tv The Communicators Kate Fazzini Kingdom of Lies CSPAN August 26, 2019 8:00am-8:31am EDT
>> host: so kate fazzini, what do a romanian teenager, a chinese dishwasher and a russian young man from russia raised by an alcoholic single mother have in common? >> guest: well, you'll find all these people in my book of course, in "kingdom of lies," but i think the ones they may have the most in common is a sort of dancing between good and bad. so you have people who have, you know, a woman in romania has very few computer skills. you have a gentleman in china, and gentleman in russia who had very good computer skills, but you see them going to work often on both sides of the equation, so someone can be a hacker
for bad and be a criminal, but sometimes they can put those skills to good use. sometimes they just go all the way down the bad path and use certain people who have a bit of a bent towards sociology going that way, as we see with our friend in russia. but in the end you have people who are curious, interesting, and people that we can learn from, which is what i was really going for. >> host: how much money did those people literally steal? >> guest: that's an interesting question. i don't think i have an actual figure for anyone, and without giving away too many details of course we do see one of the characters make a million-dollar ransomware demand in one shot. it is not because this character knows a lot about cybersecurity
or technology or engineering, but she happens to be in the big enough and creative enough to on the spot come up with an idea that works here and then you see the quote-unquote company criminal enterprise she is working for immediately pivot and put the skills to use to make similar amounts. >> host: how did they get into hacking, all three of these people? >> guest: that's an interesting question. you have three completely different trajectories. you have this woman from romania, and her name is renée in the book. of course everybody's name has been changed. there are people who didn't want to have their identities known for what will become obvious reasons. but you have renée was growing up -- renée was growing up in a typical suburban
countryside filled in romania. what ends up happening is, as has happened across eastern europe, many of these what we sometimes refer to as cybercrime villages have actually popped up. you have entire economies that are being basically run off these illicit schemes, whether it's stealing credit card information or ransomware, which we have now seen at a bunch of u.s. cities, and she sort of wants to have a more glamorous life. she wants to have a more glamorous job. she gets this sort of impossible offer, and in a lot of ways finally finds out what's going on in her town, why everybody has a lot more money, and stumbles on this criminal enterprise. she's not someone with a background in computers. she has a background in communications. she's a waitress.
she is working as a waitress. she's in college but she's a very good talker. as it turns out, being a very good talker and being able to convince people of something is one of the primary skill sets of being very good at being a criminal hacker. >> host: and what about bo chan? >> guest: bo is a former government hacker for the people's liberation army in china. as a lot of your watchers certainly know, china has a very large military operation with a lot of investment in cybersecurity, and he is one of those people. he starts out his career, as it were, somebody doing work for the government. this of course raises a lot of interesting questions. because when we think of people are bad people and there are bad guys, hackers attacking our companies, he was doing that, but is he doing it because, like renée, he's bored and wants
to make his life more interesting? no. he's doing it because he worked for the government. he believes he's doing something for his country. this individual leaves the military, goes to work for a hotel and then finds he can put some of the skills to use in a kind of, not in a kind of, in a truly criminal way. that is what he ends up going into and ends up making a lot of money. but ultimately he tries to make a different decision, and then you have our friend in vladivostok, you have this very criminal hacker who was kind of a criminal from beginning to end with a very difficult upbringing. he is somebody who as many in russia are, they are steeped in mathematics and computer science from a young age, and feels like it's nothing to lose.
he's very impoverished growing up and kind of falls into this -- he sees a lot of how like american rap culture and pop culture is just filled with his big, beautiful cars and huge houses, and he wants to be a part of that. he is a part of that until it comes crumbling down. >> host: in your book "kingdom of lies", and i'm going to quote from, this is referring to yourself when you're with the "wall street journal." this reporter has learned a lesson through these conversations, that the significant cyber incidents indeed don't happen without a person behind the scenes who has a deeply felt reason for inflicting pain. people need reasons to do what they do, and hackers are people. >> guest: yes. that's something that, and just
maybe even to backtrack a little bit. i think that the term hacker itself usually we think of that as referring to only criminals and bad guys, but as you see in the book i also look at the people who have hacking skills. they are hackers themselves but they are on the good side of the equation, and some of those people have a lot of trouble always doing the right thing. i like to make the point that if you want to understand what all of these things are happening to us, whether it is the exploitation of the algorithms that run twitter and facebook in order to help the russian intelligence agency influence an election, or the ransomware that has now taken down big cities like baltimore and atlanta, we
have to understand the people who are behind these things, and all of them are different. >> host: another quote from "kingdom of lies." by 2015 anyone who works in cybersecurity, criminal, good guy, or in between can see that the russians are more than active. they are so busy that they can't train their hackers fast enough. >> guest: so that is a very interesting observation because what we've seen, especially through 2015 and beyond in the case of russia is that you have a russian government -- and i talk about this in the book a little bit, how early on vladimir putin, very early in the early 2000s, was well aware of the power of being able to kind of control this cyber sphere. the fact you don't necessarily need volume to do it.
you have people in a country with a population of russia or even iran who can do damage at the scale of country like china that has the numbers. now, he realized that in order to get the very best people, those people are not going to work on a government salary. if you are really, really good at hacking, if you don't have a lot of scruples and you live in russia, you can make a great deal more money doing any number of illicit activities, selling things on the dark web, laundering money for cyber criminals. the list goes on and on. now, what the government has realized is that in order to have these really good people who are good at what they do be on their side, they can work together with these criminals. so you have a situation where
the government is willing to bring in people who are doing criminal activities. they are aware of them into the fold to help them. and as a comparison, we don't do that in the united states, just so it's clear. you won't see the fbi going out and recruiting people who are doing major crimes against retailers. instead, you'll see them arresting those people. now, that means that you have criminals who are sort of allowed to do with the deal as long as when it comes time for the russian government to call them, they are willing to sort of pay the price, the tax for being allowed to do those criminal activities. and then of course what you have is this beautiful, plausible deniability so that if russia is taking part in some sort of major action against ukraine or the united states, it's very
easy for the russian government to then say, well, we didn't tell these people to do this stuff, or they are not part of the government. if anybody did that, maybe they were a patriotic russian which is a line putin has used, but they are not actually working for us. it really has stepped up with a situation that is hard to fight, from our point of view. >> host: but don't u.s. intelligence services hire hackers? >> guest: they do. they do, and the difference here is that there are a lot of restrictions as far as whether you have a criminal record. they definitely would not let somebody continue taking part in criminal activity, and it's really rare for somebody who has committed a significant crime,
as many of the russian hackers who are actually named in the indictment of 12 russian hackers that was passed down last year by our attorney general. we would never hire people who would continue doing that kind of activity or who would actually make millions of dollars on those crimes. we arrest those people. we put them in jail. every month or so, the fbi or department of justice releases indictments of people who have taken part in criminal hacking activity, including a great number of russians, some of whom have actually been arrested in the united states but we are never going to do the level of collaboration with the criminal element that the government in russia does. >> host: one of the things you note in your book is that in the
digital world, boundaries become a little muddy. >> guest: they become very muddy. one of the big issues now is whether companies and government agencies should have the right to what's called hack back, or do offensive cybersecurity attacks against somebody who has broken into their system. now, why is that problematic? if we had something like a citigroup, one of the major u.s. banks, and they are getting attacked by china, and there are wonderful investigators at citigroup who determine that these individuals are sending their packets from shenzhen in china, and decide to go on the offensive and either get back
information episode or do something to stop this from happening. there's all kinds of collateral damage in between there. the companies that run the technology between these two places. the fact that you might actually have a scenario where the chinese pla and an american bank are going to war with each other. it's many different boundaries there, many things that make it so difficult for us to retaliate against these attacks, and then you run the risk of maybe that attack wasn't really coming from shenzhen at all, and you just attacked a completely different place because they are sending the signal from somewhere else. there are a lot of issues, and the boundaries, international boundaries, who people are, their identity, much of this stuff becomes really mixed up. >> host: kate fazzini, can you
do most of what you describe in your book with your iphone or your android? >> guest: i try to -- that's an interesting question. i myself am not a technical person, but much of what i describe in the book can be accomplished by really most people. on the one hand, there's a lot of what's called social engineering going on. my ability to make you do something quickly that is going to give me what i want. so if i have an e-mail that can compromise you in some way, then i send it with an urgent, you need to open this, it's your boss, you need to do a couple of tasks immediately, like send me
all the w-2s for all the employees, it's an emergency. that's social engineering, something that makes you feel like i need information right away. any people can do that. salespeople do that. a lot of people have good skills and use those skills for good purposes. many of the people in my book use software, malicious software that they had bought online and may be tweaked it a little bit, but it's just delivered through a usb stick. buy it on the dark web, stick it into a target computer and have access to that device. that's a little more complicated but a lot of people have the ability to do that as well. a lot of this stuff is very accessible to the average person. >> host: how sophisticated is using a usb stick in today's hacking world? >> guest: it's almost -- it's not sophisticated at all.
i always like to talk about how tired i am of the word sophisticated because there are really very few attacks today that are genuinely sophisticated. when i see one i'm really impressed. but using a usb stick is almost dated at this point. a lot of companies have put restrictions in place over whether the devices that you plug usb sticks into can even read them. many of these devices just don't read the sticks anymore because they are so dangerous. but for the average person very, very simple. just like sending ransomware might be today for the average person. >> host: a couple of terms or items that come into play in your book. i want to start with two. vpns and wi-fi. >> guest: so should i just
describe what these -- vpn, okay, a vpn is a virtual private network, and vpns has cut up an interesting, like to have sort of an interesting trajectory right now because for a long time they were mainly used by corporations. if you are traveling on business and you might be using public wi-fi somewhere, wi-fi in your hotel, you can log on and you log on to a virtual private network which gives you a way to reach your information securely so it can't be seen. it's encrypted. it can't be seen over the wi-fi network. it's really interesting because in the united states most people who use vpns pay for them in some way. there are a couple of free products, but comparatively in
places like china and russia where the internet is very heavily restricted and very heavily watched, vpns are used by many, many more people. often there are free products that they can use to get around the restrictions over having their communications monitored, and also get around the fact that they can't use facebook and they can't use gmail in some cases, and google products because they are banned. it's become a very interesting phenomenon as people in the u.s. pay for the service, that they are just enormously popular, far more popular overseas than the united states for a very different reason. >> host: when it comes to wi-fi, do you use public wi-fi or do you have a wi-fi at home? >> guest: i do.
i have a wi-fi at home. it's a lot easier to control your home wi-fi and the setting to get on it. public wi-fi with a vpn, i think i'm pretty confident using that combination. i don't use public wi-fi without a virtual private network. i mean, i think that, i have to travel for work, you know. there are times when i have to get online. i'm actually headed tonight, in fact, to a hacking conference in las vegas called black hat and defcon, two of the biggest conferences of the year. i will not use the wi-fi at this conference because this conference will be filled with people who are trying to exploit it. i'm going to find alternatives and maybe even stay off the internet entirely while i'm there. so that's a bit of a different situation. >> host: it's been recommended at black hat and defcon to leave
your phone in your room, to use your atm anywhere close by, et cetera. >> guest: there's always interesting tricks that are coming up. i'm going to be following a team called shellphish which is, they have these events at black hat and defcon, capture the flag where they have some of the premier hackers in the united states, and they tried to capture virtual flags from one another as a contest. these guys win fairly frequently. they do very well so i'm going to be tracking them and adjust quickly all my electronics in the room i think when i'm on that. i will just have a notebook and pencil, you know, old-school. >> host: back to "kingdom of lies", two other items that come into play throughout the stories you tell in your book. paypal and bitcoin. what are their roles when it comes to hacking? >> guest: so paypal i think,
you know, the events of this book end in 2017, approximately, and go from 2013-2017. paypal had long been a way for some cyber criminals to keep their money out of, you know, being able to establish an account very quickly and move money. but bitcoin was much more influential in terms of giving people a way to have these transactions, embassy transactions. so the way it works is you can have bitcoin wallet and someone else can hold it, but your identity is essentially private. as long as you know that account number, you can move money without it being traceable. so for criminal activities this has been one of the premier ways they move money and a lot of
people are skeptical about bitcoin because difficult sometimes because it's so volatile and a price as i was going. there doesn't seem to be much rhyme or reason as to why the price is always going up and down. there's a lot of speculation as to why people investing, why are you buying bitcoin unless you want to hide something. i don't necessarily think that's true but it certainly has been a major driver of significant criminal activity, not just cyber crime but everything from sex trafficking to terrorism, to other sorts of illicit transactions. bitcoin has been a real revolution in the criminal underworld. >> host: kate fazzini, do you need to be a stem student to become an internet cybersecurity person? >> guest: no. in fact, so i do often talk to people about their jobs because
i do a lot of reporting on career prospects in cybersecurity. one of the biggest contingents that comes my way is people in law enforcement. so i often get a lot of people who are just police officers. they might be really young police officers and they're really interested in cybersecurity, or they might be in some other level of security, like a security guard. cybersecurity is two things. it's technology which is often intimidating but it is also security. the security part, people can understand no matter how old or young they are, you know that when you have a big event, you will pick get a perimeter around, right? you might have some physical barriers. you might have some cops. you might have some checkpoint where people can get their
ids. the way information security actually works is pretty similar to that. you put up firewalls, multiple firewalls of different kinds and sizes. you make sure people have the right username and password to get in, and then i need another username and password to get in even further. so people who come from a security background like that, no matter, even if it was totally all physical security, often have a nice base of knowledge to then learn a couple of skills, learn how to use some software, learn a little bit of technology and be really astounding cybersecurity people. and really there are so many different disciplines within cybersecurity, and the u.s. government and banks, and all of these big companies are just desperate for these people. so if you're considering it, it's a really good time.
that's my big pitch. >> host: what are the positives and negatives of hiring retired military personnel? your character bob breakoff does not necessarily come across so well. >> guest: yes, bob. i think what you're seeing here, i did go out of my way to be sure that i differentiated between people who had been very high ranking members of the military and also members of the political class, versus soldiers who often come back and make really amazing cybersecurity people. and, of course, some high-ranking people do as well. but there are a lot of people who've been at a high rank working in a government agency or the military for a very long time who tried to make the transition to cybersecurity in the private sector and had a very, very difficult time, for a couple of different reasons.
number one, the hierarchy that exists in the u.s. military, especially for very high-ranking people, does not exist in most private companies. and you don't have 100 different hands who are going to help you to do a variety of tasks. doing many different things at once with a very small staff. also in any private company, profit comes first, and that often involves having to deal with people overseas in foreign countries that if you were in the military, had been your enemy for a very long time. if it involves having to take direction from somebody who might have brought in more money last year than you and somebody who was very high-ranking from the military might have a little bit of a problem with that.
but in the hierarchy of, say a financial institution, the person who brings in the most amount of money is often the person who has the most say in what happens. so you do have a real abrasive, around 2014 and 2015 there were a bunch of major nation-state attacks against u.s. banks and other companies. you saw a lot of companies doing this, hiring top ranking military people, and in a lot of cases it didn't work out for those reasons. >> host: here's the book cover. it's called "kingdom of lies: unnerving adventures in the world of cybercrime." the author is kate fazzini of cnbc, formerly of the "wall street journal." thanks for being on "the communicators." >> guest: thank you. >> host: and this program and all other communicators are available as podcasts.