by Misha Glenny
DarkMarket
CyberThieves, CyberCops, and You
Misha Glenny
For Miljan, Alexandra and Callum
Copyright © 2011 Misha Glenny
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher.
Distribution of this electronic edition via the Internet or any other means without the permission of the publisher is illegal. Please do not participate in electronic piracy of copyrighted material; purchase only authorized electronic editions. We appreciate your support of the author’s rights.
This edition published in 2011 by
House of Anansi Press Inc.
110 Spadina Avenue, Suite 801
Toronto, ON, M5V 2K4
Tel. 416-363-4343
Fax 416-363-1017
www.anansi.ca
LIBRARY AND ARCHIVES CANADA CATALOGUING IN PUBLICATION
Glenny, Misha
Darkmarket : cyberthieves, cybercops and you / Misha Glenny.
Includes index.
eISBN 978-1-77089-048-0
1. Computer crimes. 2. Cyberterrorism. 3. Computer hackers.
4. Internet in espionage. I. Title. II. Title: Cyberthieves, cybercops and you.
HV6773.G53 2011 364.16’8 C2011-903101-9
We acknowledge for their financial support of our publishing program the Canada Council for the Arts, the Ontario Arts Council, and the Government of Canada through the Canada Book Fund.
PROLOGUE
In humanity’s relentless drive for convenience and economic growth, we have developed a dangerous level of dependency on networked systems in a very short space of time: in less than two decades, huge parts of the so-called ‘critical national infrastructure’ (CNI in geekish) in most countries have come under the control of ever more complex computer systems.
Computers guide large parts of our lives as they regulate our communications, our vehicles, our interaction with commerce and the state, our work, our leisure, our everything. At one of several cybercrime trials I have attended in recent years, Britain’s Crown Prosecution Service demanded the imposition of a so-called Prevention of Crime Order on a hacker, which would come into force after his release from prison. The Order would block him from accessing the Internet except for one hour a week under the supervision of a police officer. ‘By the time my client completes his sentence,’ the defendant’s lawyer remarked at the hearing, ‘there will barely be a single human activity that will not somehow be mediated by the Internet. How is my client supposed to live a normal life under such circumstances?’ he asked rhetorically.
How indeed. Those who have left their mobile phone at home even for a few hours usually notice an intense irritation and a sense of loss, akin to cold turkey among more dependent users. Interestingly, when deprived of the device for three days, this corrosive feeling of unease is often replaced by a rush of liberation as one is transported back to a world, not so far away, where we neither had nor needed mobile phones and we arranged our lives accordingly. Today most people feel they cannot live without these tiny portable computers.
Perhaps the nearest comparison to computers is the motor vehicle. As cars became a standard family item from the 1940s onwards, only a minority of drivers really understood what was going on under the bonnet. Nonetheless that was still quite a number who could fix their vehicle whatever the cause of breakdown, still more who could tweak the carburettor in order to limp home, and most could at least change a flat tyre.
These days if it’s only a flat tyre, you can still probably reach your destination. But a growing number of breakdowns are now the result of a computer failure in the control box – the black plastic housing usually located behind the engine. If it is a control-box issue, then even if you are an experienced tank mechanic you won’t be able to get the car moving. If you are lucky, a computer engineer will be able to fix it. But in most cases you will need to replace the unit.
Computer systems are so much more complex and fragile than internal combustion engines that only the very tiniest group of people can begin to deal with a problem beyond the familiar mantra, ‘Have you tried rebooting it?’
We now find ourselves in a situation where this minuscule elite (call them geeks, technos, hackers, coders, securocrats, or what you will) has a profound understanding of a technology that every day directs our lives more intensively and extensively, while most of the rest of us understand absolutely zip about it. I had first begun to appreciate the significance of this when researching my previous book on global organised crime, McMafia. I travelled to Brazil in order to investigate cybercrime because this absorbing country is, among its many positive qualities, a major centre of bad stuff on the Web – though this was little known at the time.
Here I met cyber thieves who had engineered a spectacularly successful phishing scam. Phishing remains one of the most dependable pillars of criminality on the Internet. There are two simple variants. The victim opens a spam email. The attachment may contain a virus, which enables a computer somewhere else in the world to monitor all activity on the affected computer, including the input of bank passwords. The other trick lies in designing an email that appears to have been sent by a bank or other institution, requesting confirmation of login and password details. If the recipient falls for the ruse, then the spammer can use these to access some or all of your Internet accounts. The Brazilian hackers demonstrated step-by-step how they secured tens of millions of dollars for themselves from bank accounts in Brazil, Spain, Portugal, the United Kingdom and the United States.
I then visited the cybercops in Brasilia who had busted four other members of their criminal group (although at least twice that number were never tracked down by the police), and then I interviewed the chief of X-Force, the covert-operations department of the American computer security company, ISS. In the space of about a week I realised that conventional or traditional organised crime, colourful and varied though it was, carried with it significantly greater risks for the perpetrators than for those engaged in cybercrime.
Old-fashioned organised-crime groups, attached to the technology and means of the twentieth century, need to overcome two daunting hurdles if they are to make a success of their chosen profession. The police represent their primary business risk. The efficacy of law enforcement varies both geographically and in time. Organised-crime groups adapt themselves to these changing conditions and choose one of a number of methods of dealing with the forces of law and order. They can attempt to outmuscle them; they can corrupt them; they can corrupt politicians exercising authority over the police; or they can evade detection.
Then they face a second problem: threats posed by the competition, other bad guys trawling for prey in the same waters. Here again they can attempt to outmuscle them; they can suggest forming an alliance; or they might agree to be absorbed by them.
In neither case, however, can the criminal syndicate simply ignore them – that way lies failure, with sometimes fatal results. Key to survival and prosperity is the ability to communicate with your fellow criminals and with the police – and, indeed, to send the correct messages to both groups.
In Brazil, I learned very quickly that twenty-first-century crime is different.
Most importantly, it is much much harder to identify when people are up to no good on the Web. Laws governing the Internet vary greatly from country to country. This matters because in general a criminal act over the Web will be perpetrated from an IP (Internet Protocol) address in one country against an individual or corporation in a second country, before being realised (or cashed out) in a third. A police officer in Colombia, for example, may be able to identify that the IP address coordinating an assault on a Colombian bank emanates from Kazakhstan. But then he discovers that this is not considered a crime in Kazakhstan, and so his opposite number in the Kazakh capital will have no reason to investigate the crime.
Many cyber criminals have the intelligence to research and exploit such discrepancies. ‘I never use American credit or debit cards,’ one of Sweden’s most successful ‘carders’ told me, ‘because that would put me under the legal jurisdiction of the United States wherever I am on the planet. So I just do European and Canadian cards, and I feel both happy and safe with that – they will never catch me.’
The divide separating the United States from Europe and Canada is most important, as these are the areas where the highest concentration of cybercrime victims live. The latter territories have much stronger laws in force to protect individual liberties and rights on the Web. Successive US governments have granted greater powers to law enforcement than most European governments would contemplate, allowing officers easier access to data from private companies, in the name of fighting crime and terrorism.
The implications of this are both profound and, for the moment, impenetrable. Concerns about crime, surveillance, privacy, the accumulation of data by both private and state institutions, freedom of speech (step forward WikiLeaks), ease of access to websites (the so-called net neutrality debate), social networking as a political tool, and national-security interests constantly bump up against one another in cyberspace.
One might argue, for example, that Google’s multi-platform, multitasking omnipresence violates the principles of America’s anti-trust legislation and that the agglomeration of all that personal data is both an opportunity for criminals and a threat to civil liberties. Yet Google might well respond that the very essence of its genius and success lies in its multi-platform, multitasking omnipresence and that this in itself promotes America’s commercial and security interests. If it wishes, the US government can access Google’s data using legal procedures within hours and, because Google gathers data from all over the world, this gives Washington an immense strategic advantage. Other governments should be so lucky. Unlike its Chinese, Russian or Middle Eastern counterparts, the American government does not need to hack Google to explore its secrets. It can get a court order instead. Would you really give that up in the name of anti-trust legislation?
The Internet is one big-bubble theory – you solve one problem affecting it, but another, seemingly intractable, pops up elsewhere.
And the biggest problem of all for law enforcement is anonymity. For the moment, it remains perfectly possible for anybody accessing the Internet with the requisite and learnable knowledge to mask the physical location of a computer.
There are two primary ways of doing this – the first cyber wall is the VPN or Virtual Private Network, whereby a group of computers can share a single IP address. Usually the IP address relates to a single machine, but with a VPN several computers in entirely different places around the world can appear to be situated in Botswana, for example.
Those who are not satisfied with the VPN as protection may also build a second cyber wall by using so-called proxy servers. A computer that is located in the Seychelles could be using a proxy in, say, China or Guatemala. The proxy does not reveal that the original IP is transmitting from the Seychelles, and in any event that computer is part of a VPN based in Greenland.
Setting all this up does require advanced computer skills and so these techniques tend to be used by only two groups involved in cybercrime – real hackers and real criminals. But these high-end operators who represent a new type of serious organised crime are a small minority of those involved in computer crime.
That leaves the small-time players who deal individually with relatively trivial sums of cash, effectively petty thieves who are barely worth hunting down, given the paucity of resources available to law enforcement. Even if these characters cannot be bothered to set up VPNs, proxies and a host of other masking techniques, they can still make life very difficult for police officers by encrypting their communications.
Software that guarantees the encryption of your written (and even voice and video) communications is widely available on the Web for free, most notably PGP, an acronym for the cheerfully colloquial Pretty Good Privacy.
Encryption is a powerful tool that plays an important role in cyber security. It is a way of scrambling language using digitally generated keys, the permutations of which are so astronomical mathematically that it can only be revealed if you know the password. For the moment, encrypted documents are effectively secure, although Washington’s National Security Agency (NSA), the most powerful digital spy agency in the world, is always working on ways to crack them. Among the cyber-criminal fraternity, rumours already abound that the NSA and its intelligence-gathering partners in Canada, Britain, Australia and New Zealand possess the ability to break these public encryption systems using its Orwellian Echelon system. Echelon, it has been reported, can access phone, email and satellite communications anywhere in the world.
The political implications of digital encryption are so immense that the government of the United States started to classify encryption software in the 1990s as ‘munitions’, while in Russia should the police or KGB ever find a single encrypted file on your computer, you could be liable for several years in jail, even if the document only contains your weekly shopping list. As governments and corporations amass ever more personal information about their citizens or clients, encryption is one of the few defences left to individuals to secure their privacy. It is also an invaluable instrument for those involved in criminal activity on the Web.
Just as traditional criminals have to develop ways of talking to each other to identify friends, foes, cops or rivals, so the cyber villains face the permanent challenge of trying to establish the bona-fide credentials of anybody they chat to online. Part of the story of this book tells how they developed methods to identify one another, and how police forces around the world have attempted to counter the hackers’ ability to spot law-enforcement agents and so-called Confidential Informants (CIs) on the Web.
During the 1990s, the simplest way of preventing unwanted guests prying into criminal activity lay in the introduction of a strict vetting and membership system for websites devoted to discussing malfeasance on the Internet. Notwithstanding these security measures, it was only a matter of months before law enforcement like the US Secret Service or intelligence agencies such as the KGB’s successor, the FSB, were crawling all over the sites, having gained access by patiently posing as criminals or by persuading informants to work on their behalf.
The performance of some agents was so convincing that some law-enforcement agencies have even devoted resources to chasing undercover cops from their sister organisations, on the assumption that they were real criminals.
As a result of their efforts, police forces and spies have, over the last decade, built up a large database of criminal hackers: their nicknames, their actual or presumed locations, the type of activity they engage in and whom they communicate with most frequently. The lowest level of cyber criminals have had their data crunched down to a pulp. Yet despite all this information, it remains extremely hard to prosecute cyber criminals.
This is where the very nature of the Web – in particular its interconnectedness – creates an enormous headache for the forces of law and order: nobody is ever 100 per cent certain whom they are communicating with on the Web. Are you dealing with a common-or-garden criminal hacker? Or are you dealing with somebody who has friends in higher places? Are you talking to a criminal? Or a spook? Or a military researcher assessing the value of criminal hacking techniques? Are you watching your interlocutor or is he watching you? Is he trying to make money for himself? Or for al-Qaeda?
‘This is like a game of seven-dimensional chess,’ the futurologist Bruno Guissani has remarked, ‘in which you are never certain of who your opponent is at any one time.’
Arriving at Google’s headquarters in Mountain View, California, was not quite like clapping eyes on the Taj Mahal for the first time, but I nonetheless felt a spasm of awe as I parked on Charleston Avenue in front of the multicoloured sign proclaiming one of the wonders of the post-industrial world.
The speed with which Google has melted into our consciousness, with all the highs and lows associated with a controlled narcotic substance, has no precedent. Its only rivals are cousins in the family of digital behemoths, like Facebook, Microsoft and Amazon. But not even these three are quite able to boast the success that Google can, in assisting, guiding and monitoring our lives as its cavernous servers spit out gazillions of bytes of requested information while slurping up and storing individual and collective data profiles of billions of humans. This data, of course, reveals much more about us than we know ourselves. One shudders to think what might happen if the information fell into the wrong hands. Maybe it already has . . .
The jolly pastel mix of primary and secondary colours, familiar from Google’s logo, is replicated throughout the ‘campus’. Often they use soft, rounded edges to define the large objects scattered around the place with precision higgledy-pigglediness. The sculptures are designed for sitting on, looking at or playing with, so that the entire complex resembles either a vast kindergarten or, depending on your anxiety and paranoia levels, the bizarre toytown village from the 1960s TV show The Prisoner, whither national-security risks were sent and whence there was no escape. Is it my imagination or does everyone I see on the campus, from cleaners to senior management, sport a trance-like smile? This both strengthens the paranoid interpretation of Google’s essence and gives the impression that they are all working a little too hard on not being evil. I cannot quite gauge whether this is a dream or a nightmare.