If there was any doubt about it, Amber Rudd in Manchester last month said that cybercrime is where modern day crime is being committed and international conflicts played out; from criminal groups hacking and phishing to monetise our personal data from credit cards to identity data, to attacks on businesses and banks releasing huge funds which are instantly laundered round the world, to the use of the dark web to trade in criminal goods and services.
And while not all money laundering relates to cybercrime, the scale of money laundering in this country is staggering. London is undoubtedly the money laundering capital of the world; the Home Affairs Select Committee estimates that £100bn is laundered through London (mainly the property market) a year. And if Mexico is the heart of the international drugs trade, the UK is its head. Increasingly these more traditional criminal activities incorporate aspects of cybercrime. Rudd announced another £50m over 2019 to bolster cyber capabilities within law enforcement. UK Government statistics suggest 7 out of 10 large businesses have been affected, with an average cost of £20k per business.
Here are some recent examples of cybercrime hitting national/international news:
In the Sony Pictures hack in 2014, movies were distributed freely on the internet and personal information was used to embarrass prominent players in the entertainment business and tarnish their careers. North Korean hackers are thought to have been behind it, trying to stop the release of a film about Kim Jong Un. Of course, it was North Korean hackers behind the 2017 ransomware attack, which froze computers in over 150 countries, including dozens of NHS Trusts, leading to thousands of cancelled operations. That brought home how important basic cybersecurity is.
In 2015, the Panama Papers were hacked from a Panamanian law firm, and confidential attorney-client materials were distributed worldwide. This reminds us that lawyers and law firms, especially those that may be representing high-profile defendants, are ripe targets for exploitation; more on that in a moment.
In 2016 in the US, emails from the Democratic National Committee and the Clinton presidential campaign were hacked and then published by WikiLeaks. There was also the alleged unlawful use of online personal data in the US election.
This year, Essex-based Goncalo Esteves, aka KillaMuvz, was convicted of computer misuse offences and money laundering for offering an online service for hackers, who could test their own malicious hacking tools against anti-virus scanners. He also sold custom-made malware-disguising products. He accepted conventional money, Bitcoin and Amazon vouchers and made about £0.5m. This allowed fairly unsophisticated hackers to sharpen their tools.
Matthew Falder got 32 years at Birmingham Crown Court after a joint investigation by the NCA, GCHQ, US Homeland Security, Europol and Australian police. He was blackmailing victims into posing for indecent images which he then sold and promoted on dark web hurtcore websites.
Closer to home this year, we had the five University of Manchester students who sold more than £800k worth of drugs on Silk Road on the dark web, trading in bitcoin, allowing them to pay off their student loans, buy city centre pads and party in the Bahamas. They were intercepted by the FBI when it shut down Silk Road in October 2013.
Finally, also this year, we have all heard about the alleged use of cybercrime techniques to steal personal information available through Facebook Apps, then used to influence the Brexit vote.
Arising from this broader context are a number of discrete issues: the need, not least as practitioners, to have a basic understanding of cryptocurrency, and what lawyers and other professionals can do practically to protect ourselves and our clients from cybercrime.
Cryptocurrency and Cybercrime
Ross Ulbricht created the black market trading website Silk Road in around 2011. By using the Tor browser, he could anonymise the IP address of the site and his own identity. You could get anything from pure MDMA to credit cards to guns. Silk Road also required traders to use Bitcoin. While all Bitcoin transactions, from the very first to the latest, are recorded in a virtual log called the blockchain, users would avoid linking their identities to their online “wallets” and so could undertake transactions with considerable anonymity. Brilliant. So why does he now sit in prison serving a life sentence without the possibility of parole?
Part of the answer to that question relates to how Bitcoin works. The cybercriminals using Silk Road wanted privacy, which depends on high anonymity and low transparency. The problem with most cryptocurrencies and certainly Bitcoin is that the transactions themselves are highly transparent as they are all published on the blockchain.
To send money in Bitcoin you need to use your unique private key, just like you need an email password to send email. But, unlike email, instead of getting to choose your public address – email@example.com – it gets mathematically generated from the private key. People can see that public address and, of course, data is recorded permanently on the blockchain when you make a transaction.
To give you an analogy, I can prove I know the private code to my iPhone by punching in that code and then showing you the unlocked screen. The problem with this for cybercriminals is there may be clues hidden in that screen which can lead law enforcement to uncovering their identity. It was this aspect of transparency within Bitcoin, combined with traditional investigative techniques, which led police to Ulbricht. And in the same way, cryptocurrencies like Bitcoin are now favoured by law enforcement precisely because of the transparent way the blockchain works. Crack that and you have all the transactions permanently recorded.
But imagine if I try to prove to you I have the code to my iPhone in another way. I don’t want you to see the screen of my unlocked phone. What else could I do? I suppose, without showing you the screen, I could activate a wireless hotspot which you could detect was coming from my phone. That might be another way to prove I must know the private code.
The important point to make about cryptocurrency is that cybercriminals have largely moved away from Bitcoin and onto other cryptocurrencies such as Monero, ZCash and Ethereum, which adopt alternative techniques for verifying virtual currency transactions: techniques which increase privacy.
As practitioners we need to have a developing understanding of cryptocurrencies. Illegal transactions and, particularly, money laundering, will continue to be attracted to them. There are now a huge number of these currencies available on different exchanges with an estimated market capitalisation of over $100bn. There are increasing moves to regulate, particularly from the FCA, and to legislate. It may well be that cash, with its lack of transparency, may fall out of favour entirely and Governments may well attempt to operate their own cryptocurrency.
Protecting Ourselves and Our Clients from Cybercrime
Although most lawyers do not need to become de facto information security officers, given that lawyers and law firms historically have had notably lax security protocols, knowing some of the current best practices will help safeguard client information. All lawyers need a working awareness of cybersecurity issues, as well as becoming compliant with the General Data Protection Regulation, which comes into force on May 25th 2018, with its duty to report data breaches to the Information Commissioner’s Office and its fines for non-compliance:
Email: Email technology is over 40 years old and was designed to facilitate speedy communication without security in mind. It therefore should go without saying that sensitive information should not be sent by email. To facilitate email communication on sensitive issues, lawyers should consider the adoption of an end-to-end encryption platform and two-factor authentication. At the very least, attachments should be password protected, with the password transmitted separately.
Cloud Services: While free cloud services like Dropbox, Evernote, and Google Drive have become popular ways to share documents and information, these should be avoided whenever possible. Unfortunately, clients often like the convenience of these services. Arguably, we are under a duty to warn clients when the client’s behaviour creates a significant risk that a third party may gain access
Mobile Devices: From a security perspective, Apple’s iOS devices are preferable to Android devices. Apple’s “closed ecosystem” design, where the company designs both the hardware and the software, allows Apple to push security updates out to users quickly. On the other hand, Android devices not only need software updates from Google, but each device manufacturer then has to customize the Android software to its devices, a lag time that allows for longer opportunities to exploit security vulnerabilities. Apple also vets each app before it is available in the App Store, while Google Play is more freewheeling and does not thoroughly test the apps that are available to Android users.
Border Crossings: As a matter of national sovereignty, a nation has the ability to search and inspect anything that comes across its border, including (controversially) data stored on electronic devices. When re-entering the United States, this ability trumps the Fourth Amendment’s protections from unreasonable searches and seizures. Accordingly, lawyers need to think very hard about whether to bring any electronic device with sensitive information across a border; while the risk of searches is low, the outcome could be catastrophic.
Charging in Unknown Ports: Public USB charging stations have proliferated, especially in airports. But remember that USB ports can transmit both power and data, so lawyers should know what is on the other end of those USB ports before plugging in. If you do not, you should not plug your mobile device into that port. (And the same goes especially for the chargers some taxi and Uber drivers offer their riders.) If necessary, carry a “USB data blocker”; these are cheap and can be plugged in between your device and the charger.
Web Browsing: Lawyers should avoid unnecessary plug-ins or extensions, many of which are written purposefully to monitor your activities and aggregate your data. However, lawyers should strongly consider using the Electronic Frontier Foundation’s HTTPS Everywhere extension, as well as Adblock Plus or uBlock Origin, to protect their computers from “malvertising” attacks.
A basic understanding of the current landscape will help to lock your virtual doors and prevent threats not only to your clients, but yourselves.