The book is designed to cater to a broad spectrum of readers, ranging from cyber-security experts and policy-makers to academics. Despite its intended primary audience, the book has also been written in such a manner as to make it accessible not only to university students but also to the broader general public. The complexity and rate of change seen within areas of technology, cyber security, and ethical hacking make it essential not to assume that you are across all terminology. There are many terms that common media and blogs use incorrectly or interchangeably, such as “computer virus,” which often turns out to be a “computer worm.” Other new methods of malicious-software propagation may emerge that a reader would not necessarily be familiar with. In general, ethical hacking involves many technical terms that require a foundational level of understanding in order to better understand policy and other issues. For example, a denial-of-service attack is potentially lawful if your own device is used to participate in an online political protest. It would not be lawful to use a botnet that connects to unknown or third-party devices to participate in the same protest. The aim is to provide you with digestible material that demonstrates concepts through engaging case studies. These case studies of ethical hacking, spanning the last twenty years, are dissected and catalogued in a manner that identifies the groups and movements, their motivations, and the techniques they used. You will see some of the most notorious of these incidents explored and referenced in chapters 4–6; selected incidents are then looked at in context and by issue in chapters 7–13.
If you are a policy-maker, chapters 3–7 and 14 are essential reading. Chapter 3 provides the only publicly available quantitative analysis of ethical hacking in the world. The stark numbers contained within this chapter will assist you in demonstrating why the decisions and policies you recommend are fundamentally essential. As a policy-maker, you are all too aware that in a world of cleverly masked sensationalism posing as substantive information it has become difficult to discern what information can be trusted. Chapters 4–6 table legal cases and selected noteworthy incidents from the quantitative analysis. Throughout chapters 7–13 I aim to provide you with intricate and, at times, intimate looks at the world of ethical hacking, which will assist you in generating well-informed and robust policy. Chapter 14 discusses the frameworks and changes required as a matter of both policy and law.
If you are a cyber-security expert or consider yourself a hacktivist, there are ethical and legal issues contained within this book that are essential reading. This includes policy and legal lines to be cautious of, which could easily see the stance authorities take toward you cross from “ignore action with caution” to “prosecute.” These cautionary tales are drawn from my experience undertaking a large range of roles, as described above.
As I know all too well, the issues surrounding cyber security have garnered interest from a broad demographic of society, and are not limited to just policy-makers, experts, and academics. Even if you do not fit within any of the three categories just named, I would still love for you to drop me a line at alanacybersecurity.com and let me know your background. While I keep analytics on how many people visit the site, and the general geographic area of the IP addresses, this will give me an opportunity to engage with you and understand the broader community interests. But please remember that if you are looking at the site or wish to contact me about a private or sensitive matter, this site offers no anonymity to you. So, connect with a VPN, proxy, or other anonymizer such as Tor.
www.alanacybersecurity.com
There is also the option of communicating later using encryption and, for journalists, I have and use Signal.
I have a confession: I am an ethical hacker. I use technology in a non-violent way in the pursuit of a cause, political or otherwise, which is often legally and morally ambiguous. I don’t intentionally break the law. Many of the actions I take are assumed by politicians, lawmakers, and people around the globe to be legal because there are few to no legal precedents and scant reportage. The law is written broadly, in a way that captures far more than one might expect. Part of my motivation for writing this book is to highlight how desperately new law and policy are required for ethical hackers.
As a human-rights activist I work to educate and protect online civil liberties globally, but more specifically for the jurisdictions in which I have lived and worked, namely Canada, Hong Kong, and Australia. When I lived in Hong Kong I provided research assistance for the OpenNet Initiative (a collaborative partnership between the Citizen Lab at the University of Toronto, the Berkman Center for Internet & Society at Harvard Law School, and the Advanced Network Research Group at the Cambridge Security Programme, Cambridge University) to examine how Chinese authorities filtered the Internet in 2003–2005. The testing of which sites were blocked in the Chinese firewall meant that a host of domestic Chinese laws were violated, even though the object was merely to provide an accurate reflection of what types of sites were blocked, along with where, when, and possibly why these sites were filtered. I continue to be involved in research efforts addressing civil liberties and Internet freedom for the nongovernmental Freedom House, a liberty watchdog. I was the researcher and author of the Australian Internet Freedom portion of the annual Freedom House Report, Freedom on the Net (2011–2017). Freedom on the Net is the most widely utilized worldwide resource for activists, government officials, journalists, businesses, and international organizations aiming to understand the emerging threats and opportunities in the global Internet landscape, as well as policies and developments in individual countries.
I am a professor and researcher above all else—I currently am the Professor of Cybersecurity and Behaviour at Western Sydney University. I am in the privileged position of leading multidisciplinary research and lecturing teams across a range of cyber-security projects and courses. I work with industry, government, and civil society on a daily basis. But my views about ethical hacking can be traced to a time and place long before I became a professor of cyber security. Here is a bit more about what informs the research, analysis, and opinions represented in this book.
I was a key researcher with the law and policy division of the Data to Decisions Cooperative Research Centre (D2DCRC). The D2DCRC specializes in big data/artificial intelligence for national-security purposes. The centre involved multiple computer scientists and data scientists from universities, industry (e.g., Palantir and SASS) along with governmental departments predominantly in Australia but also in Canada and the United Kingdom. With the D2DCRC, we worked on confidential matters where we helped groups make informed decisions on how new technologies were being built and how they would function based on proposed new legal and policy frameworks.
From an international perspective, I was fortunate enough to be asked to speak at a United Nations workshop in China on cyber security and human rights, where the majority of attendees were students and professors in the cyber-security division of the People’s Liberation Army’s National Defence University. The questions asked and views imparted to me were enlightening, and reminded me how much misinformation there is in cyber security and ethical hacking. My research from my honours in law, masters, and PhD degrees—and indeed my current research—has been entirely interdisciplinary, as has my work with government, law firms, and later with universities. For my PhD I worked with underground security-activist groups concerned with botnets, conducted empirical qualitative research, and worked closely with the technical community to deepen the research. I worked with individuals and organizations in Europe, Asia, North America, and Australia. This included dialoguing and consulting with individuals from Internet-service providers, the Australian Communications and Media Authority, computer emergency response teams (in Australia, Canada, and Estonia), cyber-security journalists, Shadowserver, various computer-science researchers, and the National Cyber-Forensic Training Alliance (an FBI and Carnegie Mellon cybercrime training and investigative service, located in Pittsburgh). The thesis could best be described as in the field of cyber security, using methods and analysis from criminology, economics, information systems, and the law. This book borrows from my graduate work in botnets, especially in the chapter on security activism.
I am on the board of directors and am the special cyber adviser for the investigation firm IFW Global. IFW is an investigation firm specializing in cybercrime and intelligence. My advisory work has involved performing a variety of tasks, including surveillance advice, developing protocols for sensitive investigations in foreign countries, providing legal information on investigative procedures and contracting with intelligence units, as well as writing memoranda for arbitration disputes involving counterfeit engineering products. Our investigations have involved online fraud and malicious online conduct, which has led us to cooperate with cybercrime and anti-money-laundering divisions of the FBI, CIA, Interpol, the AFP, the New South Wales Police Force, and Thai and Philippine police. Our investigatory work on one cybercrime case led to corruption investigations and charges against certain members of the Queensland police force. IFW is globally renowned for shutting down and recovering funds from sophisticated online organized crime, including payment-diversion fraud and boiler-room and binary-option scams.
Payment-diversion fraud typically involves a situation where a network and/or devices on a network are compromised; a criminal watches the actions of the company over time and is able to divert a payment due to a supplier to an unknown third party. This is also known as compromised supply-chain fraud.
A boiler-room scam typically refers to a call centre selling questionable investments over the phone, almost always backed by legitimate-looking fake websites.
Binary options involve a highly speculative form of trading where you don’t trade on a market but often trade against a binary-option “company” (in market parlance, a bucket shop)—effectively, an illegitimate broker. The binary-option broker has a backdoor into an online trading platform, where the broker can manipulate prices while you, the potential customer, are trading—ensuring that you don’t win too often, or win just enough to draw you in to want to invest more. The chances of a payout are remote (one in several million), yet people are lured into investing by promises of a big payout. It is rather like someone enticing you to invest a large sum of money on a horse race with poor odds. The difference, however, is that the odds are so remote that this type of investment is illegal in many jurisdictions. Additionally, the scammers are actively manipulating prices as you engage and invest, luring you into losing more money. Communication is often done through highly encrypted apps such as Signal, and money is exchanged and funnelled through money-laundering processes and, increasingly, through cryptocurrencies. It is extremely difficult to recover money laundered through encrypted cryptocurrencies, making this type of online fraud a lucrative business.
I provide legal and ethical information to computer-security experts (and almost certainly some hackers) on a wide range of topics, such as deviation of application program interfaces (APIs), data crawling on the Deep Web, sale of vulnerabilities and bugs, copyright issues in proof-of-concept videos, subverting national firewalls, disclosure of corrupt practices, and hacking targets. I do know that requests for information have come from Russia, Estonia, China, Jordan, Saudi Arabia, Australia, and Canada, but possibly from anywhere, as people tend to use anonymizing technology to contact me to reduce the risk of identification. One person goes so far as to send me only hard-copy documents by post.
Lastly, I have done consultancies for government and industry. In fact, this book is largely the product of research/consultancy work on ethical hacking for Public Safety Canada in 2010. Public Safety Canada engages and works with various departments on a range of cyber-security issues and also houses the Canadian Cyber Incident Response Centre. As you can see, my understanding of cyber-security behaviour and ethical hacking is based on first-hand knowledge as well as research. That’s more than enough about me; let’s move on to the topic of the book: ethical hacking.