We recently interviewed Misha Glenny, journalist and author of DarkMarket: How Hackers Became the New Mafia. His 2011 book explores the world of organized crime on the internet, including spearphising, carding, hacking, and how the UK government is responding to this phenomenon. In the interview, our Communications Manager, Kate Dinnison, asks him to discuss his own personal cyber hygiene, trends in cyber security today, and how technology is aiding traditional organised criminals.
Dinnison: After doing research for Dark Market, what personal cyber security practices do you now find important?
Glenny: There are very basic things to do. I still have an antivirus program as standard, even though I use a Mac. Increasingly I use a VPN as well. But the most important I think for me is approach to email. Two things: the first one is simply that I don’t consider email to be a private form of communication. I consider it a public form of communication and so I am polite, courteous, and above all else I don’t put anything sensitive in there. This is the big lesson from Podesta and the DNC hacks. Everyone’s going on about how it was appalling they were hacked. And what’s really appalling is that they are sending sensitive material over email. If anyone has got that message after the Sony hack of 2014, then they shouldn’t really be using a computer. The second thing about emails is that you have to know how to read your messages. And that means being able to read a header. That means automatically being able to detect the type of language that is being used and is that language appropriate to the type of person that is sending it to you. And if there are any links and if they’re disguised links, run your cursor over it and see what that link really is. If you have any doubt about it, you just don’t go for it for attachments or links. There are some things you cannot avoid. You should have within your antivirus software a browser scanner built in as well so that anything that looks at all dodgy is blocked by your antivirus programme or that they at least ask you if you want to the site or not.
And those are the major things that I do. Because I am a member of a family I make sure that everyone else is also taking some of these security measures. Because you can be as careful as you like but if you get a bug on your network then you’re vulnerable. And also I change passwords on routers so it’s not the default password. Another thing I do is I use a master password, basically a password accumulator so that I don’t have to worry about that. Now there are problems with those programs. For logins that are not important, where you’re not storing personal data, where you’re not storing debit or credit card data, where there’s nothing sensitive, you can then use ’password’ or ‘123456’ or whatever it is you want as an easy password provided you don’t use that password on any sensitive things. I suggest basic domestic hygiene really.
Dinnison: I imagine the same as in a family, the same goes for when you’re operating in a business environment. Everyone must practice these security measures.
When it comes to corporate, it’s very different. There you need active engagement from the Infosec department and the risk management department. Some companies will have a fraud department and above all else you need the board to be fully engaged with it. If the board is not fully engaged, then what usually happens is that InfoSec and IT security are unable to spread a culture of appropriate cyber hygiene through the company and that means you’re riddled with potential vulnerabilities. I keep track of various surveys that are made of IT security and board members on what their engagement with cyber security is. And what we see, even now, in 2017, we still see something the range of 50% of CEOs and other board members not engaged with the issue of cyber. This means you don’t get the vertical and horizontal communication that you need in organizations. These are corporations that have the type of money to invest in this. You have other things like government institutions but also NGOs and charities are extremely vulnerable because they don’t have the cash to put in any digital solutions and often don’t understand the culture required that all employees or members should be working with.
Dinnison: That was the excuse of the DNC.
Glenny: It’s not an excuse, it’s a failure. It’s a complete management failure.
Dinnison: The industrialization of cybercrime poses a big challenge to not only individuals but law enforcement. You illustrate this in your book through different case studies. After interviewing these subjects for DarkMarket are there any simple policy suggestions you would pass on to the UK government?
There are a number of things. You have a problem that arises from the development of secondary markets and off the shelf malware. This means that because you can either buy malware to deploy or you can hire out botnets to launch DDOs attacks. Or you can request a team of hackers to create your own botnet, which is becoming particularly dramatic with the Internet of Things. What this means is that the government really needs to step up. Here in the UK I suspect the National Centre for Cybersecurity in Victoria, which is an offshoot of GCHQ, could be a very useful thing. Britain has been pretty advanced in terms of coordinating government, business and the public sector in terms of security. I’m a little worried that the National Cyber Security Centre has absorbed too much of the culture of secrecy that necessarily defines GCHQ. So I’ve talked to a few people who have tried to approach it for advice and media requests and they have been very, very unhelpful. And I think that’s a mistake – you need to enable and encourage people. That was the whole point of putting the National Cybersecurity Centre in the middle of London so that it would be accessible, they wouldn’t be locked up in the donut in Cheltenham.
The other thing is of course resources. This is going to require more money. The British government has been channelling a lot into cyber defences and I think that’s the right thing to do. But it also requires explaining to people why you need to take police resources away from where people feel comfortable with the old syndrome we have here in the UK of ‘the bobby on the beat’. It’s necessary to shift some of those resources toward active cyber defence because many, many people are now subject to attacks whether its credit card fraud or identity theft or the use of the computer power as a botnet. People don’t know what to do when it happens. If you ring up the police and they don’t know how to proceed if you are a victim of crime online, it starts to unnerve people. One of the things I discovered talking to victims of chronic fraud or indeed identity theft is that psychologically it is perhaps not quite as devastating as finding someone has been in your home but it really does frighten people. It triggers extreme anxiety to find out that what you thought was entirely intimate, private sphere has been violated by an unknown outsider. So you really need your enforcement officers who are capable of dealing with these victims but with a degree of psychological understanding as to what victims are going through when they report crimes. You need support for that and support requires resources. And that means these days taking it away from somewhere else.
Dinnison: Do you anticipate any changing trends in cybercrime due either to reliance on new technologies or any societal change?
Well IOT (Internet of Things) is the greatest concern. Because in a short space of time thanks largely to the mirror botnet we have seen just how powerful the IOT can make sophisticated hackers, people with real technical ability. It basically multiplies computing power by an incalculable amount and if that computing power is in the hands of competent criminals then that can be very dangerous indeed. The problem here is quite simply that innovation, our resistance to boredom, our delight of convenience drives products coming to the market and security is never thought of. And even if people start thinking of security now, the situation with routers around the world is so vulnerable. Basically, products need to come on the market with full security requirements already built-in. And that only happens in maybe 10% of the products.
The second thing that is happening is that up until now traditional organized crime and cybercrime have tended to be two very different things. If you’re involved traditional organized crime, then a sine qua non of your activity is your ability to threaten or deploy violence. And in cybercrime that is not a sine qua non. You don’t need to have a capacity for violence. This is a unique development where an entire raft of crimes will attract socioeconomic groups that are very different from what we understand by organized crime historically. The only thing which connects the two of them in terms of their makeup is the gender issue. That is about 92-93 percent of organized crime syndicates are male, and 95-96 percent of hackers are male. So this is a huge marker. But other than that, class, intellectual capability, age, because hackers start much younger as a whole, are very different. You’re dealing with a different set of motivations, different psychology. You’re dealing with different modi operandi as well.
However, the reason why these two groups have been separate up until now is because traditional organized crime is still dominated by a generation who are frightened or even dismissive of tech. The new generation of organized criminals growing up are digitally literate. This means first of all they understand how cyber can be used to make their business more efficient and accelerated in all sorts of ways. The forerunner of that were the Nigerian 419 scammers who understood the scalability of their operation through email. But now what you’re beginning to see are entire tribe organizations assuming a cyber capacity to make their work more efficient. You can see that in the accounting capability of someone like the PCC, the first capital command of Sao Paulo, the largest organized crime group in South America. You can see it in the Mexican cartels. You can see it really wherever you go in Europe.
The latest Europol organized crime threat assessment makes it very clear that organized crime is being digitalised. Now for example you now get organized crime involved in burglary. They’ll do two things before they attack a street of houses; they’ll send drones over first of all to ascertain where the vulnerabilities are in terms of breaking in. At the same time as scoping it physically though drone technology, they’ll be checking everyone’s social profile on the street so they identify who lives there, when they go to work, when they go on holiday, what sorts of things they’re involved in. Whether they have lots of computers or cameras. Then they will coordinate the actual break-in very carefully and they’ll take six to eight houses all in one go in the space of about an hour or so, and they’ll be gone across borders before anyone gets home. So that is using cyber to increase your capacity but then there is also the industrialization of cyber malfeasance. I use the word malfeasance because attribution is a big problem. You don’t know if you’re dealing with espionage, intellectual property theft or whether you’re dealing with bulk standard ransomware criminals and credit card fraudsters.
In terms of the current threat the two fastest-growing cybercrimes are ransomware and what’s called CEO fraud. It’s basically when a CEO gets a message from someone he or she knows asking for a payment to be made. It’s a very targeted attack where they authorize the transfer of money which is in fact going to fraudsters. There were two cases last year in which single transfer where a CEO of a large German electronics company called Leone and a large aerospace manufacturer in Austria called FACC. Both of them authorized the transfer of 4 million euros. This led to the FACC CEO having to resign. This is a huge industry now against American companies increasingly and the European Union as well.
Dinnison: Lastly, where do you go to keep up-to-date on cybercrime related subjects?
Glenny: I track websites like Brian Krebs’ website. I met Brian when I was researching DarkMarket and he does a fantastic job. Bruce Schneier has a fantastic blog. What Bruce does is link cybersecurity to larger security issues and geopolitical issues which is what really interests me. I’ll also look at The Register and various tech-security websites to see what’s happening and then talk to people in the industry.