Jake Davis, known as Topiary, breaks down the Travelex hack amongst others, and explains why the government’s repeated attempts to outlaw end-to-end encryption will never work
Jake Davis, the former hacker known as ‘Topiary’ and senior member of hacktivist groups Anonymous and Lulzsec has spoken about the scale of the ransomware challenge facing organisations today, and given his tips for staying secure.
Speaking at Computing‘s recent Cyber Security Festival, Davis began by outlining his history as a hacktivist before his capture and arrest in 2011.
“I’m a former hacktivist, I was involved in Anonymous and Lulzsec. I was involved in hacking the Westboro Baptist Church, which is a homophobic and racist group. W e would target groups like this and take them down. That also shows the silly mistakes I made when I was a hacker.
“Obviously I’m not one now because I’m showing my face – I got caught! I used my real voice like an idiot during the live broadcast of the hack on YouTube in 2010.”
He also discussed his history with Lulzsec.
“I was also involved in Lulzsec – we were a meta hacking group that tried to make fun of hacking groups who took themselves seriously. Our naive teenage goal was to expose the lack of global security posture by hacking everything in existence. With immediate hindsight that was very reckless. Someone dared us on Twitter to take down the CIA website, so we took it down for the afternoon.”
His groups were also involved in several attacks on well-known newspapers.
“We pioneered this real fake news strategy where we’d highlight security flaws in major newspaper websites by hacking into them and posting stories as if they were from their own editorial team – like Tupac and Biggy are alive in New Zealand.
“We also went after News International in 2011 in the midst of the phone hacking scandal, where journalists from the Sun and News of the World and others were getting away with hacking the voicemails of celebrities, whilst hacktivists were prosecuted. They had very good lawyers so they were getting away with it, so we hacked them in response.”
But events soon spiralled out of control.
“Things got a little out of hand. We were 17 and 18 at the time. We didn’t realise the scope of how the real world would respond, until we saw our ridiculous imagery of a man in a top hat sipping wine with a cat flying through space, on the front page of the Wall Street Journal. The headline was ‘Hackers broaden their attacks’.
“People started to dress like us, and we were trending on Twitter with boy band One Direction at number two. We realised things have gone too far and we were doomed. And indeed we were.”
Davis outlined the details of his arrest and prosecution.
“I was arrested in a joint Met Police operation with the FBI. I was sentenced to two years in a young offenders institute. Luckily I didn’t need to spend anything like two years though because for the previous two years I’d been in home detention with an electronic tag, because it took so long to go to trial. In 2011 prosecuting this type of attack was so novel, the legal teams and judges didn’t know how to get to grips with it.
“I spent five years until 2018 banned from encryption. Which makes no sense, the law made no sense. I spoke to someone from the serious crime prevention squad to explain I needed to draw some money from the bank. Technically I’m using encryption when I put the card in, because you enter your PIN, that goes to the bank and it’s encrypted. If I turn on my computer, that’s encryption.”
Today Davis works in the cyber security industry.
“I do some traditional cyber work, some bug bounty hunting, creative consultancy for TV, movies and theatre. I talk to universities and schools and encouraging the next generation of hackers not to be like Lulzsec, but to think critically and to use their skills to make the world a more secure place.
“If I had to compare 2021 to 2011 – there’s a lot of negativity around hacker groups now because they’ve moved more towards financial gain, especially with ransomware. That’s what I hear about the most.”
He explained that he is a big fan of bug bounties, with some companies encourage ethical hacking where hackers privately expose the vulnerabilities they have discovered in corporate sites in exchange for money, so that the organisation can fix the problem before a more malicious actor has the chance to exploit it.
“Bug bounties are very useful, and they did not exist in any formal way when I was hacking ten years ago. There were some companies ten years ago we hacked who we decided to inform quietly rather than make public. The NHS for example. In 2011 we found flaws in NHS websites in England so we told them about it privately. The Crown Prosecution Service decided to prosecute us for this anyway which nowadays would be completely insane.
“If you’re a big company and you put out a notice saying you can hack us within this scope, there’s no way you’re going to start prosecuting hackers, you’d get laughed out of the room. We often in the UK overlook things like in Argentina if you’re a bug bounty hacker you earn 40 times more than the median salary.
“This is improving year on year in places like Argentina, where bug bounty hackers can provide for their entire families, and their skills are through the roof. If you’re Facebook and you have a $500 minimum which you pay hackers, and you pay it directly into their Paypal account that’s amazing for them.
“When ethical hackers were surveyed and asked why they hack, the number one reason was ‘To make money’. This is what motivates even the most moral and ethical hackers. That’s the same motivation for not very ethical hackers and that’s a big problem because the ability to make money through cybercrime has always existed, but it’s become very easy now.
“We like to think we’re in a world where 11 billion records have been leaked but only very high level hackers can go after those records, but the truth is that the skill floor is so ridiculously low.”
The site ‘HaveIBeenPwned.com’ lists 11.4 billion breached accounts in existence, a number which is growing by around a billion a year.
“This is a very ethical website, you put in your email address and it says you are in this many data breaches, but there are unethical versions of this site where people put in your email or phone number and they get all of your information and takes no skill to do. We don’t really know how many of these sites have been hacked.
Davis went on to explain that around $350 million was paid out in ransoms in 2020, then gave a case study around the Travelex hack in 2020.
“There’s a very specific type of software they were using which was eight months out of date. They were advised to patch this five months before by the UK government, and five months before that UK security advisors came out with a fix for this bug. So essentially they were eight months out of date on a piece of software and were hit with a ransomware attack, and ended up paying out £2.3 million.
“This is an interesting example of ransomware groups who don’t target companies but software vulnerabilities. So if there are 10,000 companies using a piece of software and the hackers know of a vulnerability in that software they go for all 10,000, and they check the net and go ‘Oh look we’ve got Travelex, let’s extort them’, and they end up paying.
“A Dutch supermarket ran out of cheese once because of ransomware. A logistics supplier got hacked. No one was specifically targeting a Dutch logistics company they just happened to be using a piece of software.
“It was the same with Wannacry. They weren’t targeting the NHS, they were targeting banks elsewhere in the world and it just so happened to hit the UK.”
He also described more advanced hacking groups like ‘Darkside’, which he said included hackers with a far higher level of skill.
“They’re very media savvy and they use double extortion. They also know what’s in the files they’ve hacked. So they can extort you for money for releasing the files, but then they go ‘We know the damage it would cause to you to release this information’, and that results in a lot of companies paying up. I saw recently a chatlog because they have their own customer support, which is really victim negotiation chat, where a victim was saying ‘I’ll pay £7 million,’ and Darkside said: ‘You’re not a bunch of children we know you have the money, give us £12 million.’ And they ended up getting it.
“These groups can also outsource to other hackers, because they have a lot of money, and a lot of cryptocurrency. So they say to another hacker ‘We’ll pay you $500,000 for a zero-day vulnerability.’ That will net them more ransomware revenue. And they’ll also offer ransomware as a service and take an affiliate percentage of it.
“A lot of them won’t be able to get that money out because it’s very traceable, but they still have millions of dollars at their disposal, but often not much skill. And that’s a scary thought when there are websites where you can buy the latest iPhone hack for a million dollars – they have that, it’s not much money to them.”
All of which is very alarming for organisations of all shapes and sizes. So what does Davis recommend that we do about it?
“You can search people’s usernames or passwords to retrieve information about an entire company. So credential management is extremely important along with enforcing unique credentials.
“Two-factor authentication is also essential. And please don’t use SMS for two-factor authentication, because basically the entire telecoms network should be destroyed and rebuilt!
“The most important thing I can leave you with on ransomware is don’t just worry about stopping ransomware hitting you, but run simulations on what would happen if ransomware did hit you. The raging debate at the moment is should you pay the ransom?
“My view is you should never pay unless you have to, so you should strive to not have to. So run these simulations so you can say if we are hit, can we position ourselves do we don’t need to pay? So you have the backups, they work and the damage can be mitigated so you can still function as a business.
“My number one piece of advice: just listen to more talks for security events.”
Davis then discussed cyber insurance, explaining that hackers today target cyber insurance companies specifically so they can get lists of clients, so they know who to hack. They then get a higher likelihood of receiving a payout.
“Cyber insurance companies now often refuse to payout ransom demands. There are 40 or so companies about the $500 million premium threshold and if only a few of those are hit and get a maximum payout then you’re looking at over half a century of premiums. At the moment it’s risky for companies getting cyber insurance but it’s also risky for the cyber insurance companies themselves.”
He sees wasted effort in cyber security, and also dislikes the extravagant claims made by some products.
“I’m very sceptical of expensive products which claim to stop 100 per cent of all hacks. You cannot say you’re 100 per cent unhackable. Companies who claim to make you invincible should be avoided. What I see a lack of is hiring good people and sticking to basic principles.
“For instance the Travelex hack could have been avoided by patching software. I wish I didn’t have to say this, if you have these core principles in place you destroy the low hanging fruit for low level hackers. What’s happened in the last decade is the low level hackers have scaled up and now you’ve got people that ten years ago couldn’t fund themselves now have access to millions of dollars in cryptocurrency and can buy the world’s greatest exploits and espionage technology and run havoc with it.
“Companies are focused on defending against the big nation-state zero-day exploiting threats, but getting knocked out by these cheeky attacks by kids. And they don’t admit it, because it would look bad to say we forgot to lock this door, but this is what most hacks are, and it will continue that way until we correct this basic posture.”
Finally Davis talked about the UK government’s repeated attempts to outlaw end-to-end encryption.
“It won’t work. Banning end to end encryption is like banning maths, it won’t work. You can’t put a backdoor into end-to-end encryption for the government because as Ed Snowden says a backdoor for one is a backdoor for all.
“There’s also nothing wrong with encrypting your data. Lots of threat actors will say you’re hiding something. The classic line is you have nothing to fear if you have nothing to hide, which I don’t agree with at all. It’s not about hiding something it’s about your basic fundamental human right to privacy.
“I travel around with a lot of sensitive work-related information on my laptop, and I take pride in full-disc encrypting it. This is something we can all do.
“Governments find most success in taking over entire infrastructure. If you look at end-to-end encrypted messenger apps which are designed specifically for crime like ‘EncroChat’, they just get completely taken over by governments.
“I agree with targeted surveillance, going after specific people, but mass surveillance and going after end-to-end encryption is a very slippery slope, so my advice is to encrypt everything.”
Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware Source link Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware