sum into her account - but was persuaded to switch money into new accounts in her own name by a fraudster.
Although the bulk of the money was sent to the accounts of other NatWest customers, Emma and her husband Alexander were later told they stand to only get a fraction of the money back, unless they take legal action against the receiving banks. Police admit the twin scams of extorting money by 'vishing' (voice phishing over the phone) and 'smishing' (SMS phishing over text message) are rapidly increasing, while the number of stolen or fictitious bank accounts opening doubled to 23,000 last year, according to fraud prevention bureau Cifas.

“When the call came, it sounded so genuine,” Emma says. “It was my landline, which is a number I rarely give out. The woman I spoke to said: ‘This is the fraud team at NatWest, I’m very sorry to say we have detected some unusual activity on your account.’

“She knew my name and that I banked with NatWest and told me her name was Angela. She gave me the impression she was looking at my account information in front of her. It was the exact patter you would expect from a bank call. She had a slight Scottish accent just like a NatWest call centre person would. There was none of those crackly lines and fumbling around.

“She asked me if I had recently shopped at Argos and Tesco and I said ‘No, I haven’t’ and she said: ‘Yes, I can see that you don’t usually shop there.’

“She said the bank had been alerted to some attempted payments saying somebody had made three separate attempts to take money from my account - first £1,000, then £600 and finally £400 - but none of the transactions had gone through.

“It was very convincing. It was so professional I thought later that it sounded like somebody who genuinely had been working in that role for a bank. They must have studied it in minute detail.

“'Angela' went through my accounts and she asked if I had any joint accounts. I thought she had access to one, but wasn’t seeing the others. When I told her I did, she wanted to call my father too who shares an account with me to let him know. So I gave her his number and she rang him on a withheld number.

“When she got through, he told her he didn’t take calls from numbers he didn’t know, so she told him to look at the back of his bank card and she would call back on that - the bank’s number - which she did.

“She called me back after the conversation and said to me, 'What a lovely man.'

“'Angela' told me there had been some computer fraud on my account and she would be sending out a new anti-virus CD with software that the banks themselves use, so I shouldn’t have any more trouble.

“She warned me that because the fraudsters had my account details, I would need to move my funds. She said: ‘I’ll call you back in 10 minutes, I’m just setting up your temporary accounts.’

“On that day, a Friday, I moved some money across, and also on the Saturday and on the Monday morning. I did say to her at the time: ‘Why can’t the bank just do this - why do I have to make all these transfers?’

“But she told me the bank couldn’t make a single transfer until the sum got down to a

“I was under a bit of pressure with my business and everything else I was doing at the time and I kept saying: ‘Isn’t there another way, because I’ve got all these calls every hour or so and I’ve just got so much to do,’ and she reassured me that they would be able to complete the rest of the transfer on Monday.

“So I transferred the money at £15,000 and £20,000 at a time. It was deposited into about six or seven accounts, but because they were all in my name, I didn’t think there was anything wrong. It was only later I discovered that the name of the account makes no difference when the bank is making a transfer. If it wasn’t in my name I would have asked a few more questions.

“I had a card reader and I put in a new payee, which was in my name - as each account had already been set up. They were fast-track payments - you put in your name, the account number it’s going to, and you confirm that with a card reader and authorise it.

“Obviously, I now know that when she called back to say ‘We’ve set the account up so you can transfer the money in now’ they were just queuing up people to get ready to take it out, so as soon as that money was transferred, they were at the other end taking it out in Euros or Thomas Cook money orders for several hundred pounds at a time and the accounts were really in the name of financial mules, who will move money around, but often don’t want to help the

“It was only on the Tuesday morning that the penny really began to drop. Angela rang again, only this time, she just said: 'It’s me' and she even yawned.

“I thought: Oh gosh, that doesn’t sound very professional and that’s when I called my father and said ‘Can you just get hold of the bank manager and make sure Angela is who she says she is - because she sounds slightly unprofessional?’ But I still didn’t think she was a fraudster.

“Then that morning when I was meeting up with the architect to talk about the plans for the nursery, he

‘I thought later that it sounded like somebody who genuinely had been working in that role for a bank’

CYBERCRIME | WHAT’S THE CATCH?
told me he’d been listening to a radio programme over the weekend about fraud. When I told him what had happened, he said: ‘No, that’s not the bank stopping the fraud, that call was the fraud.’”

Emma’s father quickly made 11 frantic phone calls to bank call centres and numbers without being transferred to a fraud specialist or even confirmed if there had been a fraud, although on the first call he was told the money was secure and it wasn’t a fraud.

“We had been trying to get to the bank all morning and they had been giving us conflicting advice. Strangely the fraudster I had been speaking to sounded more professional than the actual NatWest staff I was now trying to speak to.

“It was shortly after that we went straight to our local branch in Esher and the manager confirmed there had been a fraud and told us, ‘you won’t get your money back.’

“That was the worst point. It was sickening. But I still thought, it can be traced - it’s in my name, it can’t just go. There had been nine transfers in total - all NatWest and RBS accounts and one to Santander.

“We still had hope and we spoke to our business manager in our bank in Bury St Edmunds, which is where I’ve banked for 40 years and we were given the advice from the manager that ‘if we can prove it was a fraud and if the receiving banks agree, then you will get your money back.’

“We thought we could easily prove that, but it turned out that we were wrong. We wrote to the bank managers and the fraud teams of all the receiving banks that the police informed us of, but did not receive any letter of response from any of them.

“We were totally stonewalled by the banks. Finally we got through to a very senior executive at RBS, the owners of NatWest, but he didn’t have all the right facts and there was clearly no proper file on our case.

“The bank also failed to supply on request to the Ombudsman all the recordings of our telephone calls, which we believe would have showed the varying advice they gave to us.

“Having shared our story with the BBC Moneybox Program they followed up with the bank’s press office and it led to the full recordings of the calls being provided.

“NatWest has since agreed to pay us £16,000 because it didn’t act fast enough when we first alerted them. Meanwhile the Ombudsman has told the banks that they should repay a further £15,000, but we want to get the whole amount returned. We believe the bank is holding out because the issue of the names being checked on transfers is a security failure and they would have to pay out too much money to put it right.

“The banks also say verification of account holders' names would never happen, because they just want fast payments - fast movement of money.

“I certainly thought if the name didn’t come up as being the same as the account payee it would have to match, but it didn’t. The name has no bearing on the transfer at all. They ignore it.

“That money represented years of saving and our house, which we had taken money out of.

“Thankfully,” Emma says, she has still been able to set up her nursery - Sapphires - in East Molesey, Surrey after opening a crowdfunding page.

“It wouldn’t have been possible if it wasn’t for the generosity of people around us. It was a long-standing plan to set up a nursery,” Emma, whose husband is a marketing executive, adds. “I’ve been looking for premises for around three years and everything went into it. It managed to happen because of the support of everyone around us.

“I think it will take us about five years to pay it back - hopefully less - but it certainly has shaken my faith in human nature.

“I will also always be curious how they knew my bank, my name and phone number and how there was money in my account in the first place.

“I don’t know how many people have been hit by this kind of scam.

“But I have since heard that several City law firms have been hit for millions in money transfer scams, and now transfer £1 first, so the account can be checked before large payments are made.”

NatWest Chief Executive Ross McEwan later wrote to the couple to apologise and admit to a delay in the bank’s response. The bank has refused to say why it took longer than expected to stop the fraud, but pointed out Emma had transferred most of the money by her own free will, meaning the bank had no liability.

‘I will also always be curious how they knew my bank, my name and phone number’

VISHING AND SMISHING

Vishing is an abbreviation of voice phishing. It cons householders into handing over their bank or card details over the phone. Smishing - short for SMS phishing - is a similar scam worked by text messages. They often combine several common factors.

KEY DETAILS - The conmen and women have hacked or discovered enough to lead you to believe they are looking at your bank account. This is likely to include your name, address, phone number and bank details - just as a genuine call would have.

WAR DIALLER - This is a computer program that can be used to dial all the numbers in a locality or area or in a single institution. It is commonly used by both hackers and scammers. Sometimes they will use a text or speech synthesizer to warn of fraud on a bank card, before keying in your details on a phone keypad.

REQUESTS FOR QUICK ACTION - Fraudsters press upon a need for fast action, which can lead to some people not fully questioning their actions.

CALLER ID SPOOFING - Conmen can disguise or change their phone number to make you believe they are calling from an official organisation by using computer-aided Voice Over IP techniques.

HOLDING THE LINE - If you hang up, they can keep the line open. This way [...] urging you to call a spoofed number and you are actually dialling straight back to the fraudster, while background or call centre noises can be faked.
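Emma says the payee name "has no bearing on the transfer at all", and that some firms now "transfer £1 first, so the account can be checked". As an added Python example that is not from the article or any bank's system, here is what such a payee-name check and probe-first release look like on the sending side. The account directory, sort codes, account numbers and names are constructed for the example.

```python
import re
import unicodedata

# Constructed sample directory, as a receiving bank might hold it, keyed by
# (sort code, account number). None of these are real accounts.
ACCOUNT_HOLDERS = {
    ("60-00-01", "12345678"): "Emma Watson",          # genuine account in the sender's own name
    ("60-00-01", "87654321"): "J. Smith",              # a stranger's account, as used by a mule
    ("60-00-02", "11112222"): "EMMA  WATSON-BROWN",    # similar name, different person
}


def normalise(name):
    """Lower-case, strip accents and punctuation and collapse spaces, so that
    'EMMA  WATSON' equals 'Emma Watson' but 'Emma Watson-Brown' does not."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(name.split())


def confirm_payee(entered_name, sort_code, account_number):
    """Return 'match', 'mismatch' or 'unknown' for a new payee before money moves.
    A mismatch is the moment to stop and show the sender what is really on record."""
    holder = ACCOUNT_HOLDERS.get((sort_code, account_number))
    if holder is None:
        return "unknown"
    return "match" if normalise(entered_name) == normalise(holder) else "mismatch"


def release_transfer(entered_name, sort_code, account_number, amount, probe=1.00):
    """Model the 'send £1 first' practice: the full amount is released only when the
    payee name confirms; otherwise just the probe goes out and the rest is held."""
    result = confirm_payee(entered_name, sort_code, account_number)
    if result == "match":
        return {"released": amount, "held": 0.0, "reason": "name matches account holder"}
    return {"released": probe, "held": amount - probe, "reason": result}


if __name__ == "__main__":
    # The scam's pattern: the sender types her own name against someone else's account.
    print(release_transfer("Emma Watson", "60-00-01", "87654321", 15000.0))
```

In Emma's account of the fraud, every one of the nine transfers would have returned "mismatch" at the first step, because the accounts belonged to other people; the fast-payment flow she describes simply never asked.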
Mum’s The Word Tony Neate | CEO, Get Safe Online - Interview with Ben Jackson
I’m like the Queen – I have two dates of birth Tony Neate is the Chief Executive Officer of Get Safe Online - the UK’s leading source of unbiased information on online fraud, viruses and identity theft. After a 30-year career in policing, including leading the fight against crime with the Hi-Tech Crime Unit and the Serious Organised Crime Agency, he reveals why he never puts anything online he wouldn’t tell his mother and why we shouldn’t fear a ‘fib’ on social media questionnaires. Are people too open online?
Many people are very free online and in social media sites - they put everything on there. "Hello my name is Tony Neate - this is where I live, this is my place of birth, this is a picture of me drunk in the gutter, oh and by the way I hate my bosses, and these are the people I speak to." We put it out there.

Your first rule online should be, if you wouldn’t say it to your mother, or a policeman, don’t say it online. That’s the way it’s got to be. We’ve got to watch what we say to other people and we’ve certainly got to watch our photographs. My mantra, especially when I talk to kids about this issue, is "What goes online, stays online."

They need to know that if they go for a job with the police and even some big businesses now - they will ask you to sign a form to get permission to look through all your social media first. So you need to be careful what you do and be careful what you say online, because we build up a history of ourselves.

Take the example of Paris Brown. Paris was the UK’s first youth and crime commissioner. She was 18 and was going to start work on the Monday. Then the press got hold of her social media and found things she had said when she was 14 and all of a sudden she hadn’t got a job. (Her twitter account where she posted more than 4,000 messages, included references calling homosexuals ‘fags’, immigrants ‘illegals’ and travellers ‘pikeys’, and included a tweet saying: “I really wanna make a batch of hash brownies.”)

How do you go about keeping your details private on social media?

I’m like the Queen. I have two dates of birth. My real date and then the date of birth I use online. I don’t want to use the word ‘lie’ because it’s not a lie exactly, but in the same way, when I’m asked to give my mother’s maiden name, I don’t. I always give the same name, but it’s not my mother’s maiden name because that can be discovered. You can go to ancestry.com and you can find that out.

British people are very obedient, so when there’s a form that says: ‘Where do you live,’ ‘What’s your date of birth?’ ‘What are your hobbies?’, we fill it out. But we certainly don’t have to. Certainly on social media sites, we don’t have to be as truthful as we would be otherwise.

How should parents deal with that issue?

We should talk about security together. When my children were young I got them bikes. They each had a helmet, they had lights that worked and brakes that were tested. Now, in the same way, we should sit down with our children and go through their computer security. Show them what you’re doing and it might be that they know what to do better than you.

‘What goes online, stays online’

Are our problems with cyber security getting bigger?

Probably, yes. If everybody did the right thing and put the right security on their computers two or three years ago we would hardly have anything. But now we have the social engineering, the telephone calls, the emails purporting to be from someone, the spear phishing that targets individuals. Previously you might have received a phishing email, saying 'Dear Client, Dear Sir, Dear Customer', but now it’s more likely to start ‘Dear Tony.’

What about the security of firms we give our

Absolutely. We should also be secure in our networks. It should be built-in at source security. It’s not an add on. When Microsoft first looked at their operating system - eight or nine years ago - they took every one of their developers offline for two weeks and gave them training in secure code, because it’s what they had to do. That’s a lesson everyone should be making.

I’ve been banging the drum for 15 years about people being more secure online, saying: “Look after your passwords, secure your internet,” but then sometimes companies give it all away.

When I was in the National Hi-Tech Crime Unit where I was head of industry liaison, I discovered some of the most secure companies were porn and gambling, because if they lost personal data that was it for them. I saw that if they lost data, they wouldn’t sack someone. They would employ three more people to work with them. That was their attitude, security was the be-all and end-all for everything that they did. That’s the attitude we have to have for everything we do and every industry has got to do it as well.

We haven’t reached that stage yet. We say to some of these companies that they have got to use Get Safe Online. They have got to use a trusted independent organisation with integrity that is going to tell them the truth.

Have consumers woken up to the threat of cybercrime?

Certainly individually and as companies, people have to start taking it more seriously. More and more people are going online. Around 1.5 trillion will be spent online this year
CYBERCRIME | MUM’S THE WORD
and three billion people will be online by the beginning of this year.

It’s what the gangster said in America when he was asked why he robbed banks “Because that’s where the money is,” and that’s what’s happening online – from opportunists all the way up to serious crime. We still have people who break into houses. People still break into cars. Crime is crime. People will keep doing it - and we’ve got to make it harder for them.

Is the Internet something to fear?

We have to be one step ahead of the criminals and not one step behind. We’ve achieved that to date and the reason is that we all still go online.

If every time you went online you were defrauded, you were bullied or you were scammed, you wouldn’t do it anymore. When you park your car at a certain carpark and every time you park there it gets broken into, you stop parking your car there.

The internet’s a fantastic place, it’s great and we’ve all got to be on it, so let’s make ourselves secure!

TONY’S ‘GET SAFE ONLINE’ TIPS TO STAYING ONE STEP AHEAD
You’ve got a number of keys and you need a number of passwords. My advice is: “Write down the clue to your password in a notebook. I used to use my uncle’s dog’s name and my clue was ‘Uncle Brian’s dog’. Uncle Brian died 10 years ago and his dog died 20 years ago. So if anyone can work out who Uncle Brian was, never mind who his dog was, then good on them. That’s the type of thing we’ve got to do.”

A password phrase is great if the website allows you to do phrasing, but if the site only allows you 10 characters, you can always pick a phrase you know - like ‘Tramps like us, baby we were born to run’ and take the first character from each word to get ‘tlu,bwwbtr’. You could also consider using a password creator, like: https://identitysafe.norton.com/password-generator.
Avoid substituting obvious numbers for letters, like a 3 for an e, as criminals are wise to it, or ending your password with the numbers 1-10 or the months of the year when you have to change them regularly - if someone already has the first 99% of the password, it’s not difficult to get the rest.
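The first-letter method and the weak habits warned against above, as an added Python example that is not from the article or from Get Safe Online: one function derives ‘tlu,bwwbtr’ from the Springsteen line, the other reports the patterns a guessing tool undoes first (digit-for-letter substitutions hiding a dictionary word, a trailing counter or month name). The word list, the substitution table and the ten-character floor are this example's own assumptions.

```python
import re

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Substitutions that password-guessing tools reverse before trying a word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Constructed mini word list; a real checker would load a large dictionary.
WORDLIST = {"password", "tramps", "summer", "welcome", "letmein"}


def phrase_to_password(phrase):
    """Tony's method: 'Tramps like us, baby we were born to run' -> 'tlu,bwwbtr'.
    Each word contributes its first letter, plus any punctuation stuck to the word."""
    out = []
    for word in phrase.split():
        out.append(word[0].lower())
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


def weaknesses(password):
    """Return the problems the tips describe; an empty list means none were found."""
    problems = []
    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered.translate(LEET))   # undo 3-for-e and friends
    if core in WORDLIST or any(w in core for w in WORDLIST if len(w) >= 5):
        problems.append("dictionary word, even after undoing number-for-letter substitutions")
    if re.search(r"(?:^|\D)(?:10|[1-9])$", lowered):
        problems.append("ends with a counter 1-10, predictable on forced rotation")
    if re.search(r"(?:" + "|".join(MONTHS) + r")$", lowered):
        problems.append("ends with a month name, predictable on forced rotation")
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    return problems


if __name__ == "__main__":
    derived = phrase_to_password("Tramps like us, baby we were born to run")
    print(derived, weaknesses(derived))          # tlu,bwwbtr []
    print(weaknesses("P@55w0rd1"))               # three problems reported
```

The point of the substitution reversal is the one the tips make: after mapping `@`, `5` and `0` back to letters, `P@55w0rd1` is just "password" with a counter, which is where an attacker who already has "99% of the password" starts.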
PASSWORD SAFES

I use a combination of two or three really tough passwords and a password safe. But you’ve got to remember the master password. It’s like losing blood when you’ve lost that password – because it’s like losing everything else. You need to make sure the password is safe and is from an accepted and trusted source - but remember nothing is 100% in this world.
SECURE WEBSITES

There are two easy ways to check a website is secure before entering your password or credit card details. The web address ends with ‘https:’ the ‘s’ at the end stands for secure - meaning extra encryption for communication between computers has been added. A padlock symbol is visible at the side of the browser window when you log in or register. If the padlock is on the page itself, this is probably a fraudulent site. Make sure you also check for misspellings, additional words or unusual website addresses, which may be a clue to a fake site.

Avoid ‘pharming’ by checking the address in your browser’s address bar after you arrive at a website to make sure it matches the address you typed. This will avoid ending up at a fake site even though you entered the address for the authentic one – for example ‘eebay’ instead of ‘ebay’.
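The pharming check just described, as an added Python example that is not from the article: compare the address you typed with where the browser ended up, insist on https, and flag a near-miss of a site you know, such as ‘eebay’ for ‘ebay’, or a known brand name buried inside an unrelated domain. The known-host list, the two-edit threshold and the www.brand.tld shape assumed for those hosts are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed for this example: the sites the user actually intends to visit.
# Real code would draw on the user's own bookmarks or a maintained brand list.
KNOWN_HOSTS = {"www.ebay.co.uk", "www.natwest.com", "www.getsafeonline.org"}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host):
    """'www.ebay.co.uk' -> 'ebay'. Assumes the known list uses the www.brand.tld shape."""
    labels = host.split(".")
    return labels[1] if labels[0] == "www" and len(labels) > 1 else labels[0]


def nearest_known(host):
    """Return the known host this one imitates, or None if it is known or unrelated.
    Two signals: within two edits of a known host, or a known brand name used as a
    label inside some other domain (ebay.login-check.example)."""
    host = (host or "").lower()
    if host in KNOWN_HOSTS:
        return None
    for known in KNOWN_HOSTS:
        if edit_distance(host, known) <= 2:
            return known
        if brand_label(known) in host.split("."):
            return known
    return None


def check_landing(typed_url, landed_url):
    """Compare what the user typed with where the browser ended up after redirects.
    Returns warnings; an empty list means https and the same host as typed."""
    if "://" not in typed_url:
        typed_url = "https://" + typed_url
    typed, landed = urlsplit(typed_url), urlsplit(landed_url)
    warnings = []
    if landed.scheme != "https":
        warnings.append("not https")
    if landed.hostname != typed.hostname:
        warnings.append(f"landed on {landed.hostname}, not {typed.hostname}")
    lookalike = nearest_known(landed.hostname)
    if lookalike:
        warnings.append(f"{landed.hostname} looks like {lookalike}")
    return warnings


if __name__ == "__main__":
    print(check_landing("www.ebay.co.uk", "https://www.ebay.co.uk/signin"))    # []
    print(check_landing("www.ebay.co.uk", "https://www.eebay.co.uk/signin"))   # two warnings
```

The host comparison is the part the tips ask you to do by eye; the edit-distance test catches the one-letter substitutions that are easy to miss when reading an address bar.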
Website owners often have a digital certificate that has been issued by a trusted third party, such as VeriSign or Thawte, which indicates that the information transmitted online from that website has been encrypted and protected from being intercepted and stolen by third parties. When using websites that you do not know, look for an Extended Validation (or EV-SSL) certificate. Clicking the padlock symbol in the browser frame will launch a pop-up containing the details.

It is more and more common for criminals to use spyware called a RAT (otherwise known as a remote access trojan). This can allow your computer or mobile device to be used to spy on you. This is known as ratting. A RAT can be downloaded with an email attachment, but won’t show up in your lists of programs. They can take control of your webcam and use the video they take for blackmail or other purposes. So it's wise to download updates to your programs and apps when prompted to do so, because they often include security

Take great care about which links you click on to and which emails you open even from people that you know - and cover your webcam when not in use, whether it is a built-in or clip-on device.
Ensure you have effective and updated
Scam emails often pretend
to come from banks, credit card companies, online shops and other trusted
antivirus and antispyware software and a firewall,
organisations. They try to trick you into
particularly for Microsoft and Android phones, and
going to the site, for example to update
remember if you’re not using a secure web page, don’t
your password to avoid your account
send or receive private information on public WiFi.
being suspended. The embedded link
Business people wishing to access their corporate
in the email itself goes to a website that
network should use a secure, encrypted Virtual
looks exactly like the real thing but is
Private Network (VPN).
actually a fake designed to trick victims into entering personal information. Most
Contactless fraud is still at a low level. It uses
Microsoft and other email clients come with spam filtering as standard. Ensure
something called Near Field Communication. If your
yours is switched on. You can also allow
phone uses this technology make sure it is locked by a
filters to be set to allow emails to be
PIN, which you should change regularly. Always check
received from trusted sources.
your bank statements to ensure payments have not been taken from your account and ask your bank who
CYBERCRIME | MUM’S THE WORD
holds liability in the event of an incorrect payment. For the really determined, you can use foil, or special card sleeves, to protect the cards in your wallet.
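The phishing advice above turns on one mechanical fact: the link text says one thing and the link itself goes somewhere else. The following Python script is an added illustration of how a mail filter can check for exactly that; it is not code from Get Safe Online or from this article. It assumes a constructed sample email, an invented look-alike domain under the reserved .example top-level domain, and a crude "last two labels" approximation of the registrable domain in place of a real public suffix list.

```python
"""Flag deceptive links in an HTML email body.

Added example (not from the article). It reports anchors whose visible
text names one site while the href points to another, anchors that go
to a raw IP address, and anchors that leave the claimed sender's domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname written out in link text, e.g. "www.examplebank.com/login".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Return the lower-cased web host of a URL, or '' if it has none."""
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return ""  # mailto:, tel: and similar have no web host to judge
    if not parsed.scheme:
        parsed = urlparse("http://" + url)  # bare "www.site.com/path"
    return (parsed.hostname or "").lower()


def registrable(host):
    """Assumption: last two labels approximate the registrable domain
    (a real filter would consult the public suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html, claimed_sender_domain):
    """Return [(href, text, [reasons])] for every link that looks deceptive."""
    parser = LinkExtractor()
    parser.feed(html)
    sender = registrable(claimed_sender_domain.lower())
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue  # relative links and mailto: carry no host to compare
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("link goes to a raw IP address")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1).lower()) != registrable(host):
            reasons.append(f"text names {shown.group(1)} but link goes to {host}")
        if registrable(host) != sender:
            reasons.append(f"link host {host} is not under {claimed_sender_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one genuine link, one look-alike host, one raw IP.
SAMPLE_HTML = """
<p>Your account will be suspended unless you update your password.</p>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://examplebank.com.account-verify.example/login">www.examplebank.com/login</a>
<a href="http://192.0.2.10/update">Verify now</a>
<a href="mailto:help@examplebank.com">Contact us</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, "examplebank.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run on the constructed sample, the script passes the genuine help-centre link and the mailto: link, and flags the look-alike host (twice: the visible text disagrees with the destination, and the destination is outside the sender's domain) and the raw-IP link. The same checks are cheap enough to run on every inbound message, which is what the spam filters mentioned in the article do behind the "switch it on" button.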
THE ALPHA THREAT Glossary of terms

AS4808: A Chinese network associated with major spying campaigns, including breaking into 1,000 Hotmail accounts.

Blackshades: Malicious software used by hackers to control computers remotely, including accessing the webcam and logging keyboard strokes. It targets Windows-based operating systems. US officials say over 500,000 computer systems have been infected worldwide with the software, which was being sold for $40. The FBI arrested 100 people who had downloaded the virus in 2014.

Brute force attack: A brute force attack is an automated search for every possible password to a system. It is an inefficient method of hacking compared to others like phishing. It’s usually used when there is no alternative. The process can be made shorter by focusing the attack on password elements likely to be used by a specific system.

Clone phishing: The modification of an existing, legitimate email with a false link to trick the recipient into providing personal information.

Denial of service attack (DoS): Used to take a website out of action. The attack sends so many content requests to the site that the server overloads. Some have described such attacks as the Internet equivalent of street protests and some groups, such as Anonymous, frequently use it as a protest tool.

Distributed denial of service attack (DDoS): A DoS using a number of

Doxing: Discovering and publishing the identity of an otherwise anonymous Internet user by tracing their publicly available online accounts, metadata, and documents like emails.

CYBERCRIME | THE ALPHA THREAT

E-crime Virus: A bogus email purporting to be from the Metropolitan police or US Department that states: “This computer has been locked due to illegal activity” before demanding a ransom.

Firewalls: Personal firewalls - sometimes known as ‘software firewalls’ or ‘desktop firewalls’.

Grey hat hacker: Someone who breaks the law in the pursuit of a hack, but does not do so maliciously or for personal gain.

Hacktivist: A hacker whose goals are social or political.

IRC: Internet relay chat, a protocol used by hackers for one-on-one conversations to communicate or share files.

Jurisdiction: What makes cybercrime detection so hard to enforce.

KVM: A keyboard video mouse. A gadget which fits into the back of a bank's cash machine to allow a thief to transfer cash from its computer systems while he sits

Logic Bombs: A device, virus, or programme designed to cause damage at a time of the attacker's choosing.

Malware: A software program designed to hijack, damage, or steal information from a device or system. Examples include spyware, adware, rootkits, viruses and keyloggers. The software can be delivered in a number of ways, from decoy websites and spam to USB drives.

Near Field Communication: Otherwise known as contactless payment. Works by means of a wireless chip containing the user’s payment card details, embedded in a mobile phone or on a payment card.

Offences: Cybercrime can be defined as offences committed against individuals or groups with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm or loss to the victim, using modern telecommunication networks such as the Internet (chat rooms, emails, notice boards and groups) or mobile phones.

Paste Bin: The first sign of an online service being compromised is often when attackers publish part or all of the hacked data on this site.

Pharming: Ending up at a fake site even though you entered the address for the

Quarantine: Where anti-virus software stores a virus.

Ratting: Remote Access Trojans (RATs) are usually invisibly downloaded with a program requested by you – for example a game – or an email attachment. They are often used to take control of webcams with the objective of the resulting video or images being used for blackmail or inappropriate uses.

Script kiddie: A would-be cracker without technical skills. Script kiddies use purchased or downloaded cracking tools to attack systems and deface them, often just to appear cool to their friends.

Social engineering: Conning people into giving you confidential information, such as passwords to their accounts.

Spoofing: Altering the header of an email so that it appears to come from elsewhere - like a bank.

Trojan: A Trojan is a type of malware that is disguised as a desirable piece of software and usually installs a back door in the infected machine.

United States Cyber Command: Synchronises defence of US military networks.

Vishing: Voice phishing - fraudulently obtaining personal details by phone, often having already hacked or intercepted personal information.

Whaling: Spear-phishing that targets the big fish in companies for higher gains or to cause maximum embarrassment.

Waking Shark: Bank of England investigation into the cyber security of Britain’s banks.

Xbox and Playstation networks were both taken offline in attacks by a group of hackers called Lizard Squad - who included a 13-year-old.

Yakuza: Cybercrime is becoming a major source of revenue for the world’s top 5 crime gangs - Solntsevskaya Bratva (the Russian Mafia), Yamaguchi Gumi (Yakuza), Camorra (Naples-based mafia), ’Ndrangheta (Calabria-based mafia) and the Sinaloa Cartel, Mexico’s largest drug cartel.

Zero day exploit: A zero day attack is a previously unknown vulnerability in a system. It is the first such exploitation of a weak spot by a hacker.