They’re known as web robots or “bots”. An army of computers infected with software that allows a remote “master” to take control of the affected machine – usually without the knowledge of the computer’s owner. The cybercriminals who command these computers are called botherders or botmasters. Botnets are used to send spam, viruses and spyware – used to steal personal or confidential information – and to launch denial of service (DoS or DDoS) attacks. Cyber security experts say that the future home of the world’s largest botnet is in Africa.
The first time I meet the hackers is in 2011. Surprisingly, the meeting isn’t hush-hush or secret – it’s announced on Twitter. There’s a notice about something called 0xC0ffee. I ask if I can gatecrash.
I’m the only girl there. It’s a default setting. 0xC0ffee is basically all guys. Unofficial members of an informal community of professional and amateur information security (infosec) programmers and systems engineers. Some are students but most of them already work in IT – for small companies, for bigger ones (cellphone companies, banks, government agencies), and some work for themselves, as freelance consultants. They all spend a lot of time on their computers. When they have free time, they code.
0-Day means something else entirely. Zero-Day. It refers to an attack that exploits a previously unknown vulnerability on your software. It’s known as a 0-Day exploit because that’s the amount of time it’s been known about, publicly: zero days. As soon as a vulnerability becomes known it starts to lose value as other hackers perpetuate the exploit and software companies begin to develop patches.
The 0xC0ffee group meet up in person (they also have an online forum) to share problems and solutions, and ask questions. One guy says he has identified a “hole” in a big corporate firewall; he wants to know if he can ask for money if he tells the company about it. The consensus seems to be no. There’s further discussion about how to even go about telling companies (or governments) you’ve discovered a vulnerability in their system – it kind of raises the issue of why you were snooping around in the first place. Like sending your neighbour an Instagram taken from inside his bedroom, with a polite note telling him he left the window open.
Juicebox (his real name is Matt; the juicebox thing is an in-joke, which I don’t get and have to Google) works as system engineer for an anti-malware (malicious software) company.
“I’d probably call myself a hacker if only to make it easier for people to understand my thinking and understanding of computers and computer security,” he says. “To me it means I like to find ways around things, whether it’s a security control in an application or system or just making something do something I want it to do, instead of its intended use.”
Most of the hackers say they do what they do because it’s fun. Every firewall or security construct is a puzzle just waiting to be unravelled – one of those little interlocking metal thingies you have to figure out how to undo. What you do once you’re inside depends on the kind of person you are.
There are different types of hackers: black hats, grey hats, and white hats. Black hats are the bad guys – the ones who use their skills to crash sites and systems, to steal or corrupt your data. White hats are the good guys; ethical coders who develop software to improve security systems, maybe even trap or take down a few black hats. (Matt runs something called a “honeypot”. “It’s really just software that emulates a vulnerable system or application,” he explains, “so that attackers will find and exploit the ‘system’. I can then see what methods they’re using and spread the word.”)
Grey hats fall somewhere in between: they’ll find your vulnerabilities and access your system (without your permission) but they don’t use the information maliciously or for personal gain. Sometimes they’ll let a company or organisation know where the holes are; sometimes they let other hackers know, too. Most of the 0xC0ffee guys fall into this category.
Africa has one of the highest numbers of cybercrime victims in the world, says Professor Basie von Solms, director of the University of Johannesburg’s Centre for Cyber Security. “In terms of the impact of cybercrime we’re third after China and Russia. That’s not good company to be in.” The FBI rates South Africa 7th – out of the world’s top 50 complainant countries – for financial losses due to cybercrime.
One of the reasons South Africa in particular, and Africa in general, have been targeted is the “big broadband cyberpipes coming in, on the east and west coasts of Africa. When broadband capacity facilities are installed, suddenly a country becomes very accessible, Internet-wise.”
Von Solms adds that “many of the people in South Africa, and to a bigger extent Africa, are people moving into cyberspace for the first time via mobile phones. They didn’t go through a PC generation. They have no understanding of the risks. They do things in cyberspace because they suddenly have the option, and they are being caught out. Criminals are very aware that in many developing countries a generation is jumping the learning curve of going through a desktop computer.”
He says the number of cybercrime victims is “going to grow, because of the aggressive marketing of mobile banking and mobile transactions. The broadband is there and the victims are there.”
There’s another draw factor: even if cybercriminals are identified and traced – most of the masterminds operate through South African networks but are not physically here – the lack of appropriate cooperative legislation means very little can be done about it. South Africa is a signatory to the Budapest Convention on Cybercrime but, Von Solms says, has not yet fully subscribed to (or ratified) it – which leaves certain crimes committed outside our physical borders in a virtual no-man’s land.
Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. (Neuromancer)
When William Gibson defined cyberspace, nearly three decades ago, he saw it as clusters of light. But there’s a shadow world – a hidden Internet. And it’s estimated to be 500 times bigger than the one most of us can see.
The Deep Web is the part of the Internet that is “beyond the reach of Google” – content (some of it perfectly mundane) that can’t be found or indexed by the spiders or bots that crawl the Internet for information. This may include archives and articles hidden behind paywalls, as well as sites working in dynamic code specifically designed to confuse spiders. The Deep Web simply means it’s not “searchable”. Content that is deliberately hidden is referred to as the Dark Web, or Darknets. Here, users are hidden too, concealed by passing data through multiple servers (you can download programmes that will do this for you).
The Darknets were originally developed as platforms for free speech – a way for people, in any location, to use the Internet without fear of detection, censorship or persecution. They’re also where cybercriminals go to do their trade. Dark markets, where everyone is anonymous and everything is available: names, credit card numbers, zero day exploits (you can buy a full or even a half day), child porn…
“What should I call you?”
“You can use my full name. The best hackers in the world use their real names anyway.”
Like most of the hackers I meet, Robert Gabriel has little formal education in computers – he picked up Hacking Exposed in 1999 (he’s just bought the 7th edition) and taught himself, first from books, then from online printouts and, later, through communities like ZaCon (zacon.org.za). “It’s like watching a magic trick. What’s the first question you ask? How did you do that?”
He says hacking is like a drug rush. “For the real hacker, it’s an obsession.”
Gabriel works for a Security Operations Centre (SOC) in Johannesburg that provides “continuous monitoring of data” – real-time or near real-time data analysis that allows them to pick up and respond to potential problems, from unauthorised network access or abuse of privileges to phishing, botnets, viruses, trojans and worms (See “Don’t Be a Soft Target”). The SOC’s clients include a number of provincial government departments.
Gabriel says his SOC picks up new firewall scans – people checking to see what, if any, ports are open – every few minutes. Recently they ran a log of denied (unauthorised) access attempts and put the data through a Google Maps application. Most of the attempts came from China. “They hack everybody, but they also hack themselves,” he says, adding that China is far from the only country using hackers to try and target other countries’ information. “It’s government versus government.”
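A defender-side sketch of the triage Gabriel describes (counting denied attempts per source country and spotting sources that probe many ports), added here as an example and not the SOC’s own tooling; the log format, the scan threshold and the prefix-to-country table are constructed assumptions.

```python
# Triage firewall DENY logs: denied attempts per source country, plus port-scan candidates.
# Log format, threshold and GeoIP table are assumptions for this example, not from the SOC.
import re
from collections import defaultdict

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2011-08-14T09:00:01 DENY SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
2011-08-14T09:00:02 DENY SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
2011-08-14T09:00:02 DENY SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80
2011-08-14T09:00:03 DENY SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=443
2011-08-14T09:00:03 DENY SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=3389
2011-08-14T09:05:10 DENY SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
2011-08-14T09:07:30 DENY SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP DPT=22
2011-08-14T09:09:00 DENY SRC=198.18.0.9 DST=198.51.100.5 PROTO=UDP DPT=161
"""

# Hypothetical GeoIP lookup keyed by /24 prefix; a real SOC would query a GeoIP database.
GEO_BY_PREFIX = {"203.0.113": "CN", "192.0.2": "RU", "198.18.0": "ZA"}

LINE_RE = re.compile(r"^(?P<ts>\S+) DENY SRC=(?P<src>[\d.]+) DST=\S+ "
                     r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$")


def parse_log(text):
    """Return (timestamp, src_ip, proto, dst_port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["src"], m["proto"], int(m["dpt"])))
    return events


def country_of(ip):
    """Map an IPv4 address to a country code via its /24 prefix; unknown prefixes -> '??'."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def denies_by_country(events):
    """Count denied attempts per source country (the data behind the map Gabriel describes)."""
    counts = defaultdict(int)
    for _, src, _, _ in events:
        counts[country_of(src)] += 1
    return dict(counts)


def find_port_scans(events, min_ports=4):
    """Flag sources that hit at least min_ports distinct ports: a likely port scan."""
    ports = defaultdict(set)
    for _, src, _, dpt in events:
        ports[src].add(dpt)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The same source repeatedly hitting one port (192.0.2.44 on 22 above) is not flagged as a scan; it would need a separate brute-force rule keyed on attempt rate.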
In response, the big fish (financial institutions, governments) keep putting up bigger, better virtual fences. Which, in turn, has driven organised crime syndicates to sniffing out less-protected targets: small and medium-sized companies.
“SMMEs haven’t got the security expertise to protect their systems, and they haven’t got the money,” Von Solms says. “They don’t attack the bank anymore – they attack the end-customer.” Small businesses often yield lucrative data, like credit card and personal information (remember that online purchase you made through a local craft store? That.) “In the UK and the US, the government has come forward to make [security resources] available for small companies. They know their cyberhealth is strategically important, on a national level,” Von Solms says. “There are companies whose entire business model is based on the Internet. If they are hacked and their business goes offline, it’s major. There are jobs on the line.”
Matt agrees. “The biggest issue with information security in South Africa will be government support. Without the support and understanding from government, we’re fighting a losing battle.”
The hackers are obsessed with locks. Physical locks – like the ones on your door or your suitcase. Some of them bring padlocks and lockpicks with them to the 0xC0ffees and spend the entire afternoon trying to work their mechanisms.
“It’s about muscle memory. It’s not something you can research,” one of them tells me.
Physical security is one of the most commonly neglected aspects of data protection. It’s often easier to break into a locked room, or a locked laptop bag, than it is to break into a secure network. At the first 0xC0ffee I attend, several of the hackers tell me one of the easiest ways to steal data is simply by sticking a USB drive into a computer and leaving it there. Most people don’t even notice a few centimetres of plastic sticking out the back of their tower or computer, and it can easily be retrieved a few days later.
Increasingly, large companies or enterprises are taking steps to disable USB ports or impose encryption software on USB uploads and downloads, but it’s still a security gap. Whistleblower Edward Snowden used a thumb drive to smuggle documents out of the US National Security Agency – even though such devices were banned.
Sometimes you don’t even have to break in – you just have to ask someone to hold the door open for you.
“These days you don’t go for the company,” says Gabriel, “you go straight for the systems administrator. The systems administrator holds the keys to the kingdom.”
Haroon Meer – formally the founder of Thinkst Applied Research, informally a total hacking legend (the 0xC0ffee guys whisper reverentially about how Meer once hacked a computer that was placed inside a locked room and disconnected from the Internet or any networks) – has blogged about this issue, commenting how, traditionally, access to “secrets” was usually only granted as individuals “progressed higher” within organisations.
“This natural balance (mostly) worked since it tied the individual’s future with the company’s future,” he wrote. What has changed, he explained, is that “entry level sysadmin (or dba) [system or database administrators]” have “access to the same secrets at minimum wage. Sitting at his desk, your junior network admin is (probably) able to read the email of every highly paid exec in the company.”