MDT2_ASSEMBLE_63_020216 ENDING 4
There are kingdoms and companies that are the
Switzerlands of the Internet. These are data
havens, and the information they host on the
servers only they have access to are
amongst the most secure, impenetrable, and
inaccessible places on Earth. These
kingdoms and companies offer cyber
criminals the privacy to conduct
unregulated information exchanges, malware
attacks, spam dumps, ransomware breaches,
and bulletproof hosting.
Every cyber criminal walks these halls,
here today, gone tomorrow. Emerging
outside the reach of law enforcement and
between international legislations.
We're visiting some of the most dangerous
places on the Internet to find out where
cyber crime goes to hide.
We were flying over the North Sea to see
the world's first data haven.
The Principality of Sealand, which
considers itself a sovereign country, is an
abandoned World War II gun platform.
You're the prince of Sealand.
I am, yeah. I mean, it was -- the fort was
situated in international waters. And my
grandfather decided why not declare it a
principality?
Yeah. So what is it about having your own
kingdom that's so appealing?
I mean, it's the element of freedom that we
have out there. We can do what we want
without prying eyes watching our every
move.
Why don't you want prying eyes watching
your every move?
Why wouldn't you, did you say? I mean, why
do you shut your curtains at home?
It seems like a long way to go to store
your data.
Yeah, well, somebody will go to long
measures, won't they, to secure what is
theirs.
At the dawn of the Internet, an idealist
named Ryan Lackey founded the world's first
online sovereign state by creating a
bulletproof data hosting facility.
The idea of HavenCo was to have a place
where people could host servers for
Internet sites and the users would be
located everywhere in the world, and these
servers would be located on Sealand in a
physically secure environment, and we would
have very high technical quality of
service, but we would also be able to let
the customers pick which laws applied to
them.
So is Ryan Lackey involved in HavenCo
anymore?
No, he had a little bit of a falling out
with us. No, no.
What was the falling out about?
Primarily, we sort of just disagreed, as I
say, on the gray areas as far as when we
were hosting for HavenCo originally.
He wanted absolute carte blanche, do what
you wanted. If someone wanted to come out
there and operate a server selling firearms
or missiles, he thought we should just
offer a service to anyone that wanted it.
We built the business, so we got to make
our own rules. Anyone who creates something
gets to define what that thing is, which is
part of why we picked the kind of
regulations we did.
We found a story about another bulletproof
host, CyberBunker, a Cold War nuclear
bunker in the south of Holland, also able
to withstand a 20-megaton blast.
Have you seen a large black building, sort
of like a nuclear bunker?
[Speaking Dutch.]
He knows the bunker?
Yeah, he knows it. So they're telling me it
used to be like a drug lab.
[Right.]
Oh, yeah. [Speaking Dutch.] You don't go to
it.
Oh.
No.
You don't --
It's forbidden.
I'm not quite sure if this was a good idea.
CyberBunker was a notorious hoster for
illegal materials, especially spam. It was
also rumored to be home to numerous
hackers.
A battle is waging across the Internet.
It's under the worst ever cyber attack, so
strong it's slowing down Internet access
globally. It's allegedly a strike from a
Dutch web hosting company called
CyberBunker. Could somebody go to prison
over this? Could somebody be fined? Is this
going to be resolved?
I doubt that the people that did the
attacks are in any country where doing a
DDoS attack is legal or where they can even
be found.
You know it's illegal, what you're doing,
right?
After weeks of cryptic responses as to
whether we could actually get into
CyberBunker, I decided just to try my luck.
There was a face scanner at the door.
Denied?
Yeah, denied.
It was clear that someone had also been
using the facility quite recently.
There were fresh coffee grounds in the
trash and an empty server rack seemingly
recently delivered.
It became clear that someone may have been
inside at that very moment, watching us.
We decided it was probably time to leave.
Just when we thought getting inside was a
lost cause, I managed to get in touch with
a convicted black hat hacker who knew the
owners of CyberBunker and a meeting was
set.
Raymond.
Raymond, nice to meet you.
Hi, how you doing?
Roy.
Roy, nice to meet you.
Nice to meet you.
How you doing?
Fine, fine.
So you're welcoming me into CyberBunker?
Oh, that's the wrong name.
That's, in fact, not the name anymore.
Oh, what's the name now?
It has a code.
Right.
Yeah.
What's the code?
ML01.
This is the nuclear blast doors.
Yeah.
Of course, you're in a nuclear bunker, so --
What's the phone signal like down here?
None.
None.
None. So these are your CCTV cameras you've
got around the place.
Yeah. Yeah.
Yeah, we did notice them. I did try to get
in the other day.
Yeah?
The only thing I would say is it does say
dog outside the gate, but there was no dog.
We have silent dogs.
Access granted.
It's incredible. It's straight out of Dr.
Strangelove. So this was built to protect
against Russian nuclear threat?
Yep.
And now we're in the cyber world, and it's
again providing the protection. So you're
doing a full circle.
So we came here looking for CyberBunker.
This isn't CyberBunker anymore.
No. Our company is based upon trust.
We want to provide high-end security for
clients that are, well, trusting us with
their most valuable data. And we are
combining it with cyber security
capabilities, and we're telling that it's
not just concrete or an EMP shield that
helps you out in terms of securing, but
it's also in protecting the fiber and the
cryptology and all those stuff from
nowadays.
Yeah.
With all the trends like cloud and big data
and Internet of things, that there is
solely focused on cyber security and let's
say the digital part of securing data.
Yeah. But you're doing the physical part,
as well.
No, we're doing both.
But why do you need the physical part?
Who's actually going to break in here? Come
on.
Well, here, no one.
If you're a company, you're storing your
stuff here that you don't want anyone else
to get their fingers on.
Yeah.
Okay, so --
So you don't store everything in a bunker.
We don't have a concept that relies on one
bunker. Because one bunker is no bunker. So
you have at least two in one country and
then other bunkers in other countries,
which gives you also advantages from a
legislation perspective, from data
protection laws and what's more beneficent
for clients to have their data in.
So who are you providing data storage for?
Currently, we're not entitled to say.
Okay.
Well, typical, let's say, in generic terms,
governments, but --
So potentially governments might want to
store their information here because it's a
safe place from military attack from other
governments who might want to launch cyber
attacks.
For sure.
We don't brag about locations, we don't
show pictures and movies from the inside,
because, in the end, that's not what
clients are looking for, ultimate security,
high-end security. This will probably be
the first and last time you will see this
bunker from the inside.
It seemed CyberBunker had evolved from a
place where scammers and hackers go to hide
to a place where governments and corporations
go to do the same.
There's different types of bulletproof
hosting, and it depends on if you're a
criminal or if you're legitimate or you just
need your data in cold storage -- you pick
the bulletproof hoster who is best for your
needs.
I wanted to see an active data haven, one
that touted its ultrasecure hosting.
Embedded in a nuclear bunker 30 meters
below the hills of Stockholm is a hoster
called Bahnhof.
This facility hosted the WikiLeaks at the
height of their notoriety.
If ever there was a place to securely keep
your data, data that people wanted to get
their hands on, this was the place.
Hi.
Hi.
I met the CEO, Jon Karlung. He gave me a
tour of the impressive facility.
It's a blast door.
Is the physical impenetrability of this
bunker even relevant?
It's important. I mean, if you operate
mission critical business, it's important
to have it secured by physical means. You
need energy, which is the diesel engines.
Then you need Internet, which is fiber
optic cables. And they are coming in from
many ways.
Is it a closely guarded secret where these
cables are?
Yes. Yeah, yeah.
Jon showed me where WikiLeaks servers had
been and walked me up to the control room.
It did indeed look like a James Bond
villain's lair.
Back in London, I met with James Ball, who
used to be a data analyst for Julian
Assange at WikiLeaks.
James.
Hey.
How you doing?
Good to meet you.
Nice to meet you.
How's it going?
Assange's right-hand man.
I wouldn't quite say that, but, yeah.
So kind of WikiLeaks's famous server was
this server in Sweden, a company called
Bahnhof, which is essentially, you know, in
an underground bunker and hyper secure.
Was Bahnhof effective?
I tend to think stuff like Bahnhof is a bit
more theatre than anything else. You can
have as secure a server nowhere near a
bunker or an underground [unintelligible]
and most of the stuff that's actually going
to catch you out isn't going to be someone
drilling into an underground vault James
Bond style.
Is there anything illegal down there?
It could be, but --
Could it?
Yes. But it's not my -- I mean, I don't
[unintelligible] at any given moment, there
can always be some illegal material on the
Internet. But I don't open the boxes. I
don't control what's on the boxes. And I
think we are the [unintelligible] we are
the bank.
The hosters would like to see themselves as
the post office. But if they really want to
be a post office, they have to act on abuse
complaints when they come in. A post office
doesn't have -- like if a post office had a
bomb stored in their post office and they
didn't take action when they got a
complaint, they'd be out of business. So
bulletproof hosting is a term that's gone
back maybe 10 or 15 years, and it refers to
a hoster who will not take action to take
down your website.
So somebody discovers that your website at
that hosting provider is bad and they go to
the hosting provider, say can you
disconnect this customer? Or can you give
me information about what that customer is
doing? Because they've stolen my data. And
the company will just ignore those abuse
complaints.
I was told corrupt hosters in Southeast
Asia favor smoke and mirrors over hardened
datacenters.
We found one such hoster, so we decided to
track them down.
Their registered address took us to a
nondescript apartment complex in the
suburban outskirts of Kuala Lumpur.
This is a residence.
Yeah.
So this is just like someone's flat, right?
The sixth level is all residences, so it
probably is a residence office.
Yes?
Oh, hello.
Hello.
We were just wondering about your
neighborhoods.
Yes?
[Cinepack]. You say they haven't been here
for --
Three years.
They haven't been here for three years?
Yes. No. Since I stay here --
No one's there?
No.
We went to a place today called Cinepack.
We went to the location, which is on their
website, and there was no one there, and
the neighbors said they hadn't been there
for around three years.
So there will be one specific group of
people. They are very specialized in the
web hosting business -- in the hosting
business. So what they do is they set up
different companies, they take different
orders, and then once the company starts
being criminal, they will start another
company in other places, different
provider, and then they will take new
orders again until they got the same
complaint. And then they will stop and then
they will start another company.
Right.
Kind of like nomad hosting, in a way.
Just going from place to place to place
until there are so many complaints they
move on to the next one.
Yeah.
So what's the extent of cyber crime in
Malaysia? Is it a big problem right now?
I think the majority is on fraud and
phishing attacks. So that is what we are
seeing. I think mid last year, there's a
bunch of claim to be a South African, which
they managed to get access to the local ATM
machines. So they managed to withdraw
money, like 30 million ringgit from the
different ATM machine throughout Malaysia.
So they hacked the cash machines?
The cash machine, yes.
A company called Ecatel that was rumored to
have ties to bulletproof hosting and cyber
crime popped up on our radar. We had a line
of sight on their location, so we boarded a
flight to The Hague.
Oh, hi, is that Ecatel?
Oh, I'm just looking to host some data on a
server. I'd heard Ecatel was a good place
to do that. I've got eclectic tastes, so I
thought Ecatel might be the place. Oh,
well, it was just sort of in the ether,
your telephone number. Their offices are in
The Hague, okay?
Oh, hi, I've got an appointment with
Ecatel. Can you let me in?
Oh.
Hi. Could you buzz me in? I've got an
appointment with Ecatel.
Thanks.
[Speaking Dutch.]
What?
You don't come in.
Do you know Ecatel?
No, never heard of them.
Ecatel is not here.
Oh.
I'm so sorry.
So how do you know --
I know they're in The Hague.
Is this your building?
Go away.
Is it your building? Ooh.
Please, go away.
Is it your building?
Please go away.
Can I not come and see Ecatel if I've got
an appointment?
Yep. What do you want?
Just wondering if they've got their servers
here.
Don't take any pictures of me.
Okay. Okay.
Don't make me angry. Yeah.
We heard there was some nasty stuff on
Ecatel's servers.
If there is anything on the servers that's
not normal, not right, it's removed. Any
abuse they receive will be dealt with.
By?
By Ecatel.
By Ecatel.
Yeah.
Oh, that's good, so they're policing
themselves.
Stay away from me.
Okay, sir.
I'm not your fucking friend.
Okay, all right. Okay.
I found myself talking to some of the most
secretive people on the Internet to
understand the magnitude of bulletproof
hosting. A patriotic hacktivist that goes
by the name Jester agreed to chat. He has
been credited for taking down jihadist
websites across the world and hacking the
personal email accounts of Iran's
president.
I was seeing a giant uptick in jihadis
using the Internet to recruit, radicalize,
and even train online. I felt I should do
something about it.
Why would people want to use bulletproof
hosting?
I suppose hackers' tools are servers. They
need places to launch attacks from.
Bulletproof hosting is a valuable service
for me. I'm under constant attack. I care
more about the provider being impenetrable
to cyber over physical attacks.
Well, if I want to be a bulletproof hoster
in a true sense of the word, I would
distribute all my information all over the
place. I wouldn't rely on a single server
in a single bunker. I wouldn't rely on a
single jurisdiction. All right? Basically,
I want to distribute it to a point where a
single takedown of a single location does
not disrupt my ability to host or to
basically put anything out there.
So nowadays the most effective form of
bulletproof hosting isn't necessarily being
in a bunker. It's being in the cloud,
hiding in plain sight.
Yes, exactly. It's not necessary that you
have a bunker or some very secure location.
The idea is that you pretend like you're
not doing anything illegal at all and you
just sign up for regular hosting like a
regular customer. And then the task is to
try and mask the fact that you're actually
a criminal enterprise.
And how do you mask?
So the way they mask is they take multiple
hops before a victim is sent to the final
destination. And those hops are generally
in different countries to make it difficult
for law enforcement to get cooperation from
all those countries in order to find out
where the hosting is behind that.
It's totally a war. Cyber space is the new
theatre. We're seeing this more and more
now every day.
A Silicon Valley startup is caught in the
middle of a cyber war between ISIS and the
hacking group known as Anonymous. The
company's called Cloudflare. It's a startup
that protects websites against denial of
service. Those are attempts to bring
websites down. But it does not discriminate
with its clients. It has come out and said
that. Anonymous is lashing out at
Cloudflare for shielding pro-ISIS sites
from the hacking group's attacks.
Cloudflare, it frustrates me.
It frustrates all of us. Even though, you
know, we do have to use it to protect our
site, but it's an American company, and
they're protecting many, many of the ISIS
websites now.
Now I work at a company, Cloudflare, which
is the edge of the Internet. It connects
between your browsers and your servers from
multiple locations around the world.
So is Cloudflare the future of bulletproof
hosting?
It is the future of how you reliably host
Internet content without censorship.
Anonymous have recently accused you of
having two of the top three ISIS websites --
Yeah, that I can't really talk about.
You can't talk about that?
Yeah.
Why?
We have contacted Cloudflare directly,
daily, alerting them to this, and just get
no response.
What gives Anonymous the right to say what
should and shouldn't be online, to make
judgments?
Have you seen the ISIS material? When I see
a head cut off because someone prayed the
wrong way or they're gay, I think that
gives me the right. I'll make that judgment
call.
Do hosters have a moral responsibility when
it comes to what's out there on the
Internet?
I think it is very much their
responsibility. Guides for homegrown
terrorist cells on how to shoot up a room
and successfully go carry out another
attack before suiciding oneself should not
be easily available to people online.
If you just take the I will host
everything, you're really facilitating some
dark stuff, and you're actually endorsing
it. I think you have to actually get in the
weeds. You have to get in the case by case.
And go there is a ton of stuff that I hate,
that I would never do anything with.
You're making hosters incredibly
responsible for the content that they're
hosting.
I mean, hosters are incredibly responsible
for what they're hosting [in law]. That's
why they want to be blind hosts.
So criminals need bulletproof hosting
because they need to be able to keep their
website up. Because if they're on your
computer and they're stealing your credit
card or your emails, they need to send that
information somewhere. And those type of
bulletproof hosters, they understand that
there's criminal activity happening on
their servers, and they just want to get
paid.
These guys have got billions and you don't.
These guys have got hundreds and hundreds
of computer scientists and most of us
don't. You've got to know how not to be
scammed. You've got to trust everyone you
give your data to.
So we have to actually just take personal
responsibility for our own online security?
It's -- I think we need to force companies
to take responsibility for our data that
they have, and we have to take
responsibility for our data that we have
overall.
There's no absolute solutions, essentially.
It's constantly give and take.
Yeah. There's no magic bullet. There's no
magic server. We are going to have to work
this out for ourselves.