Transcript: Hacking and irrational actors in Redfern

Back in February I spoke at the “Freedom of Information?” panel held in Redfern by Recordkeeping Roundtable. I’ve previously posted the audio of my contribution. Here’s a transcript.

Recordkeeping Roundtable’s website has the raw transcript as supplied, but I’ve decided to edit it up a little to make it more readable. Enjoy.

CASSIE FINDLAY: So our first speaker, who has been launched into first position, and I don’t know we’ll just see if I can remember. I have a whole… like a proper, formal bio for Stil but he told me an abbreviated one that I’m going to remember now, which is Stilgherrian is a journalist and — you’ll just have to remind me — information security expert, journalist, blogger, troublemaker, speaker and shall be our first speaker tonight. Thank you.


STILGHERRIAN: Thanks Cass, thanks everyone. Yes, it’s somehow appropriate we start this, I think, with the disorderly side of accessing information. What I’d like to tell you about tonight, to kick this off, is the fact that we hear about all these information tools available to us as being something that will democratise access to information, and I think it’s more it’s going to “anarchise” that access, if I can put it in those terms. Because the tools are available now not just to the rational actors of government and parties and organisations and so on. These tools are now available to the rational actors of smaller groups or individuals, they’re now also available to the irrational actors — and I don’t mean crazy people, although add them into the list too if you want, I mean actors large and small who do not necessarily have a well-defined or coherent aim for what they’re doing. And I will put Wikileaks and the random people who put the label ‘Anonymous’ on themselves under that label of irrational actors.

And if you think that’s unfair I’m not, again, I must stress, I’m not calling those people crazy. They’re often very sharp and very focused people. But if you stop and think about what is the actual aim here? What is the purpose of their activity? And it’s a little hard to pin down, particularly with the people who label themselves ‘Anonymous’. It seems to be ‘something big business, government, secret, awful, stop them, ha-ha-ha’. Well that’s perhaps unfair, but if you’ve got a better one, by all means publish it.

And the problem for existing holders of information — which by definition therefore means existing holders of power — is that what on earth are these people going to do next? And who is going to do it next? Because, as I say, the tools are now available to everyone, and it’s like the kiddies are loose in the chocolate factory — and again, “kiddies” because they are not part of what the existing powers consider to be, well, I suppose the ‘old boys’ club’.

If we hark back to something like the Cold War, and we were all in very, very grave danger of something going seriously wrong and we would be vapour the next morning. You know, we ran very close to the edge on a number of occasions over a 40 year period, let’s say, to pick a number from the air. The thing that stopped us going all the way, the thing that stopped the button being pressed, was that along the way there were actual rational people who said “No, actually, let’s not blow up the entire world, that might be a bad thing.” And that’s why we hear now about rogue states and nuclear terrorism and so on, because maybe not everyone has that same approach to pressing the button.

The same is the case in the battle for information. Now we’re not going to get vapourised because someone gets a copy of an email, but what happens is that a government party might lose power, an organisation such as a business might thoroughly go out of business — so in a sense it’s vapourisation for them — although, again, I don’t want to push that analogy too far because I find that whole equation of terrorism and nuclear things, it’s wrong. We’re talking about information. No-one physically gets hurt.

And that’s why the whole recent Stratfor thing is an interesting case, because although Stratfor is not a government organisation, it has strong links to government, it operates with information that’s the kind of information that governments have, and the kind of mistakes they made and the impact the breach has had upon them is perhaps similar.

Now the points I guess I want to make — and Cass has asked me to do a quick run through of this — who before all this news had ever heard of Stratfor, anyone? One, two… Okay, that’s… and Dr Dorling. That’s actually a really high proportion. Because I was on the list. Malcolm Turnbull had obviously heard of them — he was a subscriber. I’d subscribed to their newsletters once because my email address is in that big dumped database as well and things.

But essentially their job, if we take them at their word initially, ‘cos we’ve got some emails to read to find out some more — five million emails — but they were a private intelligence organisation supposedly dealing with open source information to provide strategic advice and risk analysis for the private sector mostly, but some government.

So the kind of client and job that we imagined that they had until the last few weeks was things like an oil company has got to spend a couple of billion dollars in building a new oil refinery; shall we build it in the south of newly liberated Iraq or shall we build it in Pakistan, or where shall we build this because we need to look 30 years ahead.

George Friedman, the founder of Stratfor is big in the world of geopolitical analysis. His book The Next 100 Years is just that, essentially explaining how America will rule the world for the next century and the risks it faces in doing so, especially in Central Asia, and that’s the kind of thing.

Now some of the people who used the label “Anonymous” — and I keep phrasing it that way because there is no leader of Anonymous, there is no centre, there is no plan, anyone can say “I subscribe to their world view and I’m now doing things in the name of Anonymous.” So I will now just go to the short-cut way of saying that and say “Anonymous did” and “Anonymous said”, even though that is wrong and I know you’re all adults and will follow me on that. But in March last year Anonymous hacked into a company called H B Gary Federal which did information security for various bits of the United States government. And it turned out that H B Gary Federal was both incompetent and possibly even corrupt in the way it did that and, well, Anonymous took them down and in the last few days it is now being revealed that H B Gary Federal is being chopped up, sold off and that’s the end of their business.

Along the way they got hold of H B Gary’s emails. Apparently some of those emails mention Stratfor. And apparently some of them mentioned things that Stratfor did that Anonymous thought were wrong, corrupt, evil, nasty, whatever it might be. So they decided to have a look at what Stratfor was doing.

Over a number of weeks leading up to Christmas they did manage to break into Stratfor’s servers and over a period of a few weeks exfiltrated, as the jargon goes, 200 gigabytes of data. Their entire email archive going back a decade. Everything sent and received. Yes, that does mean that they were moving, say, several gig of data out of their network without them noticing the extra traffic. Lucky them or incompetent them, however you look at it.

I have received word that apparently Stratfor had become, or started to become, aware that the chap doing their network was perhaps not as competent as he had told them and had recently been replaced, and they were in the process of maybe doing something about a new security person, but clearly too late.

So that all came into the news around Christmas time and, again, I want to use that phrase “the kids loose in the chocolate factory”, because hacking an organisation like that is a multi-person task. You need to bring a number of skills to bear, and they can’t all be found in the one person very often. So it’s a bit like the heist movies, you know, someone knows how to break down the door, someone knows how to deprogram the security cameras and all of that kind of stuff, with a little less action and a lot more sitting at computer terminals. They got in.

Now what focused everyone’s attention at Christmas was they found that Stratfor had not only allowed these guys to get in — but I’ll come back to that — they found that they’d kept all of the names, addresses and credit card numbers of all of their subscribers unencrypted in a database that had no password on it. So, what happens next? Well those credit card numbers start being spent, and Anonymous people sort of say “Well we’re doing a Robin Hood thing, we’re making donations to the Red Cross and Medicines sans Frontieres” etc, etc.

Except, well you know, the real reason was to get at that email archive. Well that’s what’s started to be published in the last few days through WikiLeaks, although WikiLeaks have said they don’t know where they got this email from, they just happen to have 200 gigabytes of email from Stratfor, but it’s just magically arrived.

So that’s where we’re up to and we’re up to the point where as this slowly gets released we are seeing things like an email which suggests founder George Friedman was talking to Goldman Sachs about how you could set up a separate corporate structure so that it would look like an independent advice organisation, so therefore technically it’s not insider trading, etc, etc. And I didn’t find that in George Friedman’s book anywhere. I didn’t see the bit that said “Start insider trading company” but, look, lots more will come out over the next few days.

Now this could happen to any organisation, any organisation you’re involved with, tomorrow because there are two things to point out.

One is that no-one ever gets their information security perfect. It’s just impossible, it is too hard. You just have to make one mistake, you just have to have one employee who makes a mistake, and the bad guys can get in. There are guys who do this for a living on the good side called penetration testers. They’re hired by banks, insurance companies, the military, whoever, to test their defences. If you have a beer with these guys, even if you don’t have a beer with these guys, ask them how many times they fail to get in. The answer is always zero. They never fail to get in. And often it’s, well, often it’s by manipulating people rather than anything technical.

The other thing to mention is that all of the tools that are available to do this are freely downloadable from the internet, either free or at a very low price from your friendly local Russian mafia. They come with technical support that is better than the technical support for most commercial software products. Well actually they are commercial software products, they come with good support and I’ve had the very great pleasure of one of the information security companies running me through a training session in one of these. They’re very easy to use. This training session took 90 minutes. At the end of it I knew how to get a bit of software, weaponise it, create a fake email convincing someone to download the weaponised software, install it on their computer and I now have control of that computer. All right, I was working from a cheat sheet. But I was also told that if I did not have this cheat sheet, any competent systems administrator could nut it out within two days. But as I say, if they want to pay the US$200 they’ll get the technical support and someone will talk them through it.

So it’s lovely stuff, and when I talk about the kind of tools available to you, this is absolutely complete control of the computers that you infect. You can turn on the camera without turning on the red light to say that it’s recording. You can turn on the microphone. You can take screenshots. You can record what’s happening on the keyboard. You can do absolutely anything. You can then install software — this is off the topic of information attacks really — but should you wish to get access to their financial information, well, you can install something like the Zeus anti-banking trojan which recognises the top 200 or 300 banks in the world, will notice when your web browser has logged into your net banking for that bank — so it’s still showing you the Secure Sockets Layer padlock icon, you have a secure link — but in the background while that secure link is open it can start doing funds transfer commands, on its own, without them showing up on the screen. If it notices that you’ve set things up to notify you of transactions by say email to a Hotmail or Gmail account, it will quickly log into said account and delete that email before you get a chance to see it, etc, etc.

It’s really very, very clever stuff and hats off to some of the finest software developers that the Russian mafia has managed to find.

Now where does that leave us?

Screwed basically.

I mean I don’t wish to paint it all doom and gloom but right now, today, if I can use the Cold War analogy again, while all that was happening in the background we had many people doing things to make sure that the bad stuff didn’t happen. We had radar operators sitting at their consoles, we had fighter jets on standby, we had missiles ready to be launched and so on.

Well today we have a similar kind of battle going on. We don’t hear much about it because most of it’s actually run by the commercial sector, oddly enough. It’s organisations like Microsoft and McAfee and Symantec and Kaspersky out of Russia and AVG out of Prague and all of these people who are running the defensive systems. All of these companies have their people operating in the black market and grey market to keep in touch with what the bad guys might be doing next to buy the software and show it to people like me so we’re all aware of how it works and what’s going on and so they know what they’re defending against.

And Stratfor is there — that’s an example that’s very public now. We had so many hacks last year of Sony — I forget, did we get up to 100 million in credit card records stolen? I mean it’s got to the point now where this is all churning along. So many people in the cybercrime area have pointed to this year as being very significant because there were all of these attacks last year and yet there’s a sense of no-one’s doing anything with this data yet. It’s almost the calm before the storm.

And then finally, if I can kind of wrap up, in organisations or non-organisations like Anonymous, who’s really running this?

I mean we hear about … there are people doing things and they’re the public face. We hear about people occasionally being arrested. But I have had someone who worked for an acronymic intelligence agency — I’d better not say which one — but said relatively recently, “The fact that anyone can call themselves Anonymous is quite handy.”

Those were his words, “quite handy”.

I don’t think it’s all doom and gloom but, as I say, there are people who are doing the defensive stuff and are on top of this. But it does create all of those issues for society. Who now will have the balance of power? Because we are eroding some of the exclusive access to information. We do have the sense where anyone with a grudge can decide that they will reveal information without a lot of thought about the collateral damage caused by that information coming out.

I mean, the people who broke into Stratfor didn’t really care about what happened to the credit card numbers they put online, or anything in the emails. Who knows what the fallout from that bout might be? They don’t really care.

And then there’s the long term. Who creates the narrative of our history? But that’s one I better leave for another time or we’ll be here all night. Obviously you’ll have a chance to ask questions. Thank you.