Jake Davis, known as Topiary, breaks down the Travelex hack amongst others, and explains why the governments repeated attempts to outlaw end-to-end encryption will never work
Jake Davis, the former hacker known as Topiary and senior member of hacktivist groups Anonymous and Lulzsec has spoken about the scale of the ransomware challenge facing organisations today, and given his tips for staying secure.
Speaking at Computings recent Cyber Security Festival, Davis began by outlining his history as a hacktivist before his capture and arrest in 2011.
Im a former hacktivist, I was involved in Anonymous and Lulzsec. I was involved in hacking the Westboro Baptist Church, which is a homophobic and racist group. W e would target groups like this and take them down. That also shows the silly mistakes I made when I was a hacker.
Obviously Im not one now because Im showing my face I got caught! I used my real voice like an idiot during the live broadcast of the hack on YouTube in 2010.
He also discussed his history with Lulzsec.
I was also involved in Lulzsec we were a meta hacking group that tried to make fun of hacking groups who took themselves seriously. Our naive teenage goal was to expose the lack of global security posture by hacking everything in existence. With immediate hindsight that was very reckless. Someone dared us on Twitter to take down the CIA website, so we took it down for the afternoon.
His groups were also involved in several attacks on well-known newspapers.
We pioneered this real fake news strategy where wed highlight security flaws in major newspaper websites by hacking into them and posting stories as if they were from their own editorial team like Tupac and Biggy are alive in New Zealand.
We also went after News International in 2011 in the midst of the phone hacking scandal, where journalists from the Sun and News of the World and others were getting away with hacking the voicemails of celebrities, whilst hacktivists were prosecuted. They had very good lawyers so they were getting away with it, so we hacked them in response.
But events soon spiralled out of control.
Things got a little out of hand. We were 17 and 18 at the time. We didnt realise the scope of how the real world would respond, until we saw our ridiculous imagery of a man in a top hat sipping wine with a cat flying through space, on the front page of the Wall Street Journal. The headline was Hackers broaden their attacks.
People started to dress like us, and we were trending on Twitter with boy band One Direction at number two. We realised things have gone too far and we were doomed. And indeed we were.
Davis outlined the details of his arrest and prosecution.
I was arrested in a joint Met Police operation with the FBI. I was sentenced to two years in a young offenders institute. Luckily I didnt need to spend anything like two years though because for the previous two years Id been in home detention with an electronic tag, because it took so long to go to trial. In 2011 prosecuting this type of attack was so novel, the legal teams and judges didnt know how to get to grips with it.
I spent five years until 2018 banned from encryption. Which makes no sense, the law made no sense. I spoke to someone from the serious crime prevention squad to explain I needed to draw some money from the bank. Technically Im using encryption when I put the card in, because you enter your PIN, that goes to the bank and its encrypted. If I turn on my computer, thats encryption.
Today Davis works in the cyber security industry.
I do some traditional cyber work, some bug bounty hunting, creative consultancy for TV, movies and theatre. I talk to universities and schools and encouraging the next generation of hackers not to be like Lulzsec, but to think critically and to use their skills to make the world a more secure place.
If I had to compare 2021 to 2011 theres a lot of negativity around hacker groups now because theyve moved more towards financial gain, especially with ransomware. Thats what I hear about the most.
He explained that he is a big fan of bug bounties, with some companies encourage ethical hacking where hackers privately expose the vulnerabilities they have discovered in corporate sites in exchange for money, so that the organisation can fix the problem before a more malicious actor has the chance to exploit it.
Bug bounties are very useful, and they did not exist in any formal way when I was hacking ten years ago. There were some companies ten years ago we hacked who we decided to inform quietly rather than make public. The NHS for example. In 2011 we found flaws in NHS websites in England so we told them about it privately. The Crown Prosecution Service decided to prosecute us for this anyway which nowadays would be completely insane.
If youre a big company and you put out a notice saying you can hack us within this scope, theres no way youre going to start prosecuting hackers, youd get laughed out of the room. We often in the UK overlook things like in Argentina if youre a bug bounty hacker you earn 40 times more than the median salary.
This is improving year on year in places like Argentina, where bug bounty hackers can provide for their entire families, and their skills are through the roof. If youre Facebook and you have a $500 minimum which you pay hackers, and you pay it directly into their Paypal account thats amazing for them.
When ethical hackers were surveyed and asked why they hack, the number one reason was To make money. This is what motivates even the most moral and ethical hackers. Thats the same motivation for not very ethical hackers and thats a big problem because the ability to make money through cybercrime has always existed, but its become very easy now.
We like to think were in a world where 11 billion records have been leaked but only very high level hackers can go after those records, but the truth is that the skill floor is so ridiculously low.
The site HaveIBeenPwned.com lists 11.4 billion breached accounts in existence, a number which is growing by around a billion a year.
This is a very ethical website, you put in your email address and it says you are in this many data breaches, but there are unethical versions of this site where people put in your email or phone number and they get all of your information and takes no skill to do. We dont really know how many of these sites have been hacked.
Davis went on to explain that around $350 million was paid out in ransoms in 2020, then gave a case study around the Travelex hack in 2020.
Theres a very specific type of software they were using which was eight months out of date. They were advised to patch this five months before by the UK government, and five months before that UK security advisors came out with a fix for this bug. So essentially they were eight months out of date on a piece of software and were hit with a ransomware attack, and ended up paying out 2.3 million.
This is an interesting example of ransomware groups who dont target companies but software vulnerabilities. So if there are 10,000 companies using a piece of software and the hackers know of a vulnerability in that software they go for all 10,000, and they check the net and go Oh look weve got Travelex, lets extort them, and they end up paying.
A Dutch supermarket ran out of cheese once because of ransomware. A logistics supplier got hacked. No one was specifically targeting a Dutch logistics company they just happened to be using a piece of software.
It was the same with Wannacry. They werent targeting the NHS, they were targeting banks elsewhere in the world and it just so happened to hit the UK.
He also described more advanced hacking groups like Darkside, which he said included hackers with a far higher level of skill.
Theyre very media savvy and they use double extortion. They also know whats in the files theyve hacked. So they can extort you for money for releasing the files, but then they go We know the damage it would cause to you to release this information, and that results in a lot of companies paying up. I saw recently a chatlog because they have their own customer support, which is really victim negotiation chat, where a victim was saying Ill pay 7 million, and Darkside said: Youre not a bunch of children we know you have the money, give us 12 million. And they ended up getting it.
These groups can also outsource to other hackers, because they have a lot of money, and a lot of cryptocurrency. So they say to another hacker Well pay you $500,000 for a zero-day vulnerability. That will net them more ransomware revenue. And theyll also offer ransomware as a service and take an affiliate percentage of it.
A lot of them wont be able to get that money out because its very traceable, but they still have millions of dollars at their disposal, but often not much skill. And thats a scary thought when there are websites where you can buy the latest iPhone hack for a million dollars they have that, its not much money to them.
All of which is very alarming for organisations of all shapes and sizes. So what does Davis recommend that we do about it?
You can search peoples usernames or passwords to retrieve information about an entire company. So credential management is extremely important along with enforcing unique credentials.
Two-factor authentication is also essential. And please dont use SMS for two-factor authentication, because basically the entire telecoms network should be destroyed and rebuilt!
The most important thing I can leave you with on ransomware is dont just worry about stopping ransomware hitting you, but run simulations on what would happen if ransomware did hit you. The raging debate at the moment is should you pay the ransom?
My view is you should never pay unless you have to, so you should strive to not have to. So run these simulations so you can say if we are hit, can we position ourselves do we dont need to pay? So you have the backups, they work and the damage can be mitigated so you can still function as a business.
My number one piece of advice: just listen to more talks for security events.
Davis then discussed cyber insurance, explaining that hackers today target cyber insurance companies specifically so they can get lists of clients, so they know who to hack. They then get a higher likelihood of receiving a payout.
Cyber insurance companies now often refuse to payout ransom demands. There are 40 or so companies about the $500 million premium threshold and if only a few of those are hit and get a maximum payout then youre looking at over half a century of premiums. At the moment its risky for companies getting cyber insurance but its also risky for the cyber insurance companies themselves.
He sees wasted effort in cyber security, and also dislikes the extravagant claims made by some products.
Im very sceptical of expensive products which claim to stop 100 per cent of all hacks. You cannot say youre 100 per cent unhackable. Companies who claim to make you invincible should be avoided. What I see a lack of is hiring good people and sticking to basic principles.
For instance the Travelex hack could have been avoided by patching software. I wish I didnt have to say this, if you have these core principles in place you destroy the low hanging fruit for low level hackers. Whats happened in the last decade is the low level hackers have scaled up and now youve got people that ten years ago couldnt fund themselves now have access to millions of dollars in cryptocurrency and can buy the worlds greatest exploits and espionage technology and run havoc with it.
Companies are focused on defending against the big nation-state zero-day exploiting threats, but getting knocked out by these cheeky attacks by kids. And they dont admit it, because it would look bad to say we forgot to lock this door, but this is what most hacks are, and it will continue that way until we correct this basic posture.
Finally Davis talked about the UK governments repeated attempts to outlaw end-to-end encryption.
It wont work. Banning end to end encryption is like banning maths, it wont work. You cant put a backdoor into end-to-end encryption for the government because as Ed Snowden says a backdoor for one is a backdoor for all.
Theres also nothing wrong with encrypting your data. Lots of threat actors will say youre hiding something. The classic line is you have nothing to fear if you have nothing to hide, which I dont agree with at all. Its not about hiding something its about your basic fundamental human right to privacy.
I travel around with a lot of sensitive work-related information on my laptop, and I take pride in full-disc encrypting it. This is something we can all do.
Governments find most success in taking over entire infrastructure. If you look at end-to-end encrypted messenger apps which are designed specifically for crime like EncroChat, they just get completely taken over by governments.
I agree with targeted surveillance, going after specific people, but mass surveillance and going after end-to-end encryption is a very slippery slope, so my advice is to encrypt everything.
Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware Source link Former Anonymous and Lulzsec hacker discusses his criminal past and gives his top tips for avoiding ransomware
- WhatsApp rolls out encryption for chats backed up in the cloud - Mashable - October 17th, 2021
- WhatsApp now lets users encrypt their chat backups in the cloud - TechCrunch - October 17th, 2021
- Meet the Alliance for Encryption in Latin America and the Caribbean - EFF - October 17th, 2021
- Apples plan to scan images will allow governments into smartphones - The Guardian - October 17th, 2021
- WhatsApp to bring in encryption for backup chats after privacy fears - The Guardian - October 15th, 2021
- WhatsApp end-to-end encrypted backups are rolling out on both Android and iOS - GSMArena.com news - GSMArena.com - October 15th, 2021
- Encryption: Why security threats coast under the radar - Philstar.com - October 15th, 2021
- Encryption Management Solutions Market 2021 : Industry Analysis ,Size, Share, Revenue, Prominent Players, Developing Technologies, Tendencies and... - October 15th, 2021
- TLS Support Redis - October 12th, 2021
- Signal >> Documentation - October 12th, 2021
- Encryption Consulting announces their first-ever virtual conference - "Encryption Consulting Virtual conference 2021." - Tyler Morning... - October 12th, 2021
- [Update: Rolling out] WhatsApp adds end-to-end encryption for Android cloud backups - 9to5Google - October 12th, 2021
- Homomorphic Encryption Market New Coming Industry to Witness Great Growth Opportunities in Coming Years From 2021 to 2027: Microsoft (US), IBM... - October 12th, 2021
- SmartKargo Incorporates EDIfly Advanced Aviation Messaging At No Cost for Customers of its E-Commerce Logistics Solution - Yahoo Finance - October 12th, 2021
- No outages, no data leaks: The new WhatsApp killer built on the blockchain creates privacy-focused encrypted messenger - Cointelegraph - October 12th, 2021
- Mosyle's $ 16M Series A Drives Growth by Launching the Mosyle Business with the Market's First Encrypted DNS Filtering and Security Solution -... - October 6th, 2021
- Tips to Secure and Encrypt your WIFI Network Security - H2S Media - October 6th, 2021
- Data Encryption Standard (DES)? - All You Need to Know | Techfunnel - TechFunnel - October 4th, 2021
- XSOC CORP Recognized by CyberSecurity Breakthrough Awards Program for Overall Encryption Solution of the Year - Business Wire - October 4th, 2021
- Encryption: Why security threats coast under the radar - Express Computer - October 4th, 2021
- Hardware Encryption Devices Market 2021 Technology Development, Key Manufacturers, Forecast Based on Major Drivers and Trends Up to 2027 - Digital... - October 4th, 2021
- Container security without governance is neither secure nor governed - The Register - October 4th, 2021
- Sectigo Certificate Manager Wins 2021 CyberSecurity Breakthrough Award for Overall Encryption Solution Provider of the Year - PRNewswire - October 4th, 2021
- Customs and Border Protection Signs Major Contract With Amazon-Owned Encrypted Chat App Wickr - Gizmodo - October 4th, 2021
- Encryption cant be used as excuse to deny sharing details to law enforcement: Govt - The Financial Express - October 4th, 2021
- Facebook announces WhatsApp end-to-end encrypted (E2EE) backups - Techiexpert.com - TechiExpert.com - October 4th, 2021
- Bluefin Issues New Payment Security Brief on PCI-validated P2PE for Petroleum and Convenience Stores - PR Web - October 4th, 2021
- Get a lifetime of easy, automatic encryption for all of the files on your computer for just $30 - ZDNet - September 24th, 2021
- Tide encryption is ready to end the cyber breach pandemic - TechCrunch - September 24th, 2021
- The FBI has kept the presence of the encryption key secret from Casey for three weeks. - Cheraw Chronicle - September 24th, 2021
- Braves non-tracking, browser-based video conferencing tool is out of beta - TechCrunch - September 24th, 2021
- 5 ways to stay ahead of government-targeted ransomware - GCN.com - September 24th, 2021
- Encryption Software Market expectation surges with rising demand and changing trends by industry analysis through 2026 Stillwater Current -... - September 24th, 2021
- What Is a Hardware Security Module? HSMs Explained - Hashed Out by The SSL Store - September 24th, 2021
- Making the Most from WEP - Wi-FiPlanet.com - Wi-Fi Planet - September 24th, 2021
- Brave, the startup behind untracked browser-based video conferencing tool is out of beta - Security News - BollyInside - September 24th, 2021
- Hardware Encryption Devices Market Is Expected To Witness Healthy Growth At A CAGR Of More Than 40% - Herefordshire Live - Herefordshire Live - September 24th, 2021
- WhatsApp launches encryption in iCloud and Google Drive backups - InTallaght - September 24th, 2021
- WhatsApp boosts end-to-end encryption - BusinessTech - September 17th, 2021
- WhatsApp to offer encryption on cloud backups: Heres all you need to know - India Today - September 17th, 2021
- London's Top Cop Says 'Big Tech,' Encryption Are Letting The Terrorists Win - Techdirt - September 17th, 2021
- Zoom unveils new security features including end-to-end encryption for Zoom Phone, verified identities and... - ZDNet - September 15th, 2021
- Insights on the Hardware Encryption Global Market to 2026 - by Algorithm & Standard, Architecture, Product, Application and Region - PRNewswire - September 15th, 2021
- Light Start: WhatsApp rolls out backup encryption, LG is more attractive, Google goes dark and iPhones only laak gud vaabs Stuff - Stuff Magazines - September 15th, 2021
- Revenant REvil. WhatsApp offers encryption. Hortum spyware in Turkey. Update on the UN data breach. Healthcare breaches disclosed. - The CyberWire - September 15th, 2021
- How a glitch in the Matrix led to apps potentially exposing encrypted chats - The Register - September 15th, 2021
- Secure cloud storage: which are the most secure providers? - ITProPortal - September 15th, 2021
- WhatsApp is finally allowing users to encrypt chat backups uploaded to iCloud and Google Drive - Buzz.ie - September 15th, 2021
- WhatsApp is adding encrypted backups - The Verge - September 11th, 2021
- What Is Fully Homomorphic Encryption (FHE)? - CIO Insight - September 11th, 2021
- WhatsApp end-to-end encrypted messages arent that private after all - Ars Technica - September 11th, 2021
- UK government backs Apple, and wants to scan encrypted messages for CSAM - 9to5Mac - September 11th, 2021
- VPN and Email Encryption Provider, WiTopia, Inc., Is Now Raising Capital Via StartEngine - PRNewswire - September 11th, 2021
- Future in the cloud for encryption - Capacity Media - September 8th, 2021
- WhatsApps Claims Of End-To-End Encryption Might Be Entirely True - Ubergizmo - September 8th, 2021
- Debunking Wi-Fi Security Myths: Wi-Fi Encryption Is Weak - TechSpective - September 8th, 2021
- WhatsApp Flaw Casts Doubt on End-to-End Encryption - Security Boulevard - September 8th, 2021
- Bluefin Receives U.S. Patent on Systems for Vaultless Tokenization and Encryption - WFMZ Allentown - September 8th, 2021
- Priti Patel backs ad campaign that criticises Facebook's stance on end-to-end encryption - Graham Cluley Security News - September 8th, 2021
- EXCLUSIVE: What's in the new zero-trust strategy - Politico - September 8th, 2021
- 3 ways to protect yourself from cyberattacks in the midst of an IT security skill shortage - Help Net Security - September 8th, 2021
- Apple Has Betrayed Its Privacy Legacy and Will Undermine End-to-end Encryption Everywhere - Privacy News Online - September 8th, 2021
- IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features - The Register - September 8th, 2021
- The adoption of multi-cloud drives the need for better data protection and management of encryption keys an... - Security Boulevard - August 26th, 2021
- Cryptomator Vs. BoxCryptor: Which One Is The Best Encryption Software? - Analytics Insight - August 26th, 2021
- Why you should encrypt your data on your computer and how to do it - The Star Online - August 26th, 2021
- Video end-to-end encryption on Ring to be available worldwide - ITP.net - August 26th, 2021
- What is a Vocoder? How an audio encryption device used in WW2 became the sound of electro and modern pop - Mixdown - August 26th, 2021
- Privacera partners with StreamSets to strengthen data security for ETL processing in the cloud - Help Net Security - August 26th, 2021
- R400m cocaine-in-a-boat accused used encryption app to communicate - TimesLIVE - August 26th, 2021
- Evervaults encryption as a service is now open access - TechCrunch - August 24th, 2021
- How to Encrypt Your Own Windows and Mac Devices (and Why You Need To) - Lifehacker - August 24th, 2021
- Why encryption is the key to digital fitness, according to Thales - iTnews - August 24th, 2021
- How to check each of your WhatsApp chats are ACTUALLY private right now and not being intercepted by h... - The Sun - August 24th, 2021
- WebCam: How Australia paved the way for Apple's encryption backflip - Crikey - August 24th, 2021
- Staggering 400% rise in child sexual abuse images detected by Facebook as fears over encryption plans g... - The Sun - August 24th, 2021
- Hardware-based Full Disk Encryption Market 2021 and Analysis to 2027 Micron Technology Inc, Seagate Technology PLC, Toshiba, Intel - The Market... - August 24th, 2021
- WhatsApp could soon have an iPad app for the first time - Engadget - August 24th, 2021
- Facebook is bringing end-to-end encryption to Messenger calls and Instagram DMs - TechCrunch - August 14th, 2021
- Apple opens the encryption Pandora's box - Axios - August 14th, 2021