by Nirmal John
NIRMAL JOHN
BREACH
Remarkable Stories of Espionage and Data Theft and The Fight to Keep Secrets Safe
PENGUIN BOOKS
CONTENTS
Preface
1. The Con in the Code
2. Food for Thought
3. The Slow Death of Piracy
4. Banking on Data
5. The Weakest Link
6. Taking Data Hostage
7. Power Breach
8. White Hat Is Greenback
Epilogue
Footnotes
Preface
1. The Con in the Code
2. Food for Thought
3. The Slow Death of Piracy
4. Banking on Data
5. The Weakest Link
6. Taking Data Hostage
7. Power Breach
8. White Hat Is Greenback
Epilogue
Acknowledgements
Follow Penguin
Copyright
PORTFOLIO
BREACH
Nirmal John is scared of artificial intelligence. When not dreaming up scary scenarios of a future dictated by machines, he loves observing and recording life at the intersection of technology, culture and business. He is a journalist who has worked with Fortune India and is currently with the Economic Times Online in Bengaluru. This former adman loves telling stories of people who have embarked on crazy adventures (or misadventures) in an increasingly tech-obsessed world. He is also the winner of the Prize for Economic Journalism in Asia, 2016, awarded by the IE Business School in Madrid, Spain.
Advance Praise for the Book
‘Breach is a fascinating book on data theft. It’s educative, it’s informative, it’s insightful! Nirmal’s book is thought-provoking, superbly researched and deftly crafted. He is an engaging writer who combines the nuts and bolts of data theft with a deeply felt sense of India and shows how to combat it. This is a remarkable saga of data protection and data security. The lucid, open-hearted account makes for an interesting and informative read for experts, academics and practitioners alike’—Amitabh Kant, CEO, NITI Aayog
‘Unputdownable! Nirmal tackles a complex and tricky subject with the craft of a novelist combined with the skills of an investigative journalist. The book is a page-turner where you feel the childlike excitement of finding out what lies beyond that closed door!’—Aditya Ghosh, president and whole-time director, IndiGo
‘A fascinating, and scary, sweep of the many different types of data breaches we are susceptible to, written in a fast-paced mystery-novel style. If this book does not make you realize the enormity of the problem, nothing will’—Ajit Rangnekar, former dean, Indian School of Business
To Appa and Amma
I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.
—Elliot Alderson, a character from the TV series Mr Robot
Preface
I’m Bruce Wayne. I’m also Peter Parker. At times, I am Rajinikanth.
One of the greatest things about my job as a business journalist is that no two days are the same. I get to talk to extremely interesting people on subjects as varied as the economics of asteroid mining, delivering education to a screen-obsessed generation, or the impact of artificial intelligence on the travel industry.
There is always the option to have these meetings in a local cafe. But I prefer going to their offices because I believe it reveals more about the person I’m meeting and provides what my editor calls colour. It was during one of these trips to an office a few years back that I started my experiments with multiple personalities.
The first person to welcome me in nearly all the offices I visit is the security guard, usually clad in an ill-fitting uniform in a not-so-fetching shade of blue and a cap perched uncomfortably on his head. He usually sits on a plastic chair behind a small desk, with both the chair and the desk out of sync with rest of the office decor. As I walk in, he asks if I have an appointment, and as soon as I answer that question, he thrusts a large register in front of me.
‘Sir, entry kar lo. [Please enter your name.]’
I nod and proceed to write my name. Then, without even as much as a glance at what I have written in the register, he motions me inside the office.
One day, in 2012, this flow changed. I had a meeting with the managing director of a multinational firm in Gurgaon for a story that I was working on. As usual, I was about to enter my name in the register when a thought occurred to me. Did it matter what I wrote in the register? Would they know if I put in a fake name? Were the guards really keeping a track of visitors by the information they provided about themselves?
It was around the time when the third movie in Christopher Nolan’s Batman trilogy, The Dark Knight Rises, had come out. Instead of writing my name, I wrote Bruce Wayne, Gotham City. I was a tad apprehensive of getting caught and being embarrassed, but I needn’t have bothered.
I was ushered right in.
It was too easy. Since then I have passed myself off as Peter Parker, David Beckham and Rajinikanth in offices in Bengaluru, Mumbai, New Delhi, Noida, Gurgaon, Faridabad, Ghaziabad, Ahmadabad, Pune, Kochi, Hyderabad, Mysore, Jaipur, Chennai and many other cities. I have written these names at the offices of India’s biggest start-ups to its biggest financial institutions and largest conglomerates and everything in between. I have even done it in companies that provide security services, both digital and physical.
There are rare offices which ask for your identification and those, of course, stay out of bounds for my little superhero transformations. But most offices don’t ask for anything more than a cursory entry into the register.
This little experiment got me thinking. If it was as easy as that for an amateur like me to saunter into the offices of some of the biggest companies in the country, without even having to disclose my real name, what about those with nefarious intent? How often did those with malicious ideas do what I did? More importantly, did those who were adept at the art of deception even break into a sweat if and when they wanted to steal information? Why weren’t Indian companies investing in better security? Why wasn’t I getting caught?
There’s more. We have stepped well and truly into a digital world. Although data has always been valuable in the context of most businesses, it has now acquired an altogether elevated stature. The Economist1 and Wired2 called data the ‘new oil’. Much of the obnoxiously high valuations for technology companies in the e-commerce era currently underway in India and around the world are not based on how much they sell, but on how much they know. Google, Facebook, Amazon, Alibaba, Tesla and Flipkart have become valuable because of this access to data.
In India, if it is so easy to find holes in the wall of physical security that Indian businesses build around them, how robust is their digital security? More importantly, how robust are the security practices pertaining to how the government handles this new era of data? After all, data is the currency of this century and any compromise on data integrity is an existential risk, not just for businesses but also for countries.
There are instances aplenty of hacking and stolen data from the most advanced of economies. Big names in business, including Sony,3 Target4 and Yahoo!,5 have faced major data breaches. Allegedly, Russian agencies hacked into the Democratic National Committee6 and leaked information to influence the US presidential election in 2016. Media reported that data was stolen from the Republican National Committee7 as well, but was suppressed to influence the election in that country. Then there is the most sensational of them all: Edward Snowden walked out of the most secure location with highly sensitive classified data from the United States National Security Agency.8
In the following pages, you will read a few i
nstances of data theft in India and how those fighting the threat reacted. As India grows and as more and more people move online, it becomes an even juicer target for criminals. Any number of reasons, from corporate espionage to cyberwarfare to financial gain to geopolitical manoeuvring to stalking, might motivate this criminal behaviour. There are many black hat hackers who do what they do simply because they can. What is certain is that the wealth of data that is being collected by companies and the government will constantly be under threat from those who want a peek.
Defending against these threats is not merely about enhancing technological security. It is about addressing the vulnerability of people. There is nothing that contributes more to breaches than the mistakes people make. Most of the incidents recounted in this book have happened not merely because of weak technology but because of errors in judgement by humans. It could be about people clicking on something they shouldn’t have or people disclosing passwords that they should obviously have kept to themselves.
Much of it boils down to ignorance, or a lack of appreciation of how actions of an individual can impact the data security of a company. When we are young, we are taught to close the doors and windows and lock them at night. The problem with India is that, at the moment, many of those who are on to the digital bandwagon don’t know the importance of closing doors and windows.
There will be more attacks from those hiding behind a digital veil, and it is important to empower the digital populace with knowledge to fight them. At the moment though, the conversations around these issues remain far too closeted. As the founder of a major Indian start-up told me, ‘Data security is a reactive topic, and as a country we don’t have conversations on security until shit hits the fan.’
This book is an effort to start this conversation. It is my two cents’ worth to trigger a more honest appreciation of data security in our society. There are enough instances of breaches in the country that have hurt businesses as well as individuals. It was a difficult task to get people to talk openly about these instances of data theft, and many refused to cooperate.
Thankfully, there were some who agreed with my submission that it was time that we became more open. Many of them were crime-fighters at the forefront of these instances and were governed by iron-clad contracts that didn’t allow them to reveal anything except the merest generalities, but they still chose to collaborate for this book.
Over the next few chapters, I will recount a few instances of where data was siphoned off from Indian entities. I will look at how these cases were investigated and how, in some instances, collaboration among stakeholders enabled a fightback. The thing about data theft in India is that those who know stories about how the tentacles of cybersecurity and data theft intertwine with everyday life know all about it and know it in depth. But beyond that echo chamber, ordinary folk as well as the future leaders of Indian businesses may not. This book is for them.
This is not meant to be a technical treatise, and I’m clearly not a techie to write one. It is meant to be a gentle tap on their shoulders to remind them of the importance of making sure that their data and the data generated by their company remains safe. This is not written for people who know all about breaches, particularly from within the security community. This is for people who are unaware of the extent of the problem. Life in this day and age becomes a little bit safer when individuals become a little bit more informed.
I hope you enjoy the read.
CHAPTER 1
THE CON IN THE CODE
The Mightiest Can Fall for the Simplest of Traps
The journalist couldn’t believe what he was hearing.
He was being accused of hacking into the computer of one of the most high-profile businessmen in the country. This was a businessman whose name popped up every other day in the dailies, both pink and white. This was a man whose influence ran deep across multiple industries and up and down the corridors of power in New Delhi. This was also a man whose association with the journalist was purely professional.
It was in that professional context that the journalist had been in touch with the businessman over the last few months. His was one of the companies the journalist had written extensively on for the media house where he worked.
He was not even remotely the sort of hacker who made computers dance to his tune, finding and manipulating their vulnerabilities. Hacker, no. Hack, maybe. As a noun, the word is defined as ‘a journalist whose work is low in quality or does not have much imagination’. Even in that context, he thought ruefully, describing him as a hack wouldn’t be fair, considering the quality of his work through his career was never in any doubt. He had spent many years in this profession and always considered his work as high quality.
Unlike many people he met in his trade, he was not obsessed with technology. He used his computer only to write stories and for research. He knew little coding, let alone programming of the malicious variety that would infiltrate computers. Why, then, was he being accused of snooping on and stealing data from one of the biggest businessmen in India? Nothing of what had happened in the hours leading up to his interrogation in a police station in India’s capital city made any sense.
His heart thumped hard and fast. It was the winter of 2011, among the coldest in recent memory in north India. The room should’ve felt chilly, but there were tiny beads of sweat forming on his forehead.
The ‘evidence’ against him was right there on the table. Every time he denied having anything to do with the hacking, the cops pointed to it. It was the printout of an email. He could see what was printed on it through the corner of his eye. Sure enough, it was his name in the ‘from’ column just before the subject line. That was what had led the cops to him that morning, with the accusation that he had hacked into the businessman’s computer. But he, sure as hell, hadn’t sent the email.
Time ticked by.
The journalist knew he needed to get help from someone who could prove he had nothing to do with any of this if he were to get out of this situation. He asked the cops if he could place a call.
* * *
The evening before the journalist found himself plunged in this nightmare, the businessman stood at the window in his office in Mumbai, gazing at the evening sun and its last few minutes of orange shimmer before it set in the Arabian Sea. He was contemplating, among other things, the last few years of his business. It had been a particularly tough period for his company. What accentuated the pain was that the lean phase had come right on the heels of a few years of huge success. Like many other businesses in Mumbai, and around the world, his company too had entered a difficult phase with the 2008 collapse of Lehmann Brothers and the meltdown it had triggered in the global markets.
He walked back towards his seat. It was time to wrap up and leave for the day. Just as he was about to close his laptop, the mail icon lit up. The name of the journalist flashed in the notification box on the lower right corner of his screen as the sender of the new email in his inbox.
That was not unusual. He often got emails from a few journalists with whom he maintained open communication channels. He glanced at the subject—it said something about a new draft of a story. He presumed the journalist probably wanted him to answer some questions for his story. He was a tad irritated by journalists emailing him directly rather than going through his company’s corporate communications team. He was about to close it, but then those pesky email notifications were designed to pique curiosity, and he couldn’t resist clicking on it. He opened it.
The text of the email followed from the subject line. The journalist was writing some story and had attached a draft for his review. There was the attachment and precious little else in the email. That was a little odd, considering journalists like this one usually wrote long emails, building the context to their story. But then, he knew this journalist often worked on tight deadlines. In his hurry, he may have forgotten to type in the introductory details, he rationalized. He double-clicked on the attachment.
Not
hing happened. He clicked again. Nothing this time either. He minimized the email window to see if any file had opened up and was hidden behind the email window. There was nothing. His desktop wallpaper with the smiling faces of his family from their last vacation stared back at him.
Richard Skrenta was eighteen when he wrote this little poem:
Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!
The young American, Skrenta, embedded this poem into a piece of software that he had written, which he called Elk Cloner.1 He copied it on to floppy discs and shared it with his friends. The poem would annoyingly pop up on every fiftieth computer that ran the floppy. It was meant to be a prank to get under the skin of his friends, but was otherwise harmless. What makes the ninth grader’s programme something of a watershed in the history of computing is its status as the first piece of malware written for a personal computer2—here it was for the Apple II.
By 1986, the IBM PC became the most popular personal computer in the world. Two Pakistanis—Basit Farooq Alvi and Amjad Farooq Alvi—who ran a computer store in Lahore, are credited with creating a virus for Microsoft’s DOS, which had by then embarked on a journey that took it to the top of the operating system pile.3 Just like Elk Cloner, the (c)Brain virus they created was relatively harmless, but in retrospect, these lines of malware were the harbinger of things to come.
Since those early days, malware—the umbrella term given to malicious software, from viruses to trojans to worms to adware to ransomware—has spread its tentacles, and it has become more and more complicated and destructive. From being silly pranks, malware has morphed into dangerously potent weapons used in waging virtual wars against countries.