Security Panel – The Cybersecurity Show – S1Ep6 Part 1
NAYOKA OWARE [00:00:29] Hello and welcome to episode six of Security Panel. I am Nayoka Oware and today I am joined by an amazing guest by the name of Sandip Patel QC. He is a barrister and the Chief Legal Advisor at OSP Cyber Academy. Welcome, Sandip. How are you?
SANDIP PATEL [00:00:48] Thank you. I’m very well. Thank you for having me.
NAYOKA OWARE [00:00:49] Good. I’m glad to hear that. Thank you for joining me. Tell me a bit about yourself.
SANDIP PATEL [00:00:53] Right. I’m a barrister and I’m also head of the data protection team at SCARMANS, which means that I do all things data protection, cybersecurity and so forth. I am also a cyber crime prosecutor. And in the past, I’ve been involved in some fascinating cases described in the popular media as the Facebook hacker, the boy who almost broke the Internet, according to The Washington Post. And I was also involved in the prosecution, for the first time, of members of Anonymous, the hacktivist organization that targeted governments, government agencies and private organizations, including the FBI, CIA, the Serious Organised Crime Agency, PayPal, Visa. The list of the attacks is endless.
NAYOKA OWARE [00:01:38] And what is your appraisal of the current cyber landscape?
SANDIP PATEL [00:01:42] That’s a very good question. Complex, challenging and fascinating in equal measure. So far as the cyber threat landscape is concerned, in 2018 mail and phishing messages remained the primary malware attack vectors. That’s without doubt. There’s also been an upsurge in what’s called crypto jacking or crypto mining, which has resulted in a monetization vector for cyber criminals. Also, we’ve seen a surge in state sponsored agents. So in 2018, a Chinese group called APT10, sponsored by the state, carried out attacks on organizations in Europe and America, attacking intellectual property organizations to steal their IP. Also, there has been the cyber threat intelligence, or CTI. Cyber criminals have been working on that in relation to automated attacks. And so there has to be a response in relation to that. And also the emergence of IoT environments, which has caused all sorts of problems, regulatory and so forth. So far as malware is concerned, which I’ve mentioned, it’s quite clear that that’s been the chief attack vector for cyber criminals for some years and, according to ENISA, which is the European Network and Information Security Agency, it remains number one on their list in 2018. And the reasons for that are quite obvious. On any given day there are nearly 1 million new pieces of malware introduced into the cyberspace environment, of which 79 percent target Windows operating systems, and they’ve proved extremely useful to the criminals. Now I mentioned crypto jacking. 2018 could be characterized as the year of crypto jacking. Crypto jacking is a new term that refers to programs that use the victim’s device CPU to mine cryptocurrencies without the victim’s consent. So it might be my computer. Your computer could be used, and might well be used, by a crypto miner in order to use the processing power to solve cryptographic puzzles that are recorded on the blockchain, which in due course can be changed into real world money after legal exchanges and transactions. And so there is a real upsurge in that. Also compromised e-mail, phishing, spam and spear phishing dominate the sector. 93 percent of all malware involves compromised e-mail. Also, which is quite important, in 2017 there was an upsurge in the identification of vulnerabilities in programs, which is most important. In 2018, it topped the identification of vulnerabilities the year before, and we anticipate that in 2019 companies will find more vulnerabilities in their programs than ever before. So there is a fertile environment for cyber hackers there already. Beyond the threat landscape, there’s a Cyber Security Act, the European Cyber Security Act, which was adopted by the European Parliament early this year. ENISA will see a permanent mandate and also be in charge of the certification process for, in particular, IoT devices. And that’s something to look forward to. Also, we have on the news agenda Facebook, Cambridge Analytica, fined five billion US dollars. In my view, that’s a drop in the ocean when one looks at Facebook’s revenue, and I’m not sure that’s going to have the desired effect in due course, but we’ll have to wait and see. And then Facebook also launching its own cryptocurrency, Libra, which is due in 2020, which will be in direct competition to Bitcoin. But they’ll have the advantages of having the backing of Facebook and all its financial firepower, and also it will be pitched to 1.7 billion people around the world who do not have bank accounts and was said to be the next generation of PayPal. So that’s the cyber landscape in summary at the moment.
NAYOKA OWARE [00:06:26] Right. You say it’s called Libra?
SANDIP PATEL [00:06:27] Libra.
NAYOKA OWARE [00:06:29] Do you have any faith in it? Do you think it will be a success?
SANDIP PATEL [00:06:31] It’s difficult to say. Facebook have been extremely successful in being successful.
NAYOKA OWARE [00:06:37] This is true.
SANDIP PATEL [00:06:38] And it’ll be an interesting conversation between the regulators and Facebook as to how this becomes a cryptocurrency equivalent to a fiat currency backed by a central bank. But I anticipate that there is a real appetite for it. Otherwise, Facebook would not have launched it.
NAYOKA OWARE [00:06:59] Exactly.
SANDIP PATEL [00:07:00] But we’ll see whether it will be ready in 2020. I have my doubts.
NAYOKA OWARE [00:07:05] You do already. You mentioned crypto jacking. Is there anything that we could do to prevent ourselves from falling prey and becoming victims of crypto jacking?
SANDIP PATEL [00:07:15] Yes, well, obviously maintain good cyber hygiene. Say, for example, the 10 steps, which is the National Cyber Security Agency’s mantra, 10 steps. So have good policies: a password policy for yourself, encryption, good antivirus software. And this is just the individual. I’m not talking about the organization, so it’s different. And if you do that, you’ll be pretty much protected, and always maintain those patches on your system. So when there is an upgrade, hit the upgrade.
NAYOKA OWARE [00:07:56] Thank you for that. I will ensure that I do that as soon as I get home. What do you believe is the biggest motivator for cyber attackers?
SANDIP PATEL [00:08:04] Right. It still remains financial gain. In 2018, cyber criminals, as I described it, remained the most active threat agent group in cyberspace and accounted for 80 percent of all cyber incidents. And cyber criminals will obviously only act in order to gain some monetary advantage. What I’ve also noticed is their sophistication has increased with the complexity of viruses being distributed. But when we look at the facts and figures, for example, I mentioned email and phishing and so forth, which account for 90 percent of cyber attacks. Business email compromise since 2013 has resulted in the loss of 12 billion US dollars. So you see there’s a lot of money to be made out there. So 12 billion dollars, and in 2018 attacks on cryptocurrencies resulted in losses of eight hundred and eighty million US dollars. And that was in 2018 alone. And I’ve also mentioned the nation state activity, APT10, but predominantly it’s financial gain.
NAYOKA OWARE [00:09:24] Wow, I could never imagine being a cybercriminal. Why would I ever want to be? I know there’s financial gain. That’s just not for me, really. You’ve been involved in a number of high profile cyber security court cases.
SANDIP PATEL [00:09:37] Yes.
NAYOKA OWARE [00:09:38] What is involved in gathering the evidence to prosecute hackers?
SANDIP PATEL [00:09:43] Yes. Well, this is the fundamental challenge, because by the nature of cyber crime, it being transnational and multi-jurisdictional, the evidence may be all over the world. And in my experience, when I’ve been prosecuting, for example, Anonymous and so forth, we dealt with 26 jurisdictions. And so we had to obtain evidence from various countries and so forth in prosecuting them. These were the first cases of this type to appear before the courts in this country, so we were in uncharted waters. And what was fundamental to the success of those prosecutions was a workable mutual assistance between various countries and the authorities here, without which these prosecutions could not have succeeded. And they did succeed, I’m glad to say. So, for example, Anonymous. You will remember they were pretty much in the news a few years ago. We are legion. We are everywhere, with the Guido Fawkes mask and everything. And they were very adept at publicizing their activities. When I mentioned some of the targets, the victims, their campaigns, I was involved in the prosecution of a number of these members of Anonymous. And just by way of one example, one of the defendants, Christopher Weatherhead, was a university student. He was also known as Nerdo online. But we had to consider whether we could prove that Nerdo was Christopher Weatherhead and vice versa, for example. And when I say we, the police working together with me had to look at hundreds of thousands of lines of chat evidence in order to identify whether it was Nerdo and prove the case against him. These are challenges which have never come before the courts before, now that we and the police have the existence of smart devices and the amount of data that is recorded on them. And so these are all new challenges. Secondly, may I mention just the Facebook hacker. In 2011, Glenn Mangham, who was 26, hacked into Facebook servers and stole the source code. I’m not going to get into how he did it. It’s quite complicated.
NAYOKA OWARE [00:11:57] But you do know how he did it.
SANDIP PATEL [00:11:59] We do know how he did it eventually, because he was very keen to tell the police when he was interviewed how he did it, even though the police, and there were some technical experts in the interviews, were at a loss to understand whether this was possible or not. In any event, he managed to do it and steal the source code. At the time, it was described by the courts as the most egregious and extensive case of social hacking ever. The US authorities at the time were livid and very alarmed. They thought it was the Chinese and it was industrial espionage, because it was just before that 100 billion dollar public flotation of Facebook. So they thought this must be state sponsored. In fact, it was just Glenn Mangham acting on his own with an ordinary computer. He managed to steal the source code, and he did it for the intellectual challenge. He didn’t do it for financial gain.
NAYOKA OWARE [00:12:53] Unbelievable.
SANDIP PATEL [00:12:54] And so when the police went to his house, they found the source code on a memory disk, which he had kept. If he’d sold it, he could have sold it for hundreds of millions of pounds. But that was not his motivation. The challenges were that Facebook were not co-operative originally because they were concerned about secrecy and about this getting out. And so the most they would accept is that he stole intellectual property, not the source code. And so it was a funny moment when I was in the Court of Appeal in front of their Lordships when they asked me, what’s source code, Mr. Patel? And I thought, well, I gave the technical answer. And they said, no, you can do better. So then I compared it to the Coca-Cola recipe. And I’m glad to say that I stopped myself from likening it to Colonel Sanders’ secret KFC recipe, because I don’t think that would have gone down well at all.
NAYOKA OWARE [00:13:55] Probably not.
SANDIP PATEL [00:13:56] But that was an extraordinary case. It was challenging because the US authorities wanted to extradite Glenn and said that he would receive a sentence measured in tens of years, up to 100 years. Now, bearing in mind his motivation was not greed but intellectual challenge, and what he intended to do was just tell Facebook, I’ve been able to exploit a vulnerability in your systems. But that was an extraordinary case.
NAYOKA OWARE [00:14:27] Yeah, sounds like it was. How did you feel working that case?
SANDIP PATEL [00:14:31] I mean, I felt very privileged to work on that case, especially because I was surrounded by some extraordinary people, team and experts and so forth. And it was all a team effort in any event. So it was fascinating, as I say, to be involved in it.
NAYOKA OWARE [00:14:48] I can imagine. What are the biggest obstacles you face when prosecuting a hack?
SANDIP PATEL [00:14:54] Right, yes. The biggest obstacle is proving the person in the dock was the hacker, because of what’s called the attribution problem. There was always evidence of the hack. But the question is, can the prosecution prove that the person in the dock was responsible? And so I’ll give you an example. I prosecuted a young Sri Lankan man many years ago called Rennie Subramanian. He was the administrator of what’s called Dark Market, an online forum for criminals, Facebook for criminals in effect. One could access Dark Market and gain access to drugs, weapons, whatever. And he administered this site from Internet cafes. He was very careful, and his online persona was Gilsy. Now we had to prove that Gilsy was Rennie Subramanian. How do we do that? The Americans were involved, and they infiltrated Dark Market, some FBI covert operatives and so forth. There were numerous strands of the evidence. But what was the clincher was that we were able to decrypt passwords which he used before he became a criminal and compare them with the passwords which Gilsy used.
NAYOKA OWARE [00:16:20] Not very smart.
SANDIP PATEL [00:16:21] Now we were able to do that with technology which wasn’t available in the private market; we were able to gain access to certain authorities which were able to assist us in that. And if anyone wants to know more about it, Misha Glenny wrote a book about it called Dark Market. But fundamentally, the biggest obstacle is there was a lack of an international evidence sharing agreement. And so very often, as I found, servers were located in countries such as Russia, which are beyond the reach of law enforcement agencies. A second example, to summarize, is the boy who broke the Internet, Seth Nolan Mcdonagh. In 2013, he carried out an attack on the anti-junk-mail group called Spamhaus, which resulted in the slowing of the Internet. And again, that was hugely technical. His online alias was Narco. He was also a hired gun for assassin. But what we found when the police went in was that his computer was open, showing numerous channels to virtual machines around the world, including Ukraine. Data extraction by the police from his devices took 36 hours and yielded two terabytes of material. He had 43 IP addresses with IP spoofing. He rented servers in countries, let’s say, without mutual assistance. The police, not me, had to review one million lines of chat evidence, and that’s in the face of his use of multiple online identities. But I’m glad to say we were able to prove that Narco was the defendant.
NAYOKA OWARE [00:18:05] How long did it take to break or figure out that whole case? How long was the process?
SANDIP PATEL [00:18:10] Oh, well, that took a good year and a half for the process, to understand the evidence and then to build the case. But the huge challenge, as you can appreciate, is shown simply by some of the facts that I provided.
NAYOKA OWARE [00:18:23] Of course, of course. Given your involvement in cyber criminal prosecutions, have you noticed a shift in the type of attacks taking place around the globe?
SANDIP PATEL [00:18:34] Yes. There has been a clear trend for cyber criminals to move from ransomware to crypto mining, which I’ve mentioned, because of the simple economics of crypto jacking, or crypto mining as it’s also known. So, for example, according to one statistic, in the first six months of 2018 it was estimated that crypto miners had monetized for their users more than two and a half billion US dollars.
NAYOKA OWARE [00:19:01] That’s an awful lot of money.
SANDIP PATEL [00:19:03] Now there is a mining botnet called Smominru, which infected half a million Windows machines and which has already mined Monero. Monero is another cryptocurrency, and it’s less difficult to mine compared to Bitcoin. And so it’s very popular with criminals, and the mining capability of this botnet, according to statistics, has shown that it can mine up to four million US dollars at any given time. So the economics of crypto jacking are there. One can see, well, why not become a crypto miner, crypto jacking with the prevalence of cryptocurrencies. And so, for example, in Monero, I’ve just given you an example, an adversary controlling 2000 victim computer systems with Monero miners can generate 500 US dollars a day. So that’s about one hundred eighty three thousand US dollars a year. And 2000 victim computer systems is small change. So I’ve seen a definite shift from ransomware to crypto jacking in the last year, and I only see that increasing as the years go forward.
NAYOKA OWARE [00:20:24] Join us next time for another episode of Security Panel. I have been Nayoka Oware and I hope that you’ve enjoyed this discussion just as much as we have. Thank you for watching.