CW ASEAN
The monthly magazine from Computer Weekly focusing on business IT in Southeast Asia
NOVEMBER 2016

Security weakness
Hackers are using small, unsecured companies for easy access to the secure networks of large organizations

SMEs are Achilles heel for ASEAN security
Mobile devices feed card fraud in ASEAN
The problem of passwords and how to deal with it
Lauri Love: the student accused of hacking the US

computerweekly.com

DATA BREACHES

SMEs are Achilles heel for ASEAN security

Small to medium-sized enterprises in the ASEAN region could be serving as gateways for cyber criminals to gain access to large enterprises unless they improve their security, writes Ai Lei Tao

Small and medium-sized enterprises (SMEs) have become the preferred targets for cyber criminals. Not only are they often easy prey, but they offer a stepping stone to larger, more lucrative corporate and government targets.

While large enterprises have the resources and often place a priority on investing in shoring up their defenses, SMEs’ priorities can be very different. Most SMEs feel they are too small to attract the interest of a hacker or are unaware how best to protect themselves. They also lack the IT staff to ensure their systems and networks are protected.

According to Bill Chang, CEO group enterprise at Singapore Telecommunications giant Singtel, SMEs are “an entry point into the large organizations that are part of their supply chain”.

The figures back this up. Smaller companies have been experiencing a steady increase in cyber attacks in the past five years, according to Symantec’s 2016 Internet Security Report. The report found that 43% of all attacks in 2015 were targeted at small businesses with fewer than 250 employees.

“Every partner that plugs into an enterprise environment brings in a fresh set of vulnerabilities, which results in security lapses,” said Nikhil Batra, research manager, telecommunications at IDC Asia-Pacific. “Hackers and malware developers are constantly on the lookout for such partner ecosystems, where they can creep into a secure network through an unsecured partner.”

For example, in Thailand earlier this year, a third-party developer commissioned by the immigration police briefly leaked the personal details of 2,000 foreign nationals living in southern Thailand during the testing stages. The data contained people’s names, addresses, professions and passport numbers.

Attacks are cheaper

An SME owner’s assumption that the business is too insignificant to interest cyber criminals may have been true in the past, but that is no longer the case. The decreasing cost of compute power and growth of automation allows cyber criminals to mass produce attacks at a fraction of what it used to cost.

“The cost of compute power has gone down and we can assume this will continue,” said Mark McLaughlin, CEO at Palo Alto Networks. “The advantage goes to the attacker as it means they can launch bigger and more sophisticated attacks at less cost.

“When the cost of an attack goes down, the number of successful attacks will go up at an alarming and exponential rate.”

Singtel’s Chang said: “This is a major issue as large enterprises have funding and resources to build or leverage security service providers to increase their level of defenses, but SMEs either do not have the resources or do not bother.”

It is a popular myth that attackers have to force their way into organizations. In fact, most breaches occur when attackers trick employees into letting them inside the organization, said Alex Lei, regional director for Southeast Asia at FireEye.

For instance, in January 2014, an employee of a contractor engaged by KB Kookmin Card, Lotte Card and NH NongHyup Card used a portable hard drive device to steal credit card data, according to prosecutors in South Korea. Some 20 million customers were reportedly affected by the firms’ data breach.

An added challenge, said Lei, is that Asia as a whole and Southeast Asia in particular are playing catch-up in cyber security. “In 2015, the median time it took the typical Asia-Pacific organization to know it had been compromised was 520 days – about 17 months,” he said. “The global figure is only 146 days and in Europe, the Middle East and Africa, it’s 469 days, according to the 2016 Mandiant M-Trends Asia Pacific report.”

The problem is compounded by the fact that Southeast Asia is significantly more exposed to targeted attacks than the global average. “In the second half of 2015, 27% of the organizations we observed in Southeast Asia were exposed to at least one targeted attack. This is almost double the global average of 15%,” said Lei.

A particular challenge is the fact that most breaches in the Asia-Pacific region never become public, as governments and industry-governing bodies may lack effective disclosure laws, according to the Mandiant M-Trends report. Also, SMEs are less likely to understand attacks and report them to authorities.

Breach losses not revealed

Symantec’s 2016 Internet Security Report found that in 2015, more companies chose not to reveal the full extent of the breaches they experienced, with an 85% increase in the number of firms that chose not to report the number of records lost.

“In ASEAN, a lot of [cyber security] breaches are not shared,” said Chang. “But increasingly, countries will mandate that notification is mandatory when there is loss of customer, citizen and public data. Due diligence will take cyber security measures to a different level.”

Regulatory requirements can be a deterrent. For instance, Singapore’s Computer Misuse and Cybersecurity Act (CMCA) gives law enforcement agencies the power to investigate and apprehend individuals or entities behind cyber crime.

Data protection laws can also encourage organizations to ensure their IT infrastructure is secure enough to protect data. ASEAN nations Malaysia, Singapore and the Philippines have introduced comprehensive data protection regimes in the past five years. Singapore has started to enforce this legislation, with the Personal Data Protection Commission imposing a fine of S$50,000 on karaoke chain K Box Entertainment Group for not having sufficient security measures to protect the personal data of 317,000 members, for inadequate data protection policies and not having a data protection officer. Its IT supplier, which was responsible for its content management system, was fined S$10,000.

Regulators in industries such as finance are also playing their part. In the Philippines, the central bank has set up a separate cyber security surveillance division to craft cyber security policies and conduct surveillance work, monitor cyber threats and test the ability of supervised institutions to manage cyber security issues.

Meanwhile, the Monetary Authority of Singapore took “appropriate supervisory actions” against Standard Chartered after the data of 647 of the bank’s wealthy clients was stolen in Singapore. The data was taken from a server hired by Standard Chartered at a Fuji Xerox printing facility to print bank statements.

Mitigating the risk

“The truth of the matter is that nobody can guarantee that an SME or enterprise won’t be hacked or breached,” said IDC’s Batra. “It’s all about assessing the security landscape and mitigating the risk. SMEs need to have plans in case of a breach.

“Investing in security for enterprises and SMEs is like a country investing in its nuclear arsenal – with the hope that they never have to use it.”

Editor: Karl Flinders
Sub-editors: Bob Wells, Jaime Lee Daniels, Ryan Priest
CW Production editor/design: Claire Cormack
Vice-president APAC: Jon Panker

TechTarget/CW ASEAN, 55 B/C Tanjong Pagar Road, Singapore 088476

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

CYBER CRIME

Mobile devices feed card fraud in ASEAN

Card fraud is rising in ASEAN countries, and high use of mobile devices is a contributing factor, reports Ai Lei Tao

Card fraud is on the rise in ASEAN countries, mirroring a global trend, a study has found. This suggests users of smartphones and tablets in the region need to be educated on security.

Singapore has the sixth highest rate of card fraud globally and the third highest in the Asia-Pacific region, with 36% of credit, debit and prepaid card users having experienced unauthorized activity on their cards in the past five years. The equivalent figure for Indonesia is 26% and for Thailand 23%.

For the 2016 study that produced these figures, ACI Worldwide surveyed 6,000 consumers across 20 countries, including Singapore, Indonesia and Thailand.

“The faster-maturing markets, such as Thailand, Indonesia and India, tend to show greater levels of risky behavior,” said the report, claiming this could be attributed to less consumer education and experience with payment cards.

In the ASEAN countries surveyed, more than 20% of consumers banked or shopped online using a computer with no security software, or on public computers.

Internet cafés

Consumers in Thailand and Indonesia tend not to have strong broadband connections at home, so they rely on internet cafés when activities cannot be completed on a mobile device.

Risky consumer behavior

There was a clear correlation between risky consumer behavior and fraud, while the overall risk of fraud rose due to a global increase in smartphone and tablet use.

The report suggested consumers need to be educated about risky behavior, which includes leaving smartphones unlocked when not in use, shopping or banking online without using security software, and responding to emails or calls that ask for banking information.

“Card fraud rates are on the rise in the majority of countries included in the survey,” said Ben Knieff, senior research analyst at Aite Group. “The data shows that consumer education and customer service remain a challenge for financial institutions globally, as risky behavior has a direct correlation to experiencing fraud.”

In Asia-Pacific, the proportion of consumers that received at least one replacement card after an attack ranged from 14% in Thailand to 34% in Singapore. This may reflect fraud attacks and data breaches aimed at more affluent regions, such as Singapore.

Many consumers across the Asia-Pacific region used these replacement cards less than their original cards. Some 36% of consumers in Singapore, 58% in Indonesia and 74% in Thailand opted to use cash or alternative payment methods rather than credit or debit cards following a card fraud incident.

This behavior represents lost revenue for financial institutions, illustrating consumers’ lack of confidence and the increasing availability of non-card-based payment options.

Higher exposure to risk

While risky and imprudent behavior by consumers makes security more difficult to enforce, the digitization of financial services inevitably exposes banks to a larger number of client touchpoints and higher exposure to risk, said Sui-Jon Ho, senior market analyst at IDC Financial Insights.

“Remote devices, be it client smartphones, remote ATMs or point-of-sale units, are all potential entry points for database breaches, yet the ecosystem of users continues to expand beyond what any single bank can feasibly control,” said Ho. “As vehemently as banks attempt to mitigate such intrusions, it also falls to merchants and consumers themselves to safeguard their transactions.”

Other security threats include spoofing, pharming, phishing and ransomware – all part of a would-be hacker’s arsenal to illicitly attain personal card information. “Such external threats are premeditated and instigate specific risky actions to a larger degree, rather than leveraging on consumers’ own carelessness,” said Ho.

❯Singapore government will table new Cyber Security Bill in 2017.

AUTHENTICATION

The problem of passwords and how to deal with it

Security experts have long recognized passwords as inadequate. Finally technology is offering some viable alternatives, writes Peter Ray Allison

Passwords are a ubiquitous part of the digital age. They are the keys to unlocking our online profiles that are hosted across a plethora of websites. With each of our profiles necessitating a separate password, it is not uncommon for people to need up to 50 passwords.

So it is not surprising that the worst passwords of 2015, as revealed by TeamsID, remained “123456”, “password”, “12345678” and “qwerty”. This is despite continuous advice and education to the contrary, as security gives way to convenience.

A 2004 episode of Spooks, entitled “Outsiders”, dramatized the dangers of using such common passwords, where a hacker was able to access the server of a pharmaceutical manufacturing company simply because the router was set to the default password of “Password”.

Logins leaked

In recent times, hundreds of millions of passwords have been leaked online, including more than a hundred million LinkedIn logins and tens of millions of Twitter logins put on the darknet.

The problem with passwords is that, for them to be effective, they need to be an uncommon word, of eight letters or more, and not used anywhere else. But memorising 50 or more passwords is a major task. “It is very difficult to have complex and unique passwords for as many sites as required,” says security adviser Sean Sullivan of F-Secure. “It is understandable [that people re-use them] because they are required to use so many passwords.”

According to Microsoft’s TechNet, for a password to be effective, it needs to meet these criteria:
• Changed every 60 days.
• At least eight characters long.
• Use both upper and lower case characters.
• Contain a combination of alphanumeric characters and symbols.
• Unique (only used for this particular profile or website).
• Stored using a reversible encryption.

Using these minimum requirements means there are at least 2 × 10^14 different possibilities. A normal PC running a freely distributed brute-force password cracker can attempt eight million passwords a second, which means it would take up to 315 days to break a password of the type prescribed above. But a high-end computer with 25 GPUs was recently found to achieve 350 billion passwords a second, which would take only up to 10 minutes to break the same password.

Rather than simply relying on users to follow sensible password requirements, administrators can enforce these by establishing group policies for the network. These policies operate as a top-down hierarchical process and apply the password requirements to each of the users connected to the network.

It is advised that as well as a maximum duration, the minimum duration for a password should be one day and a history of previous user passwords should be stored to prevent them from being re-used. Also, most group policy systems can be configured to lock an account after a prescribed number of failed login attempts. Some companies go so far as to make their employees change their password every two weeks, but as F-Secure’s Sullivan says: “Complexity every 14 days means that it is going to be written on a Post-it note.”

❯Here are five steps to ensure stronger passwords and better authentication to reduce the threat of business data theft.

Similar to the localization systems used by banks to detect unfamiliar geographic locations of financial transactions, in the event of possible fraud, servers can be configured to detect, flag and/or block access to accounts from unfamiliar regions or IP addresses.

Many companies use security questions to confirm identities. These questions are usually personal in nature, asking about the user’s background. “These are easily researchable, so security researchers say you should lie to these questions,” says Sullivan. “The problem is that you will forget your lie, because you are not a pathological liar.”

Using password lockers is one solution for keeping track of multiple passwords, but these are only as good as the security algorithm protecting the user’s passwords. Some password lockers, such as F-Secure KEY, also contain a notes field, where users can store the answers they gave for the security questions.
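The brute-force arithmetic above can be reproduced with a few lines of Python. This is an added example written for this page, not code from TechNet, F-Secure or anyone else quoted in the article. It uses only the length and character-class criteria from the list: a 62-character alphabet (upper case, lower case and digits) at eight characters gives 62^8, about 2.18 × 10^14 candidates, which is the “at least 2 × 10^14” figure and, at the article’s eight million guesses a second, the 315 days; adding the 32 printable ASCII symbols only widens the search. The 350 billion guesses a second is the article’s 25-GPU figure. The lockout policy used to bound online guessing (five failures, then a 30-minute lockout) is an assumption made here for illustration, since the article gives no numbers for it.

```python
"""Exhaustive-search and lockout arithmetic for the password criteria above.

Added example for this page. The guess rates are the article's figures;
alphabet sizes follow its length and character-class criteria; the lockout
policy is an assumption made here for illustration.
"""
import string

SECONDS_PER_DAY = 24 * 60 * 60

# Alphabet sizes implied by the criteria: letters and digits (62), and the
# same plus the 32 printable ASCII symbols (94).
ALNUM = len(string.ascii_letters + string.digits)
ALNUM_SYMBOLS = ALNUM + len(string.punctuation)

PC_RATE = 8_000_000            # guesses/second, "normal PC" (article figure)
GPU_RATE = 350_000_000_000     # guesses/second, 25-GPU machine (article figure)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def offline_summary(alphabet_size: int, length: int) -> dict:
    """Worst-case search time against a stolen hash: PC in days, GPU rig in minutes."""
    return {
        "keyspace": keyspace(alphabet_size, length),
        "pc_days": exhaustive_seconds(alphabet_size, length, PC_RATE) / SECONDS_PER_DAY,
        "gpu_minutes": exhaustive_seconds(alphabet_size, length, GPU_RATE) / 60,
    }


def online_guesses_per_day(max_failures: int, lockout_seconds: int) -> int:
    """Upper bound on guesses per account per day when the account locks for
    `lockout_seconds` after `max_failures` consecutive failures (assumed policy)."""
    lockouts_per_day = SECONDS_PER_DAY // lockout_seconds
    return max_failures * lockouts_per_day


def online_years_to_exhaust(alphabet_size: int, length: int,
                            max_failures: int, lockout_seconds: int) -> float:
    """Years needed to try the whole keyspace through the login form under lockout."""
    per_day = online_guesses_per_day(max_failures, lockout_seconds)
    return keyspace(alphabet_size, length) / per_day / 365


def main() -> None:
    for label, size in (("letters+digits", ALNUM), ("letters+digits+symbols", ALNUM_SYMBOLS)):
        s = offline_summary(size, 8)
        print(f"{label:24s} {s['keyspace']:.2e} candidates; "
              f"PC {s['pc_days']:.0f} days; 25-GPU rig {s['gpu_minutes']:.1f} min")
    # Assumed lockout policy: 5 failures, then locked for 30 minutes.
    print(f"online guessing under lockout: {online_guesses_per_day(5, 1800)} guesses/day, "
          f"{online_years_to_exhaust(ALNUM, 8, 5, 1800):.1e} years to exhaust 62^8")


if __name__ == "__main__":
    main()
```

The contrast between the two figures is the point of the exercise: a lockout policy only limits guessing through the login form, so the minutes-scale offline result is what applies once a password store has been stolen.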
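The “detect, flag and/or block” logic for logins from unfamiliar regions or addresses, mentioned above, can be sketched as follows. This is an added example, not code from the article or from any bank or vendor it names: the login history is constructed sample data and the address-to-country table is a stand-in for a real GeoIP lookup, using the RFC 5737 documentation ranges so that no real network is referenced.

```python
"""Flag or block logins from addresses and regions an account has not used before.

Added example for this page, not from the article or any vendor it names.
GEOIP is a constructed stand-in for a geolocation database and HISTORY is
constructed sample data; the RFC 5737 documentation ranges are used as
addresses so that no real network is referenced.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed prefix -> country table standing in for a GeoIP lookup.
GEOIP = {
    "192.0.2.": "SG",      # TEST-NET-1, treated as Singapore for the example
    "198.51.100.": "SG",   # TEST-NET-2, also Singapore
    "203.0.113.": "BR",    # TEST-NET-3, treated as Brazil for the example
}


def country_of(ip: str) -> str:
    """First matching prefix in the constructed table; '??' when unknown."""
    for prefix, country in GEOIP.items():
        if ip.startswith(prefix):
            return country
    return "??"


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    success: bool


# Constructed login history, oldest first.
HISTORY = [
    Login("alice", "192.0.2.10", True),
    Login("alice", "192.0.2.11", True),
    Login("alice", "198.51.100.7", True),
    Login("alice", "203.0.113.9", False),   # failed attempt: must not teach the profile
    Login("bob", "198.51.100.20", True),
]


def build_profiles(history):
    """Per-user sets of source IPs and countries seen on successful logins.
    Failed attempts are excluded so a location cannot be whitelisted just by trying."""
    ips, countries = defaultdict(set), defaultdict(set)
    for rec in history:
        if rec.success:
            ips[rec.user].add(rec.ip)
            countries[rec.user].add(country_of(rec.ip))
    return ips, countries


def assess(login: Login, ips, countries) -> str:
    """'allow' for a known address, 'flag' for a new address in a known country
    (or an account with no history yet), 'block' for a never-seen country."""
    if not ips[login.user]:
        return "flag"                     # no baseline: enrolment is handled elsewhere
    if login.ip in ips[login.user]:
        return "allow"
    if country_of(login.ip) in countries[login.user]:
        return "flag"
    return "block"


def assess_all(attempts, history=HISTORY):
    """Assess a batch of attempts against profiles built from `history`."""
    ips, countries = build_profiles(history)
    return [(a.user, a.ip, assess(a, ips, countries)) for a in attempts]


if __name__ == "__main__":
    for user, ip, verdict in assess_all([
        Login("alice", "192.0.2.10", True),
        Login("alice", "192.0.2.99", True),
        Login("alice", "203.0.113.5", True),
        Login("carol", "192.0.2.1", True),
    ]):
        print(f"{user:6s} {ip:15s} -> {verdict}")
```

Whether “flag” means a second-factor prompt and “block” means a hard deny is policy for the caller; the important design choice is that only successful logins update the baseline, so a failed attempt from a new country does not quietly make that country familiar.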

Two-factor authentication is increasingly adopted as a form of identification and authorization. Most financial institutions now use two-factor authentication as part of their online banking systems. Users not only need to know their login and password, but also a random single-use code that is sent to their security token or as a text message to a verified mobile phone.

This is not a foolproof system, as the mobile phone or security token could be stolen. But using two-factor authentication means there is an additional level of security to overcome before access is gained.

Biometric authentication, by which a user’s identity is confirmed by methods such as fingerprints, voiceprint or facial recognition, is increasingly being used as the systems become more affordable.

Biometric security at HSBC

HSBC recently introduced biometric security for its 15 million First Direct customers. The HSBC Banking application on Android and iOS devices will now offer First Direct customers the opportunity to identify themselves using finger and voiceprint authentication, rather than stating their telephone security password or PIN number. A wider roll-out to the rest of HSBC’s customers is expected by the end of 2016.

The voice recognition software, provided by Nuance Communications, is so accurate that it can even differentiate between identical twins. Through analysing speech, the voice recognition software can measure speed, cadence and pronunciation, as well as the speaker’s physical aspects, such as the shape of their larynx, vocal tract and nasal passages.

But this accuracy also means that it may deny access if an account holder has a sore throat, or if a customer has switched devices and is using a new microphone.

Although HSBC was not the first bank to offer biometric security to its customers, it is certainly the largest planned roll-out of voice biometric security technology in the UK.

Despite the inevitably large financial impact this roll-out will have, HSBC will no doubt be able to regain this through swifter banking (authentication takes just over 10 seconds), a reduction in call center staff and a decrease in fraudulent activity, due to the increased security offered by biometric systems.

However, the cost is not as high as might be expected because it is only the software that needs to be implemented. All of the biometric authentication is performed using the customer’s own devices.

The advantage of biometric authorization is that the data is almost impossible to mimic and users always have it with them. People cannot leave a finger at home, or have it stolen without realising, as might happen with a security token.
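The “random single-use code” step of two-factor authentication described at the top of this page, as an added example written for this page and not the system of any bank it names. It shows the server side only: issuing a code, storing only a digest of it, and accepting it exactly once within a validity window. The 300-second window and three-attempt limit are assumed values, delivery to a token or phone is outside the snippet, and the clock is injected so the expiry path can be exercised.

```python
"""Server-side handling of single-use login codes for a second factor.

Added example for this page; not the implementation of any bank or vendor
named in the article. CODE_TTL_SECONDS and MAX_ATTEMPTS are assumed values.
Delivery of the code (SMS, token) is out of scope.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3         # assumed wrong guesses tolerated per issued code


class OneTimeCodes:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can advance time
        self._pending = {}       # user -> [digest, expires_at, attempts_left]

    def issue(self, user: str) -> str:
        """Create a six-digit code for `user`; keep only its digest, return the code for delivery."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [self._digest(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, code: str) -> bool:
        """Accept the pending code once, within its window; burn it on success or after too many tries."""
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already used/expired/burned
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired: a later correct guess must not work
            return False
        if hmac.compare_digest(digest, self._digest(code)):
            del self._pending[user]           # single use: replaying the same code fails
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]           # too many wrong guesses: force a fresh code
        return False

    def has_pending(self, user: str) -> bool:
        return user in self._pending

    @staticmethod
    def _digest(code: str) -> bytes:
        # Only a digest is stored, so a leaked table does not hand out live codes
        # directly; with a 10^6 space the attempt limit above is the real control.
        return hashlib.sha256(code.encode()).digest()
```

The three deletions in verify() are the substance of “single-use”: a code that has been accepted, has expired, or has absorbed its quota of wrong guesses is gone, so neither a replayed code nor a late correct guess gets through.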

But these systems are still not foolproof. “Fingerprints are unique to each individual, but to a computer, they might look the same and facial recognition has been fooled with photographs,” says technical manager Wayne Street of ID Management Systems. Fingerprint scanners have also been fooled by fake gelatine fingerprints, and back in 2002 by the gummy bear hack.

Some companies have found they are encouraged to use biometric security systems due to the high security standards expected by corporate clients. Others have wanted the ability to remove a person’s access to a building, such as if they have left the company, without having to change PIN codes for everyone else. This has not always been successful, however.

“We tried a biometric lock for our main office door, but after months of frustration, we have given up,” says Jeremy Stern, managing director of PromoVeritas. “It was professionally fitted, but caused us regular problems – not recognising fingerprints, then resetting itself. In the end, we got our money back and have an old-fashioned key padlock.”

Biometrics as login

Rather than using biometrics as an alternative to passwords, F-Secure’s Sullivan suggests using them as a form of login may be a better tactic. “For businesses that have strong legal obligations to protect their data, I do not think they should rely on biometrics as a password,” he says. “If somebody comes up with a solution where biometrics are used as a username, rather than a password, then that is great. Then two-factor authentication is right there on my person – my finger plus my password.”

But what does the future hold for passwords? Google’s Advanced Technology and Projects division intends to replace passwords for Android apps with a trust score. Currently called Project Abacus, the trust score will be calculated based on typing speed, vocal inflections and facial recognition, as well as proximity to familiar Bluetooth devices and wireless routers. Should the user not meet the minimum trust score criteria, they will be asked to submit their password to authenticate their identity.

To ensure that they are adequately protected, companies should always ensure they change any default passwords and enforce the minimum recommended password requirements through the group policies of their networks.

For companies that handle confidential data, it is worth considering the use of second-factor authentication through biometrics or security tokens. Given the wide range of systems currently available, determining whether a particular system will be cost-effective is a balance between cost and risk.

Ongoing developments are leading to increasingly robust authentication systems that are better able to resist future network breaches. Companies that fall behind will risk losing customer confidence, while those that stay ahead will demonstrate how seriously they take data security.

CYBER SECURITY

Lauri Love: the student accused of hacking the US

How did a brilliant but fragile teenager from a rural English town end up facing life imprisonment in the US? Bill Goodwin and Niels Ladefoged speak to Lauri Love

Lauri Love was in his dressing gown drinking coffee when a UPS delivery man arrived at the door of his parents’ house in Stradishall, Suffolk, in October 2013. He was already feeling tired and frustrated after completing his mind-numbing first day on a compulsory work scheme for people accused of claiming disability benefits.

When Love reached out for the package, the delivery man said: “You’re being arrested under the Computer Misuse Act.”

A dozen officers from the National Crime Agency, the UK’s equivalent of the FBI, poured into the house. They found one computer logged into an online chatroom using a nickname, it was later claimed, that was associated with a hacking group, and on another machine fleetingly saw file structures that were allegedly stolen from the US Federal Reserve.

Love’s first thought was for his parents, Alexander, a Baptist minister and chaplain at nearby Highpoint prison, and Sirkka-Liisa, a teacher. “Most Christian people have only had positive experiences with the police and have not had a house ransacked, so I didn’t want them to be too distressed and upset,” says Love.

His mind went into overdrive as he tried to look after his parents, while also making sure the police read him his rights, cautioned him and did not ask questions they were not legally entitled to. “They asked me questions about my computer and encryption and whether I would give them the unlock code for my phone, which they shouldn’t really do,” says Love.

Three years later, Love, now 31, faces extradition to the US and a possible 99-year prison sentence.

Indictments filed inNew York, the Eastern District The occupation, which lasted seven months and SMEs are Achilles heel for ASEAN security of Virginia and New Jersey accuse Love of break- ❯Computer activist led to what many thought was a heavy-handed ing into computer systems belonging to US gov- Lauri Love should be police raid, was one of the longest-running student spared a life sentence in a ernment agencies, including the FBI, the Federal demonstrations of that period, attracting wide- Mobile devices feed US jail, says former hacker card fraud in ASEAN Reserve Bank and the Missile Defense Agency. Gary McKinnon. spread media attention. The case is the first serious test of the “forum Later, Love became heavily involved in the Occupy bar”, introduced by the then UK home secretary, Glasgow movement, taking up residence in a tent The problem of passwords and how , to allow UK citizens to challenge US in the center of Glasgow. to deal with it extradition requests, following hacker Gary McKinnon’s 10-year The protest ended badly for Love, who fell into another serious battle against extradition. depression and had to be rescued by his parents. “My mum and Lauri Love: the Love’s father told Westminster Magistrates’ Court in June dad extracted me and took me home,” he says. “I’ve not been student accused of hacking the US 2016 that he was in no doubt his son would take his own life if back to Glasgow since. I can’t now, because I’m not allowed to he was sent to the US. leave the country, and the country – in legal terms – is “In the past 30 years of being a minister, having to take funer- and Wales,” he says. als of people who have committed suicide, [I have seen] the Still depressed, and effectively stuck at home at his parents’ regrets that individuals have are because they did not see it house in rural Suffolk, Love turned to the internet to continue his coming,” he said. “In Lauri’s case, we do see it coming. That is political activism. 
“Through a computer, you can raise awareness, the difficulty.” promote causes and help with educational missions. Sometimes, Becoming an activist “Through a computer, you can people engage in electronic civil It was at Glasgow University that raise awareness, promote causes disobedience,” he says. Love first developed his interest in It was around that time that activism. In his first year, he went and help with educational missions hacktivist groups such as on an anti-fascist march, and in Anonymous began making waves. 2011, he found himself deeply and, sometimes, people engage in The group sprang from a discus- involved in the student occu- electronic civil disobedience sion and image posting group pation of Glasgow University’s ” called 4Chan. It started off with Heatherington Research Club. Lauri Love pranks on the internet, but soon

cw asean november 2016 12 CYBER SECURITY

Home

found itself fighting battles against the Church of Scientology, and “I was on webcam at the time,” says Love. “There was the FBI SMEs are Achilles heel for ASEAN security other more political targets. and guns and ‘drop to the floor’ and a lot of shouting and manhan- Love took a keen interest in the activities of Chelsea Manning dling. Compared with that, [my arrest] was a very civilized affair.” and Edward Snowden, but it was the tragic suicide of Aaron Brown was later sentenced to 63 months in jail and fines of Mobile devices feed card fraud in ASEAN Swartz that had a profound effect on him. $890,000, in what his supporters argue was clearly a politically Swartz, a brilliant computer specialist, helped design part of the motivated case. internet when he was 14, developed RSS news feeds and was a When Love was arrested in October 2013, the experience was The problem of passwords and how creative force behind the social news site Reddit. traumatic, but at least there were no guns. to deal with it He was arrested in January 2011 after using a computer at the The next day, Steve Brown, an officer and operations man- Massachusetts Institute of Technology ager with the National Crime Agency Lauri Love: the (MIT) to automatically download aca- (NCA), interviewed Love under cau- student accused of hacking the US demic journals from the JSTOR digital “It was a pantomime because tion at the Norfolk and Suffolk joint library. Supporters protested that the custody center in Bury St Edmunds. act was harmless, and JSTOR and MIT they knew I wasn’t going to Brown quizzed Love about a series of decided not to prosecute. answer the questions” alleged hacks on computer networks in “His death was totemic; it was sym- the US and Love declined to answer, on bolic,” says Love. “It was the death of Lauri Love legal advice. the dream of an idealistic, optimistic “I could tell that they had been given internet that could be free and open. 
It was perceived by people a list of questions by the FBI or the Department of Justice,” says as a personal attack on all the things they stood for.” Love. “There were maybe eight questions and they repeated A few months before his arrest, Love found himself online, them for all 12 networks. It was a pantomime because they knew watching a live feed of the FBI raiding the home of Barrett Brown, I wasn’t going to answer the questions.” journalist, activist and one-time member of Anonymous. The NCA released Love on bail without pressing charges. The young writer had been something of an irritant to the US Love’s parents agreed to pay bail fees, which they raised by sell- establishment, initially through his involvement with Anonymous, ing their campervan. “They asked for my passport, so my mum and later as founder of Project PM, a crowd-funded organization had to bring my passport in, which doesn’t normally happen dedicated to investigating abuses by companies specialising in when you’re arrested, especially when you are not charged with surveillance, often under contracts with the US government. any crime,” says Love.

cw asean november 2016 13 CYBER SECURITY


At one point, the NCA attempted to impose a ban on Love accessing the internet as part of the bail conditions, until the custody sergeant intervened. “Well, you’re not charging him with any crimes,” Love recalls him saying. “I’ve looked at his record, he hasn’t committed any crimes in the past – certainly not computer crimes. You can’t restrict someone’s liberty to that extent unless you’ve got a valid reason for it.”

Later, Love’s lawyer confirmed he could use the internet, providing he did not use anonymous internet services such as The Onion Router (Tor) or virtual private network (VPN) services.

Love was arrested again on 15 July 2015, this time by the Metropolitan Police extradition unit, before being released on bail after a short hearing at Westminster Magistrates’ Court.

Charged with hacking offences

He learned that he had been charged with hacking offences in the US from a BBC Radio 4 news bulletin. “I hadn’t been charged by the UK police,” he says. “I thought the BBC had screwed up and I was ready to call them to say, ‘I don’t remember being charged – where did you get that information from?’.”

US prosecutors had filed indictments claiming that Love was part of a sophisticated network of criminals involved in a protest by hacktivist group Anonymous against the treatment of Aaron Swartz, code-named #Oplastresort. Charges filed in three US states claimed that Love worked with accomplices to infiltrate a wide range of US government computers and steal the personal information and credit card details of government employees. The group was accused of exploiting a known vulnerability in Adobe’s ColdFusion software to break into US government servers between 2012 and 2013.

The indictments accuse Love of uploading “shells” or “backdoors” into vulnerable servers and using them to gain administrator rights, which allowed the group to download “massive amounts” of sensitive information. The allegations rely heavily on records of discussions between the alleged hackers in internet relay chat rooms. US prosecutors say Love used nicknames to discuss the attacks with accomplices.

On one occasion, Love is alleged to have written: “You have no idea how much we can f*ck with the US government if we want to. This stuff is really sensitive, it’s basically every piece of information you need to do full identity theft on any employee or contractor.”

Putting computer skills to good use

Love, as far as he can, is now trying to lead a normal life. He has completed the first year of an electrical engineering degree at the University of Suffolk and is helping to teach younger students.



He comes across as highly articulate and gifted, although he says he has “obsessional tendencies”. One obsession is his battery-operated amplifier and DJ equipment, which he takes with him everywhere, pushing it around on a porter’s trolley. He had to transfer the equipment to a pushchair to get it through court security during his extradition hearings.

Photo: Lauri Love takes his battery-operated amplifier and DJ equipment everywhere, even to court

He is putting his computer skills to good use at an organization called Hacker House, which brings former hackers and activists together to work with law enforcement and businesses to improve computer security.

Security research is perfect for people who have Asperger’s, says Love. “It is just being a scientist boiled down to its pure essence, in that there is a hypothesis, there is a system that acts deterministically, you can run experiments and, if you pick the right experiment, you can prove a theorem,” he says.

He applied for summer school at GCHQ for computer students, and – remarkably – was invited to an interview. “I had a chat with them and they liked the way I thought,” he says. “I said, ‘You know, I do have a few qualms about what you guys do, but if all of the people with qualms don’t go along and get involved, I imagine things will get worse.’ I didn’t get the place, and I don’t know if it was because they eventually searched my name and decided, ‘That’s a hot potato we don’t want to touch’. Or maybe I didn’t pass muster.”

Photo: Lauri Love with his parents, Alexander and Sirkka-Liisa

Love uses origami as a way of dealing with stress. As he sat listening to witnesses during court hearings, he would construct elaborate paper models of complex geometric shapes, and life-like red roses, which he handed out to a few of his supporters.

“I have a preternatural capacity to assimilate large amounts of information and systematise information from a variety of sources,” he says. “I don’t get on with arbitrariness or authority that does not stand on its own rational values.”

Love is guardedly optimistic that he will ultimately be allowed to stand trial in the UK and that he will be able to continue to make a positive contribution to society.

“At the moment I work in information security; I help make the internet more secure,” he says. “I fix things, and some of the things I fix are US government information systems. I could continue to do that if I’m a free person.

“Or I could languish in a cell, not get the treatment and provisions I need for my mental health, potentially die tragically, or, at the very best, emerge from it several decades later, broken and so far behind the technological curve that I can no longer contribute to society at all.”

Photo: One of the life-like paper roses made by Lauri Love during his court hearings

This is an edited excerpt; the full article is available online.
