Date: 2014-06-20
* Hacker sheds light on thefts after release from jail
By Michael Szabo
LONDON, June 20 - A British hacker, speaking out
for the first time since he was jailed for attempting to steal 8
million euros ($11 million) in carbon credits, said he was
easily able to break into online government and corporate
registries.
Matthew Beddoes, known online as the Black Dragon, was
arrested in November 2011 with two other men for hacking into
carbon trading registries including those of Spain and the
United Nations, along with the websites of a London-based
commodity broker and an online carbon trading marketplace.
Permits stolen from the Spanish registry were sold to a
third party, while those taken from the UN were frozen.
In March 2013, the men were imprisoned for a combined 5-1/2
years for helping to steal 350,000 credits - worth 3.7 million
euros - from an account on Spain's registry, and for attempting
to steal a further 426,000 credits from a UN account valued at
4.1 million euros.
A carbon credit is a tradable certificate, or permit, that
allows a country or organisation to emit one tonne of carbon
dioxide or the equivalent mass of another greenhouse gas into
the atmosphere.
Speaking by phone from his home in Liverpool, Beddoes, who
was released from prison last year, said in an interview that he
had helped gain access to all accounts on the UN registry, which
contained more than 500 million carbon credits worth around 10
euros each.
Through the Spanish registry the men acquired control over
hundreds of millions of European Union credits, at the time
valued at around 15 euros each.
Beddoes' disclosures shed fresh light on security breaches
that helped prompt regulators to make sweeping reforms and EU
lawmakers to call into question their flagship 36 billion-euro
($49 billion) market. The EU wants countries to replicate its
scheme and link into it as a way of tackling climate change.
Previously a self-proclaimed 'hacker for hire', Beddoes said
he had little knowledge of emissions trading before he was
contracted in February 2011 by an unnamed man seeking to access
carbon registries - online hubs through which account holders
can trade carbon credits with each other.
"It was totally anonymous. He was the client and the target
was carbon credits. He told me he wanted access to government
registries, brokers and anything else I could get, so I went on
the warpath and got whatever I could," Beddoes said.
Beddoes said he was also able to hack into government carbon
trading registries in Africa and Asia.
"I was paid around 3,000 pounds ($5,100) for every access
that I gave them and they used," he added.
The three men are thought to be the first to be jailed for
stealing carbon credits through phishing scams and hacking.
The EU and the UN run the world's two largest carbon trading
markets by tonnage traded, helping to put a price on emitting
greenhouse gases in an effort to stop runaway climate change.
ZEUS THE TROJAN
For the job, Beddoes told Reuters that he used a trojan - a
malicious computer program that when installed can provide
remote access to a system or network - called Zeus.
Zeus was attached to blank PDFs and emailed to the
registries as part of applications to open trading accounts.
"An hour later, the trojan would appear in our control
panel, meaning we had infected their system and could control
it," Beddoes said.
According to the UK's Serious Organised Crime Agency (SOCA),
8,340 credits stolen in the Spanish registry were sold for
89,000 euros to an unsuspecting third party in October 2013.
Attempts to steal credits in the UN registry were thwarted
by its administrators, leading authorities in Spain and the UK
to freeze the unsold hacked units on the Spanish registry and to
arrest the Black Dragon.
Beddoes said he used alternate methods to hack into other
registries but no credits were stolen, helping the security
breaches to go undetected until police searched his computer
hard drives following his arrest.
"Half of these companies didn't even know they got
penetrated until they were contracted by SOCA," he added.
FROM BLACK TO RED
Beddoes in March 2013 pleaded guilty to conspiracy to commit
Computer Misuse Act offences, fraud and money laundering, and
was sentenced to 33 months in prison.
Jasdeep Singh Randhawa was sentenced to 21 months in jail
and Jandeep Singh Sangha was given a one-year suspended
sentence.
Beddoes was released in July 2013 on electronic tag, and
remains on probation until May 2015.
In separate incidents in 2010 and 2011, cyber thieves made
off with more than 3 million emissions units from registry
accounts in Germany, Italy, Romania and the Czech Republic.
Cement maker Holcim is still pursuing a legal
battle to recoup the costs of around 15 million euros' worth of
permits stolen in late 2010.
While little is known about these cases, including whether
there have been any arrests, they prompted the EU to beef up
security at its new bloc-wide trading registry, which was
launched in 2012 to replace individual national registries.
An official at the European Commission said the move to a
bloc-wide registry was among a series of measures taken to
improve the security of its emissions trading scheme, including
adding spot trade to the regulation of carbon transactions.
As for the Black Dragon, Beddoes said he now uses his
knowledge and hacking experience for good.
Earlier this year he set up his own IT security firm - Red
Dragon Security - through which he gives live hacking
demonstrations and helps small businesses protect themselves
from online threats.
