Net ninjas

...A COUPLE OF MONTHS ago, Twitterverse was abuzz with a new trending topic, #EthicalHackersWithPolice, a hashtag started by Bengaluru deputy commissioner of police (crime), Abhishek Goyal. He called “Bengaluru Hackers who r interested in working against Cyber Crimes” to mail their CVs to him.

Why did Goyal do this? Mainly, he says, because much of “what we learnt in the academy has become obsolete now”. (He was quick to clarify that it was not the police department looking for hackers: “It was me.”) Goyal was following the time-honoured advice to “set a thief to catch a thief”. And, surprise surprise, he’s not the only one doing this.

“Regular” or “traditional” crimes are on the rise, but the traditional police force, however stretched, is capable of handling them. But when it comes to the new breed of criminal—the one who uses technology to break and enter and steal—law enforcement stumbles. Efforts like Goyal’s are born in this context. Across the country, a parallel crime-fighting scene is emerging, where ethical hackers, computer engineers, coders, and the like come together to solve mainly cybercrimes that the police force is ill-equipped to bust.

In reply to a question in Parliament last year, Union minister of state for home affairs Kiren Rijiju said “the sanctioned and the actual strength of police personnel at the all-India level per one lakh population are 181.47 and 136.42 respectively”. This, when seen against global figures from a 2010 United Nations study, is bleak: India is ahead of only Uganda in police per capita among the 50 nations studied. Add to that the unrelenting rise in crimes; only 11 years between 1953 and 2012 showed decline in total reported crimes under Indian Penal Code, the last such year being 2003.

It’s not all bad news though. For instance, police forces in major Indian cities are now supported by social media labs looking for patterns that will throw light upon possible dangerous people and situations. (The Orwellian shades of such monitoring is another matter.) But that is not enough to help fight cybercrimes: National Crime Records Bureau (NCRB) statistics for the three years between 2010 and 2013 show a 350% rise (from 966 to 4,356) in reported instances of such crime, led by cases of fraud.

That number is much higher in a study by Assocham and Mahindra SSG, which pegs cybercrime instances in 2011 at 13,301 and projects that number at the end of this year to reach a mindboggling 3,00,000. The major reason for such variance is that only a fraction of the cases are reported to the police.

A CRIMINAL'S GOAL has traditionally been to stay a step ahead of the cops. With technology, he can stay continents ahead. Those familiar with the dark alleys of the Internet know that it’s almost commonplace for teenagers to steal millions of dollars (or data worth more) from people and organisations in other countries using just a laptop.

In a TED talk, Marc Goodman, global security futurist and chair for policy and law at California-based Singularity University, talks about how he, during his law enforcement days with Interpol, noticed that gadgets like cellphones and pagers were with criminals long before the police started using them. He refers to the PlayStation hack in 2012 (where hackers broke one of Sony’s toughest defences in the PlayStation 3 and stole user data, including credit card details, of an estimated 70 million users) and asks a question that underpins how technology has changed the nature of crime: “When in the history of the world was it possible for one person to rob 100,000?”

It’s not as though corporations are unaware of this. However, much of what’s happening is defensive—ensuring that there are strong walls protecting data. Companies such as Symantec, McAfee, and Cisco are among the dozens of big names in the business of data security. But ultimately, what they provide is not enough. What happens when those defences are breached?
In the immortal words of Ray Parker Jr., “If it’s somethin’ weird an’ it don’t look good, who ya gonna call?” Parker Jr. suggested Ghostbusters, but that happy group is unlikely to have much effect against a hacker sitting in Vilnius, Lithuania, stealing data from users in California.

Even in the rare instances when they are tracked down, it takes a great deal of multinational co-operation to nab cybercriminals who often operate from geographies without extradition treaties. Despite a few successes in shutting down botnets and other criminal cyber infrastructure, the problem that international cybercrime fighters face is that cross-border co-operation is painfully slow. Organisations like Interpol are not created with the capability to fight millions of instances of cross-border cybercrime.

Neither are local police forces, particularly in countries such as India, equipped to deal with cyber fraud and cyber intimidation. With traditional law enforcement of little help, enter the private eye. These private detectives come armed with hacker skills and the same high-tech gadgets that criminals have. I call them the hacker force, though their skills are not limited to hacking.

The idea of the private investigator is hardly new, but in India, these detectives have always functioned in a shadowy area that’s not quite law enforcement. There’s been little legislation, and as long as the bulk dealt with small-time, low-key domestic cases (snooping on a spouse, pre-marriage screening of the couple in arranged marriages, etc.), there was no real call for supervision.

But the lack of accountability, coupled with the easy availability of a host of gadgets such as spycams and bugs and listening devices, means these investigators often cross the line between surveillance and invasion of privacy. With cybercrime though, you’re looking at a different class of investigator altogether, far removed from the slightly shady guy sitting alone in a one-room office with paan-stained walls.

Legislation is pending to bring some governmental regulation into the private detective agency business. Once the legislation, first mooted in 2007, passes all formalities, a central board will be constituted to issue licences and bring in structure as to what they can and cannot investigate. The Private Detective Agencies (Regulation) Bill 2007, as it is formally called, will push out many fly-by-night operators. It will also make collaboration with the police easier.

I FIRST MET Sahir Hidayatullah and Raviraj Doshi when researching corporate espionage and how it impacts Indian businesses. They were then partners at Securus First, an investigation firm founded by D. Sivanandhan, former Maharashtra director-general of police and former commissioner of police, Mumbai. Both are white-hat hackers (the good guys, unlike black-hats who hack for malicious reasons), who had offered me an up close and personal experience of being hacked just to show me how easy it was. I had refused firmly.

Hidayatullah looks like he’s not been out of college too long, and Doshi is hardly my idea of a hardcore techie; at most, I’d say he’s a benign banker. But the duo is fast emerging among the foremost fighters in the battle against cybercrime. Their superpower: creating virtual smokescreens that manage to fool malicious intruders. Their new company, called Smokescreen Technologies, has been in business less than three months, and has already broken even; profits are around the corner, and global expansion is already being charted out.

Then, there’s Shweta Chawla in Pune. She’s a private investigator who has become the Pune police force’s go-to person in cyber forensics cases. “Pretty much every case today has some element of digital in it. It depends on the investigator whether he is ready or not with technology,” she says. The logo of Chawla’s cyber forensics firm, SC Cyber Solutions, is a squirrel holding a nut. “Have you ever seen a squirrel letting go of a nut? It always cracks it,” she explains.

Cracking cases isn’t all it’s cracked up to be. It’s a lot of drudgery and ploughing through reams of data. Even with rapid strides in analytics, it’s time-consuming. But companies are prepared to pay huge amounts for the results, which is why, increasingly, large financial consulting firms are setting up digital forensics units. EY, for instance, has joined forces with the cybercrime wing of Securus First. KPMG, too, has a digital forensics team that works with all sorts of companies, from retail multinationals to software giants.

It is a natural progression. Forensic accounting has been in the DNA of these companies, but the nature of investigation has morphed over the past few years. EY’s partner and national leader, Fraud Investigation and Dispute Services, Arpinder Singh, says that he understood the potential of tech in forensics while being involved in the investigation into one of the major corporate accounting scams of the 2000s. “Prior to the scam, our investigations were primarily about books and records. Post, we started imaging computers and cellphones, recovering deleted information, and using software like Clearwell so that the information collected can be produced for litigation purposes outside India. Around the same time, lot of police officers started joining us and brought in skills like asset-tracing and background checks.”

KPMG and EY both claim to have the largest teams involved in forensics and fraud investigations in India with around 800 people, up from less than half of that a couple of years ago. Both also claim that this will go up soon to touch a thousand. This despite the fact that technology has made it possible for fewer people to do the same job. Sandeep Dhupia, KPMG’s head of Forensic Services Unit, says, “We ran a project where we employed 100 people to review a million e-mails and it took us four weeks. I can probably do that now with five people in a fraction of that time.” So the growing workforce is just proof of how much work there is.

Investigating cybercrime requires specialised skills and is almost always done in high secrecy because of reputational risk. Existing business relationships mean that firms like EY and KPMG are the first port of call when client companies need to investigate cybercrime situations. Singh says that in the past five years, the forensics practice has grown 50% every year. “We have hackers, Big Data analytics guys, coders. This is added to the 80-odd people who are on the intelligence side, going out and gathering information and doing surveillance. We have MBAs, CAs, and lawyers.”

Dhupia adds that their skills are often called in to investigate other kinds of crimes. “I even got a call from someone in a company which was our client to help investigate a murder case. We declined, but I did suggest some of the things they could look into.”

THERE ARE STORIES aplenty, but since all these crime-fighters are governed by ironclad contracts that don’t allow them to reveal anything but mere generalities, a lot of the real drama is lost. Still, what we do have is interesting enough to merit its own gritty TV series. There’s a story out of KPMG’s files about a whistleblower in a large software company. The whistleblower claimed that an employee was stealing data and leaking sensitive information about the company’s clients. KPMG was called in to investigate, and its forensics team reviewed the network, web servers, and the data and call logs. The result? There was no way that the employee named could have leaked information.

Stranger still, the logs showed that the whistleblower did not send the warning mail. Some more data crunching and log monitoring and the KPMG team found that the real whistleblower was a contractor, who set out to settle a score with the employee in question. He knew enough of the system to figure out that investigators would be called in and reckoned that his actual target would be unmasked. What he didn’t count on was being found out himself.

Then there’s the story of how Hidayatullah and Doshi helped the managing director of a Fortune India 500 company (you’ve been reading the fictionalised account in the graphic novel on the accompanying pages). Doshi recalls that it was 8 am, and he was contemplating breakfast before heading out to work, when the MD’s executive assistant called. “Come at once!” Doshi called Hidayatullah and they agreed to meet at the MD’s office in the business district. They found the MD sitting with a 14-page e-mail, which contained allegations of financial impropriety, with detailed references to confidential documents, and a warning that unless he “came clean” within 24 hours, the contents of the e-mail would be sent to the media and to various government agencies.

Doshi and Hidayatullah’s task: Find out who had sent the mail—in less than 24 hours. The duo set up a war room next to the MD’s, manned by seven of the sharpest minds in Securus First, brought in from their office in nearby Lower Parel. Ideas were tossed about, software programs suggested, and finally, a course of action laid out. The amount of inside dope in the mail suggested that this was an inside job. With the MD’s help, the team drew up a long list of 50 people who could have accessed the documents. The e-mail itself was then run through an authorship attribution program, a great new tool in the arsenal of cybercrime fighters. The software matches styles to authors by scanning their e-mails, looking at patterns such as length of sentences, style, words used, number of syllables per word, and so on. It’s handwriting recognition in the era of pixels.

The Securus First team decided to use the popular JGAAP (Java Graphical Authorship Attribution Program). After filtering and re-filtering, JGAAP narrowed down the list to a dozen names, but that was still 11 too many. That’s when Hidayatullah had a brainwave. An ardent fan of military history, he says deception is something that the greatest commanders share with great criminals. He tells me about how Genghis Khan used to win against huge armies by sending out a small force of his best warriors in distinctive uniforms. The strike force would gallop up to the army, start a skirmish, and then retreat. The army, believing it had won, would almost always give chase, only to find Genghis Khan’s massed army drawn up behind the nearest hill. The Khan would strike at the moment of confusion, inevitably winning. In the Iliad, the Greeks used the same strategy to defeat the Trojans; remember the Trojan horse?

So, deception it was. The Securus First team sent an e-mail, supposedly from the MD’s financial planner to the MD, with details of his investments. They gambled on the fact that someone accusing the MD of financial impropriety would definitely want to see his investments. It wasn’t just a random e-mail that screams “scam”; this was from a reputed financial services firm (fictional), with employees having LinkedIn pages (all fictional). They were sure that the mail would fool almost anyone.

It sure fooled the criminal, who clicked the link in the mail. That activated tracers put in place by the crack Securus First team. Late evening, Doshi got a call. “There has been an incident,” said a cold computerised voice. The tracer software had been instructed to make this call when activated. Details started pouring in—everything from the IP address to the screen resolution of the thief’s computer. It turned out to be someone in the IT department. But the MD was convinced that the techie had assistance, so the team continued to track the IT guy’s computer. Sure enough, he forwarded details in the fake mail to the perpetrator—someone in the MD’s core team. All this in less than 24 hours. (The rest is silence, because Securus First left; the company took its own action.)

Hidayatullah and Doshi are now building Smokescreen on the edifice of deception. Hidayatullah explains. “Our software creates honeypots on our customer networks with juicy information: financials, salary details, research. These are perfect replicas of the real thing. If there are intruders on the network, it is only human that they would want to peek in.” The moment they get the bite, the team starts working on identifying the source and learning more about them, all the while lying low to avoid suspicion. To lower the incidence of false positives, the decoys will be triggered only if a user starts behaving in ways that are consistent with hacker behaviour.

They are calling the product IllusionBlack, which uses the idea of deception as an active defence. “Cyber security is like guerrilla warfare. A guy sitting in the basement of his house can break down companies that spend hundreds of millions on cyber security. Companies need to take a more active approach to fighting it and investigating it,” says Hidayatullah. Rather than barricading the network, it’s preferable to “seek out if anyone has broken through and find the human behind it”. He also recommends conducting periodic “intrusion response simulations”, a fire-drill for networks, to get administrators responsive towards handling breaches.

Hidayatullah and Doshi say they are already working with banks and large listed companies. They also claim to have investors interested in the technology and will raise funds later this year to support their global push.

While Hidayatullah, Doshi, and Chawla may never become household names, their work is impacting popular culture. Amrita Chowdhury, author of Breach, a “cyber thriller”, says she was struck by how differently tech-enabled private detectives approached cybercrime, compared with cops. And now, with cops like Goyal voting for it, private eye-style investigation could well become the future of crime fighting.