ABC News
National
Shiloh Payne and Kevin Nguyen, ABC Investigations

Experts unpack the cyber black market, cybersecurity and hacking

Millions of Australians have had their hacked data openly traded online, but how do you know if you've been impacted, and what can you do to safeguard yourself in the future?

Look back on our live blog as the experts unpacked hacked data and the cyber black market.

Farewell

By Kevin Nguyen

I'm amazed at how many questions have rolled in and I'm sorry we haven't been able to get through them all.

A really big shout-out to Shiloh Payne for herding this particular group of cats.

Thank you again to our panelists Echo Hui, Katharine Kemp, Nick Klein, Paul Nevin and Vanessa Teague for their insights.

We launched this Q&A in light of a story ABC Investigations published yesterday about the true depths of the cyber black market. Have a read of it, below.

Until next time!

Social engineering in practice

By Kevin Nguyen

Full disclosure, I engage in social engineering sometimes as part of my work as an investigative journalist. I have very strict rules around never using it in my personal life.

I'm the open-source investigator (OSINT) here at the ABC and so I'm often called in ahead of a sensitive story to run security checks on our team.

Last year, when my colleague Alex Mann and I published a series of secret recordings from a neo-Nazi group trying to establish roots in Australia, I had to go through our digital footprints top-to-bottom to find any vulnerabilities.

Not specifically about us, but it's incredible what you can glean from a person from just fragments of information.

For example, if you had a photo of a student in their uniform and you had their rough age, it'd be relatively trivial to figure out their name and probably where they live without paying a cent for the information.

I won't go into how that information could be used to harm someone, but I've definitely come across some horror stories.

To answer a previous question of how to prevent it, I always tell people you send out as much information as you put in. Lock down your social media profiles because you never know who is snooping and keep separate emails for different things.

Even then you can't always account for what other people post or tag you in.

Any guidance on digital forensic tools that we can investigate as part of a preparedness strategy?

By Shiloh Payne

Any guidance on digital forensic tools that we can investigate as part of a preparedness strategy?

- Adam

Thanks for your question, Adam.

Nick Klein has answered this one for you:

First my cheeky answer – the best investment in forensic capabilities is training, not tooling. A well-trained practitioner will know what tools and methods are best for any given investigation.

Also beware of any vendor who claims their product is the only one you need. As the saying goes – "if all you have is a hammer, everything looks like a nail."

However, you mention preparedness – which is absolutely the right focus. I'd advise determining the kinds of incidents you expect to encounter, then mapping out exactly how they would play out across your environment, then determining the kinds of technical capabilities you need to detect and respond. For example – evidence collection from local servers and user workstations, log correlation from cloud platforms, monitoring for malware running on endpoints, performing forensic analysis at scale – you'll need a few tools to really fit the bill.

Without sounding too self-serving – please work with experts on this, who have done it all before.

Should hacked companies pay a ransom?

By Kevin Nguyen

How much is Australian data being ransomed for? What are the pros and cons of paying? Wouldn't a customer want an organisation to pay for it and is there an issue with publicising the fact that you're under ransom?

It's worth noting the Federal Government position, at least in the case of Medibank, is that you don't pay the ransom. However, it's far more complicated than that. I'll let our experts answer.

Paul Nevin says:

Over the years, I've changed my stance on the 'pay or don't pay' debate. When ransomware was comparatively new, and data restoration was automated, paying a small ransom made a lot of sense.

For example, on a Monday, I responded to a ransomware incident at an accountancy business and advised that my investigation would cost more than the ransom ($2000). They chose to pay the ransom to get their business systems back online quickly. Unfortunately, their receptionist clicked on another phishing email on Friday, locking up the network twice in one week.

When this was the extent of a ransomware attack, it was a simple business decision to figure out the cost of ransom vs fixing the underlying issue and restoring business continuity. What has changed in recent years is that malicious actors will extort additional money by threatening to release the business data online or selling it to other criminals on underground markets.

I think the only way we can combat this is to make ransom payments illegal.  It won't stop the attacks, but it may discourage malicious actors from targeting Australian businesses as they know the payoff will not be as great.

Nick Klein says:

Big questions!

Our Cyber Intel team has recently seen Australian customer records sold on the dark web for as little as $1.

Paying a ransom (or not) is a series of risk decisions. We regularly help organisations make these, and they’re extremely difficult.

The main reasons for paying include obtaining a decryptor to unlock systems and data when nothing else can and the data is absolutely critical. The other reason is trying to prevent the publication of stolen data when it’s super sensitive. However when dealing with criminals, there are no guarantees they’ll delete the data even if paid.

The main reasons for not paying are that it denies the attackers monetising their crime, it doesn’t help fund their illegal behaviour, and it doesn’t brand the company as somehow giving in to criminals – whether this perception is accurate or not is another discussion. In some cases, the criminal is a sanctioned entity, which makes payment illegal under Australian law. This is even trickier for US companies, who operate under a tighter sanctions regime.

Should the TOR project get shut down?

By Shiloh Payne

My question is for Vanessa: As both a cybersecurity expert and a privacy advocate, do you believe the Tor Project should get shut down?

- Jay

Thanks for your question, Jay.

Here's Vanessa Teague with her response:

No, I strongly support it. I acknowledge that TOR can be used by criminals, but it also provides a critically important service for political dissidents, whistleblowers and others who have an entirely legitimate need for anonymous communication.

And here's Kevin Nguyen:

I concur with Vanessa. Secure communication and unimpeded access to information is vital to the preservation of democracy. There's a reason why social media sites like Twitter and Facebook are the first to be taken offline during a totalitarian crackdown.

Do organisations collect too much 'frivolous' data?

By Shiloh Payne

Do organisations collect too much frivolous data? Does this "hunger" for statistical analysis create an overload on information technology infrastructure, consequently creating a "big juicy opportunity" for anyone?

- Cheryl

We have asked this one to Nick Klein for you, Cheryl:

Great point, and very much a question arising after recent large-scale breaches.

Many organisations are now reviewing what data they collect, why they need it, and whether they should either archive or destroy it. We've seen a steady increase in attackers honing their skills around stealing sensitive data during breaches, so holding unnecessary sensitive data (especially when it's not properly protected) is not only a risk to customers, it's a risk to the organisation itself.

As someone recently said, the new lifecycle of data governance is "from collection to class action".

Cyber security and election security

By Shiloh Payne

This question was asked to Vanessa Teague:

You specialise in election security, is there a crossover in your field and what's been happening in the past few months?

And here's her response:

Well, let's say I'm glad that producing ID document numbers over the Internet didn't allow you to vote in any of the elections we had in Australia this year.

Why can’t authorities trace who is responsible for a hack?

By Shiloh Payne

We have received a couple of questions about tracking down who is responsible for a hack, so we put this one to Nick Klein:

A few reasons. A skilled attacker will hide their true location using technologies such as TOR browsers, VPNs and routing through other systems, perhaps including others they've also compromised.

While it may be possible to trace these connections back to the source, doing so usually requires the assistance of the people or organisations overseas, which can be difficult to obtain, especially in jurisdictions that don't like to cooperate with us.

Also, good attackers won't leave clues behind that identify themselves. In fact, in some cases they drop clues that point to other cybercrime groups, or even nation-states, which makes attribution even harder.

Social engineering and the art of spying

By Kevin Nguyen

Social engineering as a concept in cyber crime (and crime in general) is becoming very popular in media, including in the Netflix series You.

We asked some of our experts what it is and how it works in practice. Note, it's not as simple as impersonating someone and it usually involves doing recon work to research a target.

Paul Nevin has the overview.

Social engineering is leveraging trust to convince a victim to perform some action that isn't in their interest. This is frequently done in cyber attacks in the form of phishing emails that claim to be from a friend, co-worker or trusted source asking you to click on a malicious link, purchase iTunes gift cards or some other dodgy action.

Social engineering is used by call centre workers claiming to be from the ATO or Microsoft to convince people they are legitimate, only to ask for a credit card number or remote access into their computer. These techniques can even be done in person by dressing up with a yellow safety vest, holding a clipboard and walking casually past the receptionist into the corporate office, only to steal laptops or implant malware.

It should be pointed out that a highly sophisticated social engineering attack is all but impossible to detect if done well. People should be aware they exist and be encouraged to report suspicious activity without fear of reprimand. This is especially true in corporate environments where security professionals always want to know if something suspicious has happened as early as possible. It can dramatically reduce the harm done, if caught early.

Vanessa Teague has raised a rather recent and dramatic example:

My favourite social engineering attack is the time Alexey Navalny called the FSB officers who poisoned him and pretended to be a senior FSB official demanding to know why they'd messed up the job.

Is there a way of preventing it?

Well, like anything, you can make it harder. It's clear that the FSB had some processes in place to explain to agents that they weren't supposed to spill the beans about sensitive operations in response to unsolicited phone calls. But they didn't have actual secure authentication of those phone calls.

Nick Klein seems to be a big fan of the Navalny call as well.

Oh I hadn’t seen that – how brilliant!

What are cookies and can they be used to break into my bank account?

By Kevin Nguyen

How are hackers getting MyGov passwords and login in details? And would these methods be the same for bank accounts?

We put this one to Echo Hui, who says we can only speculate but has offered some good advice.

Good question. The short answer is we don’t know. It would require some investigations from cyber experts for each case. But a likely possibility is the victim has clicked on some suspicious links or downloads (commonly referred to as a phishing scam).

Credential-stealing malware could extract the victims’ saved account names and passwords, even the cookies on their browsers.

A cookie (not the dessert) stores data for easier web-surfing. For example, notice how you don't always need to log in to your social media account every time? That's the cookie in action.

Stealing cookies tied to identity and authentication gives attackers a new path to compromise.

In some scenarios, stolen cookies work as a “super password” that could overcome multi-factor authentication. So my advice would be clean your cookies as often as you can and not save your passwords on web browsers.

As further advice from me, Kevin, I would add that most online banking services do use multi-factor authentication. So even if they had your ID number and password, it's not just a matter of punching that in and gaining access.

With Commonwealth Bank for example, you'll typically need an app on your phone to confirm bank transfers to unknown accounts.

This is what proper digital protection is meant to look like. It should have multiple contingencies.

How much of the Australian cyber security industry is based within Australia?

By Shiloh Payne

How much of the Australian cyber security industry is based within Australia? (on shore) - Steve

Here's Paul Nevin for you, Steve.

We are fortunate to have a strong domestic cybersecurity industry and world-class professionals working on our behalf.

As a nation of early technology adopters, we have always been at the forefront of Internet adoption, resulting in a thriving market for technology innovation and services.

It is no stretch to claim our cyber security professionals are among the best in the world but also universally motivated to help their fellow Australians.

To this point, many Australian commercial competitors work collaboratively on cybersecurity threats as a whole-of-nation defensive effort. Australians should be proud, as it is unique to find Government (ACSC), commercial industry and academia working collaboratively for the greater good.

How do I find out if I've been compromised?

By Shiloh Payne

A lot of you are asking how you can find out whether your information has been hacked.

Here's Nick Klein:

If your details have been compromised in a breach of an Australian company, such as Optus or Medibank, they have an obligation to notify you. They’ll also provide advice on what you should do.

There are also (legitimate) websites that collect stolen data, which you can query for your details. One popular one is haveibeenpwned founded by Australian security professional Troy Hunt. You can also subscribe for updates as new data is disclosed.

Technology companies are also improving their efforts in this area. For example, if you’re an Apple user, you may notice that the Safari web browser alerts you if it knows your stored credentials have been compromised in a data breach – make sure you update your passwords if this happens.

Lastly, always ensure you follow good cyber security hygiene, which includes:

  • Use strong passwords, and different ones for important services like online banking and email
  • Use multi-factor authentication on all accounts that support it (again, especially important ones)
  • Check to see what devices have logged into your online accounts (where the provider supports this)
  • Make sure you’re running anti-virus on your computer, and keep it updated
  • Be on the lookout for suspicious emails and text messages, especially where they ask you to click links or open attachments.

Why can't the dark web be closed down?

By Shiloh Payne

Why can't the Dark Web be disabled or closed down?

- Steve

Hi there Steven, thanks for sending your question in.

Nick Klein says it's not as simple as it may seem:

Firstly it’s technically difficult, since the dark web is embedded through the Internet.

Shutting it down would require ISPs to filter dark web traffic, which sends us down that slippery slope of Internet censorship.

It probably wouldn’t work anyhow, since new technologies would be developed to bypass these filters.

In fact these already exist, such as VPN services which hide a person’s true location.

What's the point of paying for the 'return' of data?

By Shiloh Payne

As it seems impossible to locate hackers, what would be the point of paying for the 'return' of data? Even if payment was made how is it possible to prove the data has been obliterated? - Patrick

Hey there Patrick, here's Paul Nevin's answer:

This is a tricky question; it all depends on the nature of the investigation. In some cases, the payment isn't so much to 'return the data' as to validate what has been stolen.

Payment can be a delay tactic to give investigators additional time to get to the truth; what exactly was stolen and where it was taken. What people don't understand is that the cost of the ransom is usually only a small fraction of the total cost of a compromise.

The investigation, disruption to business, loss in customer confidence and stock market damage can be many times the extortion amount.

What are the current trends and what are the future predictions for attack targets and vectors?

By Shiloh Payne

What are the current trends and what are the future predictions for attack targets and vectors?

- Steven Smith

Hi Steven.

Nick Klein has listed a few common techniques he has seen lately.

Attackers are nothing if not wily and nimble. Some of the techniques we've seen more recently include:

  • Focussing more on stealing sensitive data, and sometimes not even deploying ransomware
  • Operating independently rather than being aligned with a well-known cybercrime group
  • Increased technical skills attacking virtual platforms, since so many companies run these
  • Bypassing MFA and other security controls which block their activity
  • Being nastier in publishing sensitive stolen data, to force victim organisations to pay

Having said that, attackers are humans too – they can be inexperienced, incompetent, and just plain lazy. Mostly they choose easier targets and use basic attack techniques that should be easy to prevent and detect.

Are cyber attacks becoming more common due to the dark web?

By Shiloh Payne

Are cyber attacks becoming more common due to the dark web, if so why? - Charlotte

Here's Vanessa Teague:

Again, I don't really know. Ironically, they could be becoming more visible because the results (and the tools) are traded relatively openly on the dark web.

White hat hackers and ... cowboys?

By Shiloh Payne

We've had a comment from Adam about white hat hackers which says:

We should consider the implications of these labels - similarly white-listing and black-listing of applications…

Paul Nevin has given us some insight into the background of the term.

The concept of a white hat hacker comes from old black-and-white TV cowboy shows. For an audience to easily know who was the bad guy and who was the good guy, TV producers would place a light-coloured cowboy hat on the hero, and the bad guys had dark-coloured hats.

If you can imagine watching a black and white TV set from the 1960s, this would look like black and white hats. The idea has stuck around, so we call hackers who work towards the greater good white-hat hackers and cybercriminals and other malicious hackers black-hat hackers.

The skills and knowledge required to be extremely good as a black or white-hat hacker are similar. It comes down to the ethics of the individual as to which hat they choose to wear.

A white hat hacker will be employed to break into companies or identify vulnerabilities that need to be fixed. They do this under very strict rules of engagement to ensure no actual harm is done.

White hat hackers may also identify serious problems in software code and inform the owner of problems, hopefully before black hat hackers take advantage of these bugs. Suffice it to say the world owes a great debt to the many white-hat hackers working on our behalf to secure the Internet and the computer systems we rely on.

Why are we hearing about cyber hackings now more than before?

By Shiloh Payne

This question is from Callum:

Why are we hearing about all this now? Has something changed, or are companies being coerced into admitting breaches in their security?

Here's Dr Katharine Kemp's response:

There is a Mandatory Data Breach Notification scheme under our federal Privacy Act which makes it compulsory for companies like Optus and Medibank to give notice to the Office of the Australian Information Commissioner and affected individuals where a data breach is likely to give rise to serious harm.

We happen to have had a couple of recent major data breaches which have affected a significant percentage of Australians, which needed to be notified under that law. There's also been a lot more media coverage of other breaches than we've seen in other years, most likely because people are already (rightly) concerned about the major breaches they've heard about.

Is there a benefit to purchasing or paying for anti-virus software?

By Shiloh Payne

We've put this question to Vanessa Teague, CEO of Thinking Cybersecurity.

Honestly, I don't know. There are some benefits sometimes, because if you're using a decent one it has a fair chance of detecting well-known attacks and malware.

However, there's also a risk because you're giving a company access to all your files. Some anti-virus software is quite misleading. (A certain elderly person I know downloaded McAfee and became quite upset when it told her in great big red text that her computer was unsafe — it turned out that all it had 'detected' was a competing anti-virus product. Would you trust that software with all your files?)

Is hacking like in the movies? The sequel

By Kevin Nguyen

Hacking and cybercrime in a lot of movies is probably not representative of what happens in reality. What is your favourite/least favourite hacking trope you see in TV and movies, and what actually happens?

Paul Nevin's favourite trope already has a legendary status in cyber circles:

Undoubtedly, the scene from NCIS with two characters hacking simultaneously on the keyboard is the most ridiculous thing I have seen.

What happens, in reality, is that weeks or months of effort are required to plan, test and execute sophisticated cyber attacks. The actors work in teams, many with extremely specialised skills, to build up the infrastructure servers, test malware and translate phishing emails before the actual attack. In many cases, it is far more like an episode of The Office than a James Bond movie.

Kevin here, I really wanted to add to this and say this scene never fails to make me laugh.

I do wonder if they're being cheeky? I used to be notorious at my previous job for asking the IT department if they could simply "hack into the mainframe" as a response to any technical issue.

Hacking in films and TV is seen as something of a kinetic activity. Not only are hackers depicted as physically abusing their keyboards but what happens on their computer screen is a disorientating swirl. In the same NCIS clip you can see about a thousand pop-ups onscreen. Sometimes hacking is represented as a kind of geometric exercise.

In the Hugh Jackman film Swordfish, I recall him solving a kind of digital Rubik's Cube to bypass a firewall. In reality, what is happening on screen is probably a console or terminal showing lots of lines of code.

It happens this way for practical reasons: it lets you see a lot of code and data in one go. Nowhere near as exciting as trying to beat the world record for keystrokes per minute, admittedly.

I suppose this stems from the director's need to make the process of hacking seem exciting. We definitely have this problem in news media as well, which isn't helped by the lack of real experience with coding and hacking among reporters.
