DarkNet and Cyber Security
The Darknet Simply put, the “darknet” is anything that cannot be accessed via a standard browser because it requires special software, and often special knowledge, to access. The darknet typically refers to sites on the Tor network that look and feel just like regular sites but require a special Tor browser to view.
The darknet, more broadly, includes other protocols and environments common users don’t know about, such as IRC (internet relay chat) channels and I2P (Invisible Internet Project) networks.
In addition, the darknet isn’t indexed the way surface websites are; virtually all of its sites’ addresses must be shared instead of searched for, and not everyone out there will be keen on sharing. This tutorial explains the DarkNet and Cyber Security in depth with the best examples.
A private place Not everything on the darknet is illegal. In fact, it was originally designed by the U.S. government to let their operatives and analysts anonymously explore the farthest reaches of the global internet, in search of information.
Privacy and anonymity are paramount to all users of the darknet, and many use it simply because they can communicate free from fear of online surveillance. Consider life in some countries where freedom of expression is not a right.
Learning about, for example, government abuses by accessing foreign websites blocked by your nation is now safely possible using the darknet, as is expressing hopes and dreams—and, yes, buying a pair of counterfeit Versace sunglasses. When you consider the arbitrary nature of laws being an extension of the arbitrary power of government, the beauty of the darknet is clear.
Going Deeper The first thing to know in getting your head around this topic is that the web is not the internet. While they may seem synonymous in daily life, the internet is far more than the World Wide Web.
The internet is the entire global set of computers connected to a giant public network that shares certain rules for communicating various types of information. The most familiar of these are web pages and emails, but there are in fact many other things you’d never notice or care about that run over this same global network. Here’s the basic breakdown.
The Surface Web Most of what you see online, from Facebook to eBay to Amazon to Twitter, is the surface web. It’s made up of all the various public websites that share content, sell goods, or otherwise want to be easily found.
They allow any guest to visit, and they invite search engines to index them so that users can find them through Google, Yahoo, and the like.
The Deep Web Millions of sites out there don’t appear in search engines, often because they don’t want to be found easily. These sites have no inbound links from any other site, and they block search engines.
You can still visit them using a standard browser, but only if you have some other way of knowing the address, for example, if a link is sent in private email to a specific list of recipients. This type of arrangement is often used to share content, such as hacked data or child pornography, with a closed community that wants no outsiders.
The bottom line is that, for average users, the deep and dark web may seem alluring or sexy thanks to television. In reality, what you’ll find there is malware, viruses, illegal content, and criminals ready to take advantage of the uninitiated. Unless you really know what you’re doing, keep out.
SHOPPING IN THE DARK While it offers many legitimate uses to activists, whistleblowers, law enforcement, and political refugees, the darknet also supports an underground black-market economy that follows its own set of rules. Buyers and sellers have many reasons to trade outside normal open markets. These can include the following.
Illegal Goods Anyone looking for products or services that can’t be sold in the open, such as drugs, stolen identity data, or weapons.
Anonymity These transactions can be done without records, allowing the buyer and seller to remain anonymous, with (theoretically) no paper trail or electronic footprint.
Technology has made it easier for black-market buyers and sellers to safely connect and do business. In the constant back-and-forth between authorities and black markets, one black market is shut down, but another takes its place.
PEELING AWAY THE ONION The largest and best-known element of the darknet is the Tor network. Tor, which stands for “The Onion Router,” was originally a project started by the U.S. Navy but has long since been turned over to a private nonprofit organization. The details are extremely technical, but, as an average user, you can think of the Tor network as three related technologies.
A Web Browser The Tor browser works like a normal web browser, but it routes users’ requests for web pages through the Tor network.
Safe Passage Tor anonymizes users’ activity by stripping identifying data from page requests, then sending the requests through multiple encrypted transfers between volunteer-run computers all over the world that run special Tor software, letting them act as transit points.
When a user with a Tor browser types in a standard web address, that request goes from the “normal” web into Tor, gets bounced through various intermediate relays, then reenters the normal web via a Tor “exit node” and arrives at the destination website. The site responds to the page request, and the content is sent back to the user by the Tor network through a similar process.
Hidden Websites Computers equipped with the right Tor software can also run websites (and other services, including IRC chat channels) accessible via a Tor browser.
So users with a Tor browser are able to not only anonymize their browsing of the standard web but can see a whole second “web” (albeit relatively small) made up of sites ending in .onion that can’t be reached by a standard browser.
Software for browsing, acting as a node, or hosting a Tor website can be found at the Tor Project website.
PEELING THE ONION
Using Tor means that internet traffic on the browser is routed through multiple layers of Tor user relays, like an onion—hence its name.
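The layering described above, as an added example that is not from the original page or from the Tor Project: a simplified Python model in which the client wraps a request once per relay and each relay removes only its own layer. The relay names, keys, destination and the stand-in cipher are assumptions made for illustration; Tor's real protocol and cryptography differ.

```python
import hashlib
import hmac
import json
import os

# Teaching model only: the cipher is an HMAC-SHA256 keystream so the example
# runs on the standard library. It is not the cryptography Tor itself uses.

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt and authenticate one layer under a single relay's key."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def open_layer(key, blob):
    """Remove one layer; fails if the layer was sealed for a different relay."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this relay, or was altered")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def build_onion(request, destination, path):
    """Client side: wrap the request once per relay, innermost layer first.

    path is [(relay_name, key_shared_with_that_relay), ...], entry to exit.
    """
    names = [name for name, _ in path]
    next_hops = names[1:] + [destination]
    blob = request
    for (_, key), next_hop in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = seal(key, layer)
    return blob

def route(onion, path):
    """Pass the onion along the path and record what each relay learns."""
    seen, blob, prev_hop = [], onion, "client"
    for name, key in path:
        layer = json.loads(open_layer(key, blob))
        blob = bytes.fromhex(layer["data"])
        seen.append({"relay": name, "prev_hop": prev_hop, "next_hop": layer["next"]})
        prev_hop = name
    # After the exit relay removes the last layer, the request is in the clear:
    # the exit sees its content unless the request itself is encrypted (HTTPS).
    return seen, blob

# Constructed sample circuit; real circuits negotiate fresh keys per relay.
SAMPLE_PATH = [(n, hashlib.sha256(b"constructed key " + n.encode()).digest())
               for n in ("entry", "middle", "exit")]
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    onion = build_onion(SAMPLE_REQUEST, "example.com", SAMPLE_PATH)
    seen, delivered = route(onion, SAMPLE_PATH)
    for row in seen:
        print(row)
    print(delivered == SAMPLE_REQUEST)
```

No single relay in the output sees both the client and the destination, which is the property the onion layering is meant to provide.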
UNDERCOVER OPS While criminals lurk in the shadowy recesses of the darknet, so too do law enforcement officers from around the world. A colleague in the UK complained that he’d bought too many knives and drugs to know what to do with.
I spend countless hours surfing Tor sites looking for child pornography producers (distinct from distributors, who are often careless enough to use the surface web to exchange their unforgivable goods).
Shopping for Trouble The intrepid cyber-security reporter Brian Krebs has taken on so many darknet criminals that his local police department had to come up with a special procedure when someone calls to report a violent crime at Krebs’s house after SWAT teams, alerted by darknet thugs that there was a “hostage situation,” had converged several times on his house.
Krebs has also had criminals send heroin to his house, and then call authorities with the tip to search his mail.
“The darknet is where the bad guys are,” a high-ranking federal agent told me. “We’ve got to get good at being there and looking like we belong there because that’s the only way we get into the kinds of conversations and relationships that will enable us to get leads and stop plots.”
Reputation Matters This raises an important non-obvious point: In a world of anonymous users, reputation—based on common interests and sustained consistent activity—is the only measure of trustworthiness. That’s something that keeps academics busy.
Of course, reputation is how good reporters and journalists arrange to meet with sources to safely learn of corruption schemes and criminal gangs.
The work done by these journalists is important in helping law enforcement and academic researchers understand new trends, and reporters can sometimes break stories based on darknet trading patterns.
Brian Krebs, for example, broke the Target hack. Steve Ragan, another cyber reporter, has for years reported on criminal malware and hacktivist groups.
Check It Out—Carefully Who else is on the darknet? The morbidly curious—those who want to see whether you really can buy heroin and speed (you can) or hire a hit man (you can).
The authors recommend you have a look around if only to see for yourself the kinds of wares (and warez, aka pirated software) for sale, to educate yourselves about how the rest of this blog isn’t a bunch of people making stuff up. On the darknet, no one knows if you’re a dog, but they do know if you have bitcoin (more on this digital currency in a bit).
The darknet may be a place to find guns, drugs, and hit men, but here are some of the stranger things you can buy on the DL.
Fake Coupons Grocers and snack companies have lost millions on everything from discounted cereal to free bags of chips.
Social Media Followers Wanna feel popular? For the low price of $25 USD, you can get 2,500 “followers” on Twitter.
Immortality You too can learn how to live forever! As long as you believe what the people selling the formula tell you.
Original Red Bull The energy drink now found worldwide was adapted from a more… potent formula originally sold in Thailand.
A New Identity Want to disappear? There are lots of guides on changing your identity. Plastic surgery not included.
DREAD PIRATE ROBERTS AND SILK ROAD
The internet has enabled new business models that connect buyers and sellers from around the world for illegal transactions as well as legal ones. eBay was one of the first big online marketplaces, and it has carefully policed sellers to be sure no one is breaking the law.
So where’s an online shopper looking for something a little less conventional to go? It was only a matter of time before something arose to serve those interests.
The breakthrough for illicit online marketplaces came when bitcoin, a decentralized digital currency that works a lot like cash, was introduced. Word on the street was that bitcoin allowed you to make purchases online with perfect anonymity.
This turned out not to be the case, but it’s still a more stealthy way to operate than, say, using PayPal to purchase that shoulder-mounted grenade launcher you’ve had your eye on.
The first of the darknet markets, Silk Road was started in February 2011 by an anonymous self-taught administrator who later became known as the Dread Pirate Roberts, aka DPR. At the peak of Silk Road’s popularity, it was estimated that the operation was bringing in $10K–$13K USD a month.
Silk Road emerged at a perfect time. It was like eBay but for black-market goods—mostly drugs, both illicit and pharmaceutical. As with eBay listings, sellers were rated, and there was an escrow to increase trust in the transactions.
There were certain illicit goods that were prohibited. DPR’s philosophy was to hurt no one—thus child porn and stolen data were not allowed. DPR saw Silk Road as a new brand that would challenge the government status quo.
Buyers and sellers know this too and therefore keep minimal funds on the sites, in case they are seized. Criminals are both clever and greedy, and it seems like every new technology can be bent to nefarious uses.
More tech-savvy criminals arise all the time, competing with laws and law enforcement—both sides aided by technology, which is itself value-agnostic. But how bad might it be, really, to have a clean, well-lit place for illicit transactions?
For knowing the quality of the products sold? Some might say “Better the devil you know…”
KEEP YOUR IDENTITY OFF THE DARKNET With the increasing numbers of site hacks, it’s just a matter of time before your personal data is sold on the black market.
There’s not much you can do to protect yourself from someone else’s site getting hacked—that’s up to the site’s security technology. But you can use good account password hygiene.
Never reuse the same username/password combination on different sites. One of the first things hackers will do with freshly hacked data is automatically check the hacked username/password combos on numerous banking, social, and email websites.
If you use the same username and password combination at other sites, hackers could get into your accounts on those sites, even though those sites were not hacked. Use a complex but easy to remember password combination.
LET THE BUYER BEWARE Until recently, the U.S. dollar, in cash, was the preferred currency for black-market transactions. Cash is untraceable and anonymous, but it’s difficult to use cash for online commerce. Credit cards and other common payment methods leave a paper trail. That’s why bitcoin is so ideal for shady shoppers.
While, as noted above, they’re not entirely anonymous, the use of bitcoin “tumblers” and anonymizing sites can obscure one’s trail pretty well. Should you do this?
There is a legitimate reason to keep a light financial footprint, particularly if you subscribe to any number of concerns (or conspiracy theories, to unbelievers) about your government and its nosy ways.
Give It a (Careful) Go There are some reasons why a noncriminal user might consider these underground markets. For example, you might wish to rent access to the internet via another user’s computer elsewhere in the world where, for example, Netflix shows first-run films not available to U.S. users, or you reside in a part of the world where freedom of expression is limited and you want to be able to communicate with others about civil rights or human rights issues.
Approach with Caution Small mistakes in your “operational security” can have massive consequences. It’s not enough to be careful. You must be very careful and follow a strict set of procedures every time you enter and leave the darknet and even the deep web.
First off, don’t use your own computer for this kind of exploration. In fact, you shouldn’t even use a real-world one. Instead, download a bootable Linux image and always be sure to load your Tor sessions through that path. You should also load tools such as PGP (Pretty Good Privacy) encryption onto that bootable drive.
This setup will allow you to load your entire browsing session in the host computer’s memory so that, when you finish, you restart the computer and there are no traces of the activity on your hard drive.
We don’t recommend doing any shopping of course, but if you do get curious, don’t just use Tor to access darknet sites. For extra anonymity, you’ll want to use an additional VPN (virtual private network) to completely anonymize your traffic.
All these techno-stealth measures may seem like a lot of work, but they’re really the only way to access the darknet with any degree of security. And that’s important once you think about the fact that almost everyone who gets caught doing something illicit gets caught because of security lapses.
We will even go so far as to recommend using a clean laptop—completely devoid of any personal data or links to legitimate online accounts such as banking—and thus dedicated only to your deep web and darknet adventures. You certainly don’t want to be playing around in these neighborhoods with a computer that, if breached, would reveal a lot about your activities.
The darknet is a fascinating place to spend a little time exploring, but dangers lurk everywhere, even if you’re not doing anything illicit. Take reasonable precautions.
Don’t engage in any kind of illegal or questionable activity on the Internet.
If you do any transactions on darknet sites, even perfectly legal ones, use encryption for everything.
Disable all scripts in your browser before logging on to Tor.
Only use cryptocurrency for darknet transactions, and employ a tumbler to ensure optimal anonymity.
Change usernames and passwords frequently.
Minimize coin kept in escrow to avoid losing it in a bust or heist.
Use both Tor and a VPN to completely anonymize your traffic.
Keep your data on a thumb drive so that you can erase all traces from your regular machine.
GOOD TO KNOW
THE FUTURE OF THE DARKNET Since the darknet has come into being, multiple changes have already taken place, and things will continue to change. Specific marketplaces will come and go—they’re never going to go away entirely.
Regulatory changes may influence what is sold on the black market, and some goods (such as marijuana, in places where it has been legalized) may transition to white markets.
So what might we find on future black markets? In short: anything that is unregulated or highly regulated. This could be technology and drugs to augment the human body, government secrets, or new types of personal data, such as medical data collected by new consumer devices or household sensors.
One thing is for certain: Future systems will be more secure than the ones that we have today—but future hackers will be more sophisticated as well.
All these expenses mean that a loss can be devastating to the owner. And when home businesspeople, for example, conduct business on the same poorly protected Wi-Fi network on which their teenagers have access, tragedy is lurking just around the corner.
SET SOME GROUND RULES There are a few prime directives you have to follow in business: Buy low and sell high, always make payroll, and don’t make a mess where you expect to eat. In other words, if you’re selling merchandise on Facebook or eBay, use a dedicated computer for those transactions, and use it for nothing else.
HOME-BASED BUSINESS BASICS No matter how small your business, safeguarding it is critical. You might ask, “Who would ever target me?” The answer is “criminals.” They can attack you with great ease and with an efficiency, as our forward-looking leaders used to say of nuclear power, that is too cheap to meter.
There is actually a search engine on the internet that does nothing but map the machines that are sitting there connected to the internet—it’s called Shodan, and it is just one way that your internet-connected refrigerator is in fact known to hackers and vulnerable to attack. Protect yourself.
While most online small-business owners take at least some precautions against cyber attacks, many are still dangerously exposed. Here are some estimates of what risks they’re taking.
Build a Wall The first thing you will need is a business-grade firewall. This doesn’t need to be expensive—you can get a good-quality home-business firewall for about $200 USD.
But business firewalls do some things that home firewalls don’t do—or at least do them better: opening ports for virtual private networks, examining packets, and providing services that are above the needs of home users.
Stay Connected You’ll need a good, solid way to connect to the internet. Cable modem users might find it best to buy their own (I use an ARRIS modem, made by Motorola), as opposed to leasing one from the cable company, because the connection is actually better and a little faster. Also consider a managed DNS service.
This allows content filtering for your employees and can keep malware activity to a minimum. You’ll need a decent-grade Wi-Fi access point that supports at least WPA2 pre-shared key (PSK) encryption. Use a strong key and rotate it at least semiannually to keep terminated employees off your network when they are no longer employed.
Let Business Be Business Keeping your work separate from other affairs is about maintaining an atmosphere of professionalism and safety. Do not let your kids or nonbusiness users or traffic on your business network at all.
And buy a few hours’ help from a local computer outlet—it’s worth it to have a checkup on your business network and computer, as well as any necessary maintenance. The silliest thing to come out of the mouths of most smart people is, “I don’t have anything worth stealing.”
GROUND RULES FOR SELLING ONLINE Give me your first name, your occupation, and your home city, and I can likely find out almost anything about you in a few searches. Give me your email address, and I can get your Social Security number and full credit file in minutes. And I use legal sites. Imagine what criminals can do.
Even when selling something like a barbecue grill through local ads, be very careful about what information you reveal about yourself.
If you’re engaging in an online transaction or starting an online dating profile, consider creating a brand-new anonymous email address. Use your first initial only, and be careful about what information you give out.
Does Craigslist really need your full address to list a cabinet you’re selling? Of course not. Engage in emails with the person you are meeting, and trust your gut about what feels wrong—listen to your instincts, because they are correct.
If you get to the point of a phone call, consider a burner app (available on mobile phones) or a burner phone. Be slow to hand over your number, and agree to meet in public first.
Again: Your gut should be in the driver’s seat. Make sure someone knows where you are going and with whom you plan to meet—leave a bread-crumb trail in case something bad happens. Consider meeting at a sanctioned online transaction zone set up by local police departments for in-person transactions.
GOOD TO KNOW
DON’T WORK WHERE YOU PLAY When you are working at home, definitely think twice before engaging in any business activities on the same network that your teenagers are also using to play online multiplayer games at the same time.
In fact, you should probably just keep your business traffic out of all other networks, and keep all other traffic out of a business-based network.
The best way to do this is through a virtual private network (VPN), which is essentially an encrypted tunnel through which your business traffic is shunted back inside your business firewall and then out onto the internet at large.
Another option is a mobile Wi-Fi hotspot that only you are able to use and that you will be using for business and only for business. The advice from the movie Ghostbusters—“Don’t cross the streams”— should suffice here to keep you out of trouble.
GOOD TO KNOW
IMPROVE YOUR INSURANCE You shouldn’t assume that your homeowner’s or renter’s policy will cover you and all of your equipment that’s related to your small business—quite often it won’t, if you are genuinely running a business from home.
And it obviously won’t cover your data losses, no matter what. You’ll need some type of special business-related insurance rider to cover all the good stuff.
You’ll also do well to get your business set up with surveillance cameras that can store video in the cloud (off-site) and that will allow you to view the videos remotely.
Should you ever happen to become burglarized (or vandalized or worse), the first question the cops will ask you is, “Do you happen to have any surveillance video?” If you are able to answer their question with a yes, they will become noticeably more interested in their work.
STAY SAFE One exciting way to meet some of the less scrupulous people in your neighborhood is to install a lot of expensive business equipment in your house.
The realities of life in America mean that computer gear provides thieves with tempting targets, but there are steps you should take to protect the most important assets: yourself, your family, your data, and your equipment—in that order.
Save the Data Next up is your data. As the veteran of an office that was burglarized by thieves who stole our computers and our backup drive, I heartily recommend a cloud-based backup. Don’t skimp on a backup solution, especially in an era of ransomware—your backups are what will save your company.
Consider turning on BitLocker for Windows or FileVault for Macs to stop thieves from harvesting data from your stolen goods. This feature for Windows requires the Professional version.
Work with Employees For those who are considering hiring other remote workers, your considerations will be all of the above, plus ensuring you maintain control over shared data.
And when you part ways, you’ll want to be sure to get your equipment back and “de-provision” them (lock them out of your network and third-party applications).
SORRY BOSS, MY BAD
Employers are put at risk by their staff every day. Here are some of the most common goof-ups that can expose a company to risk.
SMALL BUSINESSES AND HACKERS Larger businesses and corporations may get a lot more visibility in the press when a hack happens, but that doesn’t mean criminals aren’t targeting small business every day.
In fact, smaller businesses occupy a certain sweet spot for cybercrime. That’s because they have more information and assets than a singular consumer, while also being unable to afford as much in terms of security as larger companies.
Just like real-world thieves, cybercriminals will happily take everything they can if they break in, including financial information and records that belong not just to you but to any consumer or client registered with your business—and all of those stolen identities can be used elsewhere.
Even your business machines can be locked up with ransomware or infected and drawn, zombie-like, into a botnet for other hacking misdeeds.
So, what can you do to protect your business, its data, and your clients from the effects of a data breach? Quite a lot, actually.
Get Insured Aside from the various security measures we’ve already covered, cybersecurity insurance is an important part of covering all your bases.
Make sure that the policies you consider will cover first-party liability (costs from a breach, legal fees, interruption of business, customer notification, and public relations) and third-party liability (to protect you should your company be involved in a breach that exposes sensitive information about others).
Purge Regularly Never retain business data longer than you must. Once data is not needed, or older than, say, a year, delete it all. Credit card numbers are highly regulated: Understand your obligations under the Payment Card Industry Data Security Standard (PCI-DSS).
Stage a Drill Make it a practice to, well, practice your business’s response in the event of a breach. Take the time to formulate, review, and (with each drill) update your response plan as necessary. Perform these exercises at least quarterly, look for any errors or holes in your plan, and then fix them.
Prepare for the Worst Should your business end up the victim of a hack, get to work immediately to find out exactly what happened and put a stop to it, whether that means software patches or a complete takedown and cleanup of your system.
Restore any damaged software and documents from backups. Contact your insurer, and get legal advice if you must. Inform your clients as soon as possible of the breach and its nature as it relates to them.
BACK IT UP Be rigorous about backing up data and storing it in separate places. The best bet is to store things locally, as well as in the cloud.
Small businesses can use commercial cloud solutions like Dropbox, SpiderOak, or Backblaze (about $100 USD for two years with unlimited data). Augment this with daily (or more frequent) snapshots of your environment stored elsewhere.
A good rule to remember for your business backups is 3-2-1: at least three total copies of your data, two of which are local but on different media (maybe a USB drive or a network-attached storage device) and at least one copy off-site.
And be aware that backing up is just your first step. At some point, you will want to test to see if you can restore files. Businesses have thought that they were backing up data only to have some level of corruption ultimately invalidate all the hard work they’d put in.
NEVER CHEAP OUT ON BUILDING AN E-GUARD
A GROWING BUSINESS
At last, your business has taken off. So, how do you scale up? The biggest problem for businesses as they grow is that they tend to continue using tools they have instead of reassessing their needs.
This is especially true with spending the money to upgrade computers because business owners don’t want to feel like they’re getting ripped off: “Why do I need a new firewall? The old one hasn’t burned up yet!”
Cyber incident responders see this all the time, even in publicly traded companies—especially ones that have grown quickly. Failures usually fall into two categories.
The first one is just that: a failure to properly scope technology requirements and scale technology purchases to match. The second is more insidious: it’s fast growth, during which executives make decisions to build now and scramble to secure later.
This is the most tempting thing in the world. I can tell you from the painful personal experience of having to break the news to senior executives at Fortune 500 companies that, because of decisions like that ten years previously, the cost to implement a fix is approximately 100 times what it would have been to do it right in the first place.
In the security industry, we call this “technical debt,” and it’s like using a high-interest credit card. You can go ahead and do it, but the day absolutely will come— we guarantee it—when the bank wants its money, and you find out about the wonders of compounding interest. Here’s how to avoid that pain.
Get Upgraded Find trustworthy, well-referenced security companies near you and ask them to help you review your needs and make recommendations.
These companies are generally easy to check out, and better firms have principals who regularly speak at security conferences, consistently publish articles and write blogs, and participate in the business community. Find two, and if they generally agree, then go with the one you like most.
Get Tough You’ll be looking at a beefed-up version of the secure home office we described. Seek out some kind of centralized authentication system, regular incremental backups and frequent snapshots of your environment, and encryption in every place it can fit.
You’ll need to hire a good information technology person to manage these systems or employ a company to manage your infrastructure as a service, an increasingly popular option.
You should also consider keeping your critical systems such as servers and firewalls under some form of maintenance contract or support by the vendor. Vulnerabilities in hardware, firmware, and software are constantly disclosed, and having maintenance will keep you up to date without having to either buy new equipment or learn from technical debt bankruptcy.
Get Backup This should go without saying, but back up all your business data… and then create a second backup, preferably off-site in a cloud storage server, for example.
And then consider a third—just in case. This may sound a little paranoid, but if something goes drastically wrong and you need to restore data, you’ll be glad you did.
Get Outside Help Consider hiring a third party to monitor your firewalls and other security gear for signs of trouble. You should have your internal tech person run vulnerability scans regularly so that you keep complete lists of what you actually have and what connects to your network (you won’t believe how difficult this is for many companies).
Have that double-checked by an outside firm, either regularly as a service or at least once a year.
Get a Checkup Every eighteen months or so, perform a security architecture review. Take this opportunity to reexamine the single most vulnerable part of most business networks: your assumptions.
Although taking this step might mean having to pay a bit more up front, it’ll be well worth it for the peace of mind it’ll bring. As someone who sends his kid to a private boarding school, I can tell you that the alternative is dramatically more expensive in the long run.
BRICKS AND MORTAR Any brick-and-mortar shop that has developed a great online presence gets a great benefit from the fact that the cost of maintaining this infrastructure is much cheaper than it used to be: Now, you park the entirety of your business’s electronic infrastructure in the cloud instead of maintaining it on-site.
But “cloud” does not mean “secure.” Cloud infrastructure still has many of the issues of traditional infrastructure, and if you’re selling goods online, you have issues of payment card industry compliance to deal with as well. Fortunately, most of this can be outsourced, reducing costs even further.
However, it pays to have third-party firms provide you with vulnerability analyses, architecture reviews, and penetration tests—especially against your primary business applications—regularly.
BACK UP PROPERLY If utilizing a Windows server, you can turn on shadow copies, which allow you to revert file changes made to the system. This can be done by starting the Volume Shadow Copy service and changing its startup type to Automatic via Services, found under Administrative Tools in the Control Panel.
You can then go to File Explorer, right-click on a drive, go to the shadow copies tab, and enable the option on the drive or on other drives on the system.
Shadow copies aren’t backups but a quick way to revert files or folders, such as when a user accidentally deletes a file or if a few files become encrypted by crypto malware.
You’ll need professional help in setting this up, but on the day ransomware encrypts all your files, or all your machines get stolen, it will be worth every penny you spent and then some.
ONLINE BUSINESS BANKING Business banking is where most companies get into trouble. The problem is that banks are not actually responsible for wire transfers and automated clearinghouse transfers made from your business account without your knowledge, provided that those transfers were made using your credentials.
Business accounts are not protected in the same way that personal ones are. Most banks will still try and help you claw back the stolen money, but in some cases where the victim of fraudulent transfers sued the bank, the bank turned around and counter-sued that customer… and won.
Keep It Simple Unless you employ more than, say, 250 people, we recommend not using online business banking without an actual two-factor authentication login and a voice verification from the bank. Weirdly, the only banks that seem to offer this without any hassle are not the big guys but the boutique banks.
Get Personal We have found that these smaller banks—the ones that provide personal bankers who know you and your voice, and who ask about your family—are usually the banks with the best possible security you can get.
The argument about the availability of bank branches is absolutely valid—but with the security upside of the most common vector of attack (wire and ACH fraud) handled, the inconvenience may be worth it. Oh, and we have found that the costs are just about the same between the big banks and the boutiques.
No matter what kind of online banking you prefer, we recommend using a dedicated computer for it. The less that computer interacts with the public internet, the less of a chance there is of your credentials being hijacked.
A SECURE WEBSITE A business without a website is simply not taken seriously. Where people get into trouble is trying to build an e-commerce website on the cheap.
That is a guaranteed disaster—note, I didn’t say almost a guarantee. It’s rock solid. If you want to sell things on your website, you need to understand that one of the internet’s most vulnerable things is the commercial web application.
The good news is that if you’re just looking for a basic web presence—a site consisting of a home page, contacts, information about your services or products, and that sort of thing—there are a lot of very cheap options out there that are in fact quite beautiful and professional looking.
Right now, I’m partial to Squarespace. They have designs you can personalize, and you pay a monthly charge for them to host it. They even make it very easy to buy your domain name—all these things that vexed your predecessors in the 1990s and aughts have been reduced to wizard-based menus.
Beyond any design aesthetics and good customer service you’ve built in, there are also some important guidelines to creating and maintaining a properly secure business website.
Stay Secure First, make sure your site itself, when built, is a secured one. This means your site’s address will have an https prefix instead of just http, along with a small padlock icon. This adds a layer of encryption and makes it harder for hackers to break in.
Further layers of security, such as a web application firewall (WAF), will add to your protection. A “secure and verified” badge added to your site, when clicked on, will also provide full verification to visitors, including the date of the last security scan.
Keep It Up to Date Whether you build your site yourself or trust someone else to do it, keep your software updated. New exploits are found on a weekly basis, and you don’t want to become the latest victim of something like the 2017 WannaCry attack in which computers that hadn’t installed a basic security update were hijacked to attack hospitals, phone companies, and others in 150 nations.
Run a Tight Ship Change passwords often, and keep them strong. Hide and rename admin directories in your business website to thwart any hackers, as they invariably will go after files and folders with names such as “admin” and “login.”
Be Transparent Display your business’s privacy policies on your website, explaining what data is collected, how it is secured, and what is done in the event of a breach; update your policy as needed.
GOOD TO KNOW
A STRONG DEFENSE IT security is best done in layers; the more there are, the harder it is to have unauthorized access. No matter the OS, no single silver bullet will keep you secure. So, what to do?
Turn on the firewall built into the OS. Inaccessible application port connections reduce security risk. Update software regularly, not just automatic updates, and keep antivirus software to protect your machine and data, including against malware.
Disable remote access if unneeded. Use 2FA and VPNs through a company firewall with support agreements (to add content filtering, remote access, constant updates, and malware protection).
Keep Wi-Fi separate and protected, and employ intrusion monitoring along with virtual LANs. Control with whom files are shared, consider security awareness training, and, last, keep all hardware in a secure room with restricted access.
GOOD TO KNOW
REPUTATION REPAIR Let’s say people are leaving bad reviews of your business on Yelp or Google. Instead of hiring services to try and “fix” your reputation, go online and answer questions and concerns. If a negative review on Yelp is followed by your side of the story and an offer to make things right, people tend to cut you some slack.
Real, useful content that shows your business in a positive light is often weighted more than complaints and slander by search engines. That said, if you’re an executive who said something untoward on Twitter, for example, and the story is picked up by the press, you’re in for a few years of reputation building.
In this case, a reputation repair service might take some of the weight off of you. But there is no way to erase stuff from the internet: Work on new, relevant, accessible content that search engines will value more than the bad stuff.
LOSING IT BIG TIME
It’s hard to do a scientific ranking of corporate heists, partly because the information is rarely made public, and partly because it’s hard to attribute dollar values. That said, here are some major breaches.
ORGANIZED RETAIL CRIME When people watch the news and see a breaking story announcing that, say, fifty million people’s credit card data was stolen from Target or Home Depot, they sometimes wonder, “Just what the hell can you do with fifty million stolen credit card numbers?” The answer is simple: You can sell them to other criminals—in blocks of 1,000 card numbers at a time.
Criminal Coding Criminals can monetize stolen cards in any number of ways, but one popular method involves gangs of crooks who buy a bunch of stolen credit cards and a magnetic card encoder (similar to the kind used to make hotel room keys).
They pay people to obtain cards of all kinds with magnetic stripes: used gift cards, used hotel room keys, stolen credit cards —anything with a stripe. Then the perps re-encode them with the information from the stolen cards.
When they’re done at one mall, they drive to another. Soon, they have a truck full of swag. And at some point, the swag gets sold on eBay or other online outlets.
There’s big money to be made, and that’s one of the reasons banks and credit-card companies rolled out chip + PIN cards, designed to combat exactly this kind of point-of-sale scam. This development means that criminals will have to find some new way to rip off card-holders and businesses. I have faith in their ingenuity.
Head spinning with all the ways someone might try to rip off or otherwise undermine your small (or not so small) business? Check these basics.
Encrypt, back up, and use strong passwords for data. Hire professionals to help set up systems.
Delete as much information as you can every week; you can’t lose data you don’t have.
Use a cloud-based service to back up your minimal set of business data.
Teach your employees the best security practices and policies.
Train any employee authorized to transfer money about inviolate procedures for wire transfers.
Employ two-factor authentication and do vulnerability and penetration tests regularly.
Take snapshots of all computers at least daily, if not more often, and store them encrypted in the cloud.
Have a plan in place in case any of your business-related devices are compromised, lost, or destroyed.
Run quarterly tabletop exercises to practice the plan and find problems with it.
Keep single-sign-on, forced-VPN, all-virtual desktops.
Run phishing awareness and other security programs as training for your staff.
Keep an incident-response company on retainer.
THE FUTURE OF MONEY
I used various apps on my mobile phone to pay for my transportation. Each of these apps had previously saved my payment details, so they automatically billed me in my native currency.
At one point, I actually needed cash for a purchase, but I just happened to have some U.S. dollars in my wallet, and the small-business merchant agreed to accept them. —Heather Vescent
In 2008, a pseudonymous developer operating under the name Satoshi Nakamoto released an open-source white paper describing a peer-to-peer method for creating a cryptocurrency called bitcoin.
In the beginning, the only attention it received was from a small group of crypto enthusiasts. Now, bitcoin has kicked off a currency revolution and re-envisioned money for the information age.
How Is Bitcoin Made? Unlike physical money, no one person or government owns the technology or concept behind bitcoin. New bitcoins are generated by people on the internet who competitively work to record and verify previous bitcoin transactions—starting from the very first transaction in 2009—in a process called mining.
Think of it as using your computer’s processing power to solve a complex puzzle. Whoever solves a step (or block) in the mining process is rewarded with a new amount of bitcoin.
Is Bitcoin Actually Money? The U.S. government sees bitcoin as a commodity rather than a currency, but many use it for transactions as if it were money.
Its value fluctuates, generally trending up as the number of new coins decreases, and acts like a stock at times, rising and falling based on perceived value. In 2009, the first bitcoin was valued at $0.07 USD, but it soared as high as $1,250 in 2017.
Will Bitcoin Replace Other Currency? Early on, many speculated that bitcoin could replace nation-state-backed money such as the U.S. dollar. Once it was released into the wild internet, it took on a life of its own and attracted a different set of users, forcing governments to react (with the U.S. government classifying it as a commodity, for example).
Nevertheless, it started a revolution—showing a viable new way of creating currency for the digital age.
Is Bitcoin Anonymous? One of the “features” of bitcoin is the ability to complete anonymous transactions. But this isn’t totally accurate.
Financial institutions require compliance with KYC (“know your customer”) regulation, so if you buy bitcoins from an exchange where you have a connected financial institution, your wallet can be traced to your identity. However, there are ways to set up anonymous wallets. In either case, the transactions are recorded on the blockchain.
There are hundreds of cryptocurrencies out there. Most are copycats or have been developed to expand initial bitcoin functionality.
All bitcoin transactions that take place are recorded on the blockchain—a database that acts as a public ledger and helps to reinforce the cryptography behind the currency. Transactions are each recorded with a time stamp, the amount of transaction, the wallet address that sent the bitcoins, and the address that received it.
With cash transactions, no one knows the details of your actions. With bitcoin, a certain number of transactions are formalized into a “block.” When each new block is recorded on the previous block, the transaction data is set in stone and can’t be changed.
The blockchain is the ultimate tracking system—it’s decentralized, no one can manipulate it, and any information added to a blockchain is also permanently recorded. Because the blockchain records are set in stone, it reduces the bitcoin’s full anonymity.
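The chaining and mining described above can be seen in a toy ledger. This is an added Python example, not code from the original article or from Bitcoin itself: each block stores the previous block's hash and must satisfy a small proof-of-work puzzle, so editing an old transaction is detectable, and anyone can list an address's full history. The field names, addresses, amounts, timestamps and difficulty are constructed assumptions; real Bitcoin hashes a binary block header with double SHA-256 against a far harder target.

```python
import copy
import hashlib
import json

DIFFICULTY = 3            # assumed toy target: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block


def block_hash(block):
    """SHA-256 of every field except the stored hash, in canonical JSON."""
    body = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def mine_block(prev_hash, timestamp, transactions):
    """Solve the puzzle: try nonces until the block hash meets the target."""
    block = {"prev_hash": prev_hash, "timestamp": timestamp,
             "transactions": transactions, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def build_chain(batches, start_time=1_700_000_000):
    """Mine one block per batch; each block commits to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine_block(prev, start_time + 600 * i, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """Return the index of the first block failing a check, or -1 if intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if (block["prev_hash"] != prev            # link to predecessor broken
                or digest != block["hash"]        # contents changed after mining
                or not digest.startswith("0" * DIFFICULTY)):  # puzzle unsolved
            return i
        prev = block["hash"]
    return -1


def history_for(chain, address):
    """Everything the public ledger reveals about one address."""
    return [(i, tx) for i, block in enumerate(chain)
            for tx in block["transactions"]
            if address in (tx["from"], tx["to"])]


# Constructed sample data: made-up addresses, amounts in satoshis.
SAMPLE_BATCHES = [
    [{"from": "addr_alice", "to": "addr_bob", "amount_sat": 50_000_000}],
    [{"from": "addr_bob", "to": "addr_carol", "amount_sat": 20_000_000},
     {"from": "addr_alice", "to": "addr_carol", "amount_sat": 100_000_000}],
    [{"from": "addr_carol", "to": "addr_alice", "amount_sat": 10_000_000}],
]


def tamper_without_remining(chain):
    """Copy the chain and edit an old amount, leaving the stored hash alone."""
    forged = copy.deepcopy(chain)
    forged[0]["transactions"][0]["amount_sat"] = 50_000_000_000
    return forged


def tamper_and_remine_first(chain):
    """Edit the old amount and redo the puzzle for that one block only."""
    forged = tamper_without_remining(chain)
    old = forged[0]
    forged[0] = mine_block(old["prev_hash"], old["timestamp"],
                           old["transactions"])
    return forged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("honest chain, first invalid block:", first_invalid_block(chain))
    print("edited block 0, hash left alone:",
          first_invalid_block(tamper_without_remining(chain)))
    print("edited block 0 and re-mined it:",
          first_invalid_block(tamper_and_remine_first(chain)))
    for index, tx in history_for(chain, "addr_alice"):
        print("block", index, tx)
```

Re-mining only the edited block moves the failure to the next block, because that block still commits to the old hash; a forger would have to redo the work for every later block as well.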
Investing in Cryptocurrencies Those who are curious about bitcoin and other cryptocurrencies can acquire them in multiple ways. The original method is to join in the mining effort, which means using your own computer and a set of specialized software (and sometimes extra hardware) to work on the blockchain, and thus unlock the next set of bitcoins by solving it.
Don’t be surprised if it takes a while, though: Mining on your own is akin to playing the lottery, while mining in a group (or pool) means getting a return equal to the fraction of the pool’s computing power that you’ve put in. Multiple exchanges are online, and you can also purchase cryptocurrencies from other people.
No matter the method, you’ll have to use an address—a public string of numbers—to send or receive bitcoins, similar to the way that an email address handles messages.
A wallet is actually just a private string of code that corresponds to the address, and stores the cryptocurrency info, keeping the bitcoins safe and accessible only to the person who has access to the wallet.
The wallet is not usually physical—although some people do indeed keep access to these digital wallets on a physical object, such as a USB stick, to reduce the risk of losing cryptocurrency in a hack.
For bitcoins or other cryptocurrencies to work in the market, they need a level of stability and buy-in. Here’s how that works.
Convenience or Anonymity? If you buy bitcoins from an online exchange, they will give you your own address and wallet. Once you have connected your bank account and once it’s been confirmed as yours, you can buy bitcoins from the exchange, storing them there on their in-house wallet, or you can export them to an outside address.
As an investment, bitcoin and all cryptocurrencies are high-risk. Bitcoins have been stolen, and legitimate exchanges have gone bankrupt and customers have lost their bitcoins.
In order to have a totally anonymous bitcoin wallet, you will have to resort to buying the bitcoins in person—yes, this means that you’ll have to physically hand someone cash.
They will then send bitcoins to your anonymous wallet. Since cash transactions are not tracked, you can have them transferred to a wallet that has no identity associated with it. (The electronic transaction will be recorded in the blockchain, regardless.)
Bitcoin and Black Markets Up to this point we have discussed the legitimate uses for bitcoin. But plenty of people out there also utilize bitcoin for illicit transactions, money laundering, or moving money around in ways that can’t be easily tracked.
There are innumerable black markets, and the most popular and active ones are always changing as old ones are shut down and new ones pop up.
The first and most notorious online black market was called Silk Road, and it was started by the Dread Pirate Roberts in 2011. Functioning much like eBay, Silk Road offered illegal and prescription drugs, hacked data, fake IDs, and more.
Silk Road was shut down by the FBI in late 2013, and the Dread Pirate was unmasked as Ross William Ulbricht, who is now serving a lifetime prison sentence.
The Future of Cryptocurrency In all likelihood, bitcoin and other cryptocurrencies will stick around for some time to come. The way has been paved for modern digital currency experiments, putting pressure on the traditional financial transaction methods to reduce bank and transfer fees, while increasing transfer speeds.
Although we will see more characteristics of this technology as part of our existing currencies in the future, it won’t entirely replace the U.S. dollar for groceries and gas anytime soon.
Cryptocurrency values fluctuate too frequently, governments see them as commodities at best, and the technology will continue to be targeted for hacks.
YOU CAN LAUNDER MONEY WITH BITCOIN
TRUE When you use cash to buy bitcoins from someone in person, there is no trail. Bitcoin wallets are not required to have identifiable information.
An anonymous email address can be used to start a wallet, which can then hold bitcoins. If you end up with a large sum of bitcoins and want to cash out, you can find someone to exchange them.
The trick is to keep identity data away from these bitcoin wallets. Cash transactions aren’t recorded, so it makes using bitcoins to launder money appealing. There are also “tumblers,” programs or sites that mingle fractions of BTC in multiple transactions. After a time, the bitcoins come out clean—well, at least in theory.
MOBILE MINUTES AS MONEY Currency is essentially a physical representation of value. Historically, gold and other precious metals and minerals have been used as a medium of exchange based on their rarity and perceived actual value. It makes sense that anything of mutual value between parties can be used as money.
Smartphones and Finances Anyone with a smartphone basically carries a tiny computer in their pocket and can connect to the global financial network.
Whether you are making a bank transfer, sending a PayPal payment, making a trade, buying a tomato at a farmers’ market, calling for rideshare, or paying with bitcoin through a QR code, today’s mobile phones are more sophisticated than the bank tellers of twenty years ago.
Credit Cards One of the money dreams of the future is the creation of a single global unified currency. We already have that today in a way, thanks to credit cards that are accepted almost everywhere and have excellent fraud protection.
But even with the best security system, sophisticated social hackers can successfully impersonate you despite the strictest precautions. Credit cards are never going away and are a de facto universal currency.
Blockchain Expansion While they may sometimes vary in perceived value between curiosity and commodity, cryptocurrencies aren’t going anywhere anytime soon—and neither is the blockchain.
In fact, the concept of the blockchain can be applied to other parts of the world’s economy, and not just for tracking of cryptocurrencies and the transactions they are used in.
As the transactions on a blockchain are set in stone once recorded, the technology could be used to create cheap, tamper-proof public registries of who owns various land or property, notarize documents without the need for a notary on-site, and even ensure the security and value of stock market and other high-value trading systems and financial transactions.
In the end, the future of money must include more security and convenience while being easy to use. As technology continues to innovate, we will also have to keep up with bugs, flaws, and loopholes, fixing them as they arise.
KNOW YOUR CUSTOMER Any financial institution out there has to have a degree of security, stability, and trustworthiness in order to operate, and that includes having stable customers.
Traditional banking regulations require banks to know their customers (called “KYC” in bank speak). To comply with these financing regulations, banks have to confirm the identities of all their account holders.
When you open some bitcoin wallets, especially any that are connected to traditional bank accounts, you may have to prove your identity. It’s not recommended to do illicit transactions or make black-market purchases with these accounts—unless you want to increase the chance of being busted.
However, there are other ways to acquire bitcoin that do keep the purchases anonymous and can also facilitate money laundering.
GOOD TO KNOW
SMART MONEY, SMART THIEVES You might think that increased surveillance and face-recognition software would help catch the guy who stole your wallet, especially with all the cameras out there. But the problem is accessing the data before it’s deleted and then taking action on it.
In the case of Quentin Hardy, whose wallet was stolen in San Francisco, the thief used his stolen credit card for Uber. The card was connected to an existing account, and since Uber keeps data on all its rides, it had info about the thief—including GPS data that might show where the thief lived.
The problem with this is getting the data, which often can only be legally released to law enforcement, and the infraction has to be big enough to warrant an investigation. Often, it is not. And even so, by the time the police get around to seeing the video footage, it may have already been deleted.
DIGITAL SAFEKEEPING In the future, we won’t get to simply stash our cash in a safe or under a mattress. New forms of finance mean new protocols for keeping your money safe.
Keeping Online Integrity While many governments offer individual reimbursements from fraud, business accounts are not always guaranteed the same security, and online banking and fraud protection are not typically in the hands of the user.
Look for financial institutions that have good security—sometimes it’s hard to find out which ones have been hacked because no one wants to disclose that information.
Use robust passwords in online banking, change them often, and don’t reuse old passwords. Limit who you share banking authentication credentials with to reduce the chance of unauthorized transfers or transactions.
Stay Secure with a Selfie Banks are motivated to use secure systems. Passwords can be difficult to enter on a mobile device, so banks have other secure authentication options: your fingerprint, a PIN, or facial (or even voice) recognition.
The secure selfie is even hacker proof—you must blink or make a facial gesture that you can’t duplicate with a photograph.
Be Safer with Biometrics Biometric verification has been thought of as the great fail-safe. The idea is that it’s near impossible to replicate someone’s fingerprint or iris or retina, although hackers (and Hollywood) have shown ways to duplicate a fingerprint. Unlike a password reset, it’s not that easy to get a new fingertip or eye.
CHIP AND PIN CARDS CAN’T BE HACKED.
FALSE Chip and PIN credit cards were first released in the United States in 2015 to decrease fraud and identity theft. But it turns out that they are not as secure as we might think. In Europe, to use a chip and PIN card, the PIN is entered at the point of sale. This would make impersonation very difficult—or would it?
In 2015 in Europe, a creative team of criminals devised a man-in-the-middle attack by soldering a different chip onto the card, which was then able to accept any PIN entered.
To manage such sophisticated card hacking required a certain level of know-how, skill, and artistry—but it was one that ultimately resulted in the thieves getting $680,000 USD worth of free goods.
Living with the Law Depending on where you are in the world, local laws restrict gambling online as well as in person, especially in the United States. The Federal Wire Act of 1961 has been construed by courts to mean that it covers all forms of gambling.
The FBI may not break down your door if you bet a dollar on that online poker forum, but the legal risks are still present, as well as dealing with the tax issues should you win big.
Supporting Your Local Mob There are plenty of historical ties among gambling, casinos, and organized crime, and internet gambling is no exception. Plenty of gambling sites are relatively legitimate, but it’s just as likely that a given online casino could also be a place where money is being laundered and other shady dealings are being supported behind the scenes.
Going for Broke The biggest risk associated with gambling is losing all your money or developing an addiction, or both. Humans tend to respond strongly to game-of-chance situations, due to a psychological effect called intermittent reward: If you don’t know when to expect the payout from a gamble, there’s a chance you’ll keep trying over and over.
And if you can go for that potential reward without having to leave your house and visit a casino, you could easily empty your savings account while still in your pajamas.
Making Your Loss Their Profit Whether the risk is tied to organized crime or no, internet gambling requires spending money, either by transferring funds from a bank account or providing a credit card number or some other means of sharing your financial information.
If a gambling site you’re visiting gets hacked and you have any information saved there (or any money left in an account on-site), then you run the risk of getting your finances stolen.
Putting your money where your modem is opens you up to all kinds of new and exciting financial risks. Here are some methods of staying safer while spending online.
Monitor your accounts.
Set up alerts for your accounts and for purchases over a certain amount.
Use a strong password, and don’t use the same password for multiple accounts.
Use a stronger password for your financial accounts than anywhere else.
Use multifactor authentication.
Use credit cards that offer fraud protection and identity protection.
Monitor your credit score.
Use financial services that offer biometrics, or three- (or four-) factor authentication.
“Launder” your cryptocurrency by using services that obscure the source.
Use cryptocurrency like a one-time pad: buy the coin, launder it, make your purchase, and erase all records.
DEGREES OF DECEPTION
Fake college degrees are held by tens of thousands of deceptive doctors, lawyers, therapists, teachers, and others whom we count on to be well trained.
And that doesn’t include the thousands more noncriminal but naive degree holders who simply fell for a fast-talking salesperson who convinced them to lay down heaps of money for nothing more than a worthless piece of paper—one that may, in fact, be a lot worse than worthless.
A fake degree can be a career-ender if it should be exposed— and that’s to say nothing of the risk to others before the truth comes out.
3,300 Estimated number of fake or substandard universities worldwide
50,000 Number of fake PhDs bought each year in the United States (more than the 45,000 earned legitimately)
5,000 Number of fake medical doctors identified by a Congressional sub-committee
100,000 Estimated number of United States federal employees with fake degrees
$300,000,000 USD Value of worldwide sales of false degrees each year
$1 USD Lowest cost of a fake degree (excepting those thrown in as a bonus for larger orders)
0 Hours of study required for the average fake degree (if the check clears)
3 Number of James Bond movies students needed to watch to earn a degree from the late Eastern Caribbean University
BUYING FROM DIPLOMA MILLS People purchase degrees for any number of reasons, but the following are the most common.
Employment Opportunities Many jobs will require that people in certain positions have a specific degree (or, sometimes, any degree), which can lead job hunters to fake it. Others believe that the esteem of an advanced degree will give them an advantage in the market.
GOOD TO KNOW
FALSE WITNESS One of the more frightening subsets of prestige, or being seen as an authority in a particular field, is the matter of expert witnesses in court cases. A lot of damage can be done—but the courts rarely seem to check the legitimacy of those witnesses.
The Case of the Fake Engineer One particular self-styled automotive engineer testified on the behalf of an auto manufacturer that the brakes on a vehicle involved in a fatal accident “could not have failed.” This man was later exposed on the witness stand as having bought his credentials from a notorious degree mill.
NONSTANDARD SCHOOLS Not every nontraditional school out there is a bad one—some are just, well, not traditional. One thing to be aware of is that shady schools may well use the cover of one of these legitimate alternatives to disguise their own lack of a proper curriculum.
New Ideas Educational models change—not long ago the idea of earning a degree online was crazy. Now it’s standard. But beware of schools that claim that they are too innovative to be accredited.
Many totally legitimate and academically rigorous degree programs are offered online. So are a lot of worthless scams. Here’s how to tell the difference.
Check the school out in a reputable college directory.
Only deal with accredited universities—and don’t take it on faith that they’re accredited. Check.
If it sounds too good to be true, it probably is. If the only “work” required for your degree is giving them your credit card, be very skeptical.
Ask to speak with graduates of the program you’re interested in.
Ask if you can “audit” some online courses to assess the instruction and student engagement.
Scope it out on Google Earth.
Visit the school in person to check out their facilities.
If you can’t travel to the location, see if you can hire a local through TaskRabbit or Craigslist to play private detective and snap some images of the buildings and grounds.
SEX AND LOVE IN THE CYBER AGE
Almost from day one, the internet has helped those with lonely hearts (or other body parts) make connections with others, as well as providing a wealth of erotic entertainment to the home viewer who might never have ventured into a shady adult bookstore in real life.
As long as nothing illegal is taking place, and everyone involved is a consenting adult, you might ask what’s the problem? Unfortunately, there are still bad guys out there who are very much aware that we tend to act impulsively when we’re hot and bothered.
We might take more risks to get an immediate reward, such as clicking on a sexy link without thinking about the source. Sites promising illicit affairs and easy hookups could lead to personal data being compromised, and offers for easy money from online camming can prove to be a trap for the unwary.
From inadvertently downloading malware that cripples your computer along with those tempting sexy pictures, falling for a complicated catfishing scam, or having those compromising pictures or videos used against you, a wide range of financial, technical, and emotional risks abound for an unwitting user. This blog will explore things to watch for and safety measures to take.
SET UP A SEPARATE EMAIL TO USE JUST FOR DATING TO PROTECT YOUR PRIVACY IN CASE OF HACKS OR STALKERS.
ONLINE DATING Whether you’re looking for The One or simply a one-night stand, the internet is, to a greater and greater degree, becoming the place to go for those connections.
Entire blogs and websites are dedicated to the basic etiquette of online dating as well as how to stay safe, whether you are having your encounters online or in person. Here are our top security tips.
Have a Conversation Most online sites and dating apps work pretty much the same: you view potential dates’ pictures and profiles and then have a chance to message them.
If they find you equally interesting, a chat ensues. This is a great way to get a feel for who someone is. Be cautious about divulging personal information too soon, but do take the time to get acquainted, and pay attention to cues.
If someone pushes for your phone number, requests sexy pictures, or sends some to you unsolicited, these are major red flags. For better or worse, many potential dates will disqualify themselves early on through this sort of behavior.
Take It Offline Once you have a good feeling about a person you’re chatting with, you’ll probably want to suggest a meeting. It’s best to make that meetup a safe and low-key one, such as getting together for a cup of coffee during the daytime in a public location. This is another tip that will disqualify some unsavory types right away.
If the potential date comes up with excuses about why that’s impossible, they may be a scammer looking to steal from you once they’ve gotten your confidence, or they might be a jerk who won’t take “no” for an answer.
LOOKING FOR LOVE?
Who’s out there seeking connection? As it turns out, millions of lonely hearts. Here’s how some major dating apps stack up.
Be Cautious Before you meet up with your new acquaintance, tell a friend where you’ll be and with whom, and arrange to contact your friend at a certain time. You can even inform the person you’re meeting about your check-in plans as another test of their personality—and hopefully, they’ll be understanding.
It might seem like overkill, especially if you have good instincts about someone, but this really just boils down to the “better safe than sorry” adage.
CATFISHING SCAMS Broadly used to describe the practice of creating a false online profile to deceive people looking for genuine relationships, catfishing is sometimes done by bored trolls looking to mess with people’s minds.
In more malicious cases, the catfisher may request sexy photos or ask for cash (often a “loan” so that they have an excuse to meet the victim in person).
If you think you’re being led on—if those photos seem just a little too staged, or if your new friend won’t chat on the phone or meet in person—it may be catfishing. Many folks use stock photos or other people’s profile images.
Try dragging one of the pictures into Google image search and seeing what comes up. Your love interest may have also tried the same sweet words on other folks. Cut and paste a line or two from their come-ons, and see if anything shows up, perhaps in a post warning of this scammer.
GOOD TO KNOW
RECKLESS REPORTING During the 2016 Brazil Olympics, a journalist used various hookup apps—including Grindr, which enables its users to track each other by location—to look up gay Olympic athletes and out them.
Aside from this being a serious breach of journalism ethics, outing others without their permission is disrespectful and, in some cases, can put their lives at risk.
Some of those athletes may have been from nations where homosexuality is considered a crime—in some places, even punishable by the death penalty.
If you’re concerned about your own safety and privacy as a user, then you should probably avoid using these sorts of tracking apps. This means you’ll have to find another way to meet new friends, but the lack of convenience is worth your safety.
STATS ON SEXTS
Who’s sending all those salacious images and texts? As it turns out, quite a lot of people are getting digitally flirty.
FLIRTING AND MORE Online communication often leads to flirting and sexy talk far more quickly than it would otherwise develop in person. There’s something about the intimacy of chat (perhaps especially at home after a few glasses of wine, or when lonely and bored) that can make one get naughty fast.
This can be good not-so-clean fun, but you shouldn’t let those thrills make you vulnerable. Here are a few things to keep in mind before you share that saucy fantasy or racy image.
Safe Sexting You should think twice about sending racy messages over your standard text app, even if there’s nothing inappropriate going on.
After all, things might change, and a former partner might try to use the revealing information to embarrass you. (You also don’t want an X-rated message popping up on your lock screen if your phone happens to be on your desk at work where anyone can see it.)
For anonymity, you can go with apps such as Kik or Wickr, which let you set up a username rather than sharing your phone number. You can also use something like Facebook’s messenger app, but be aware that the company has the right to read your messages and may use information in them to target ads to you.
Picture This Take extra caution when you’re sending sexy images. You might accidentally forward a message or post it on social media. Even transient social media apps such as Snapchat aren’t safe: People can still take screenshots, and the companies that host the servers for said software could potentially snoop.
Just because you don’t share a face pic online doesn’t mean you’re safe. A friend of mine felt deeply betrayed when she discovered that her ex-boyfriend had shared nude images of her with his friends while they were dating.
The sexy photos didn’t show her face, but the hurt and shame weren’t made any better by that. They still knew who she was, after all.
SAFE BROWSING Humans have been looking at sexy images for probably as long as we’ve been painting on cave walls. The availability of internet porn speaks to ancient desires—but with a whole host of modern considerations.
Certainly, not everyone views adult content on the internet, but many do, so without weighing in on the morality, here are some best practices and common concerns.
Financial Security Porn sites can’t use the same credit card systems that other sites use (because many banks deny merchant accounts to adult service providers), so they don’t have the same protections as other online retailers.
While there are some systems that are well known and secure, it’s recommended that you use anonymous prepaid credit cards for site access or purchases. Definitely don’t use your regular debit or credit card.
It’s not uncommon for unscrupulous sites to add fraudulent charges on the assumption that consumers will be too embarrassed to complain to their bank if it means admitting what they’d been doing online. Don’t fall for this—customer service reps at your credit card company won’t mock you, and they’re familiar with these scams.
Malicious Invaders Anything you download could contain malicious software. Use protective software, special browsers, or a virtual machine (or a combination of these) to preserve the integrity of your software. In addition, avoid clicking on ads while browsing, as so-called “malvertising” can infect your computer with one click.
Data Mining Data is constantly being collected about your browsing behaviors, even if you’re using private browsing, and this data is then used to market to you.
Sometimes this “marketing” comes in the form of viruses packaged in a link that hackers have determined you might find hard to resist, given the kind of adult media you prefer to view.
And even cautious browsers can click impulsively if the promised images are intriguing enough. Again, protective software measures can help here, though they may not eliminate the data collection entirely.
GOING INCOGNITO Normally your browser keeps track of information to make browsing the web easier: your browsing history, cookies for login credentials, and a cache of downloaded images.
When you activate private browsing or incognito mode, these things are turned off. Dolphin is a Chrome extension that has an ad blocker incorporated and allows you to turn off all scripts, which protects you from self-executing malware.
The Firefox browser, meanwhile, offers the ability to install add-ons such as NoScript and Adblock Plus, as well as a private browsing mode, to reduce the chances of your computer being affected by scripts and malware as well.
This sort of software will ensure that your computer doesn’t retain your browsing history, but it doesn’t remove this information from the internet entirely. Your internet service provider and the sites can still monitor the traffic.
SECURE YOUR SELFIES You might be wondering about your own personal flirty photos and whether you’re safe from having private images stolen or being surreptitiously spied upon.
Obviously, the simplest way to avoid either is to not take such images or share them, but if you do share sexy photos, be sure the recipients know what you expect of them in terms of respecting your privacy; don’t be afraid to ask for them to be deleted.
If you want to keep that data, consider storing it on a USB or other portable drive disconnected from any computer and the internet, with the images encrypted or otherwise secured.
As always, use strong passwords. And keep your webcam secured or cover up the lens with a sticker when you’re not using it. Also, avoid visiting any sketchy sites that might end up hijacking your webcam with malware.
REVENGE PORN One particularly disturbing result of the ease of taking and sharing of digital images is the rise of what’s commonly known as “revenge porn,” the public sharing of sexually graphic images without the consent of the subject, usually with the intent to harm.
The standard case involves a vengeful ex posting images that might have been taken consensually at a happier time but were never intended to be made public.
After a breakup, the ex decides to try to hurt their former partner by publicly humiliating them or, even worse, opening them up to harassment, blackmail, or even attack.
Malicious culprits can also combine posting images online with doxxing, which means revealing personal information, such as someone’s name, address, or work details; this can take cyberstalking offline and bring physical harassment to the victim.
According to the Cyber Civil Rights Initiative (CCRI), 45 percent of revenge porn victims are stalked and harassed online by people who have viewed these images, with 30 percent also stalked in person.
Some 77 percent of victims have faced social and occupational repercussions, and 48 percent say they have contemplated suicide. In the wake of suicides and lawsuits, 34 states have passed laws against revenge porn.
WHAT TO DO IF YOU ARE A VICTIM Revenge porn is illegal, and if you are victimized, there are laws and nonprofits that can help. Many places have laws on the books, and cases have been successfully prosecuted.
Document the Violation For sites to remove images, you must have the original in order to prove you own the copyright. Document the usage. Don’t just save a link; take screenshots of the pages, especially if they are on 4chan, Reddit channels, or revenge-porn sites, or in Twitter direct messages. Be sure to include the URL bar or the name of the poster in the screenshot.
Identify the Perpetrator If you can identify the person who posted the information as the person you shared the image with in the first place, you can likely press legal charges.
Remove the Images Many sites will remove the images through a Digital Millennium Copyright Act (DMCA) takedown if you can prove you own the copyright. Other sites explicitly extort money from victims to remove the images. Document all communications: Save emails, take screenshots of text messages, make notes of any phone calls.
If you own the image—for example, you were the one who took the picture—you own the copyright and can ask Google and other search engines to remove it from search results through a DMCA takedown notice. This won’t remove the image from the website where it is posted, but the image won’t show up in search results.
To begin the DMCA takedown process, you will need to submit a report to each search engine for each instance. This is why it is important to take screenshots. The search engine will require that you:
Give the URL of the website that is infringing on your copyright.
Prove you own the copyright by attaching the original image to identify the copyrighted work. If you don’t have the original, you might not be able to prove you are the copyright owner.
Sign sworn statements, and sign and date the submission.
Press Charges There are laws against revenge porn in thirty-four states as well as Washington, DC. Revenge porn laws fall under stalking and harassment, unlawful distribution of sexual images, disorderly conduct, violation and invasion of privacy, nonconsensual pornography, and unlawful dissemination of sensitive images.
YOUR WEBCAM CAN BE HACKED
TRUE The good thing is that this is a bit complicated. Before hackers can take over your webcam, they have to convince you to install malware. How do they do that?
They could send you an email with a link to launch a script starting an installation process, or they can send the script hidden in a document, image, or video file.
Once the malware is installed on your computer, it takes some skill on the hacker’s part, but your cam can be compromised. How do you protect yourself from this scenario? Don’t open or download unusual documents from people you don’t know. Also, use a piece of tape or other webcam covering when it is not in use.
PRACTICING SAFE SOFTWARE If you want to view naughty images or video online, you can do so safely with a few precautions. Use a web browser that doesn’t automatically run scripts, Java, Flash, or Adobe Reader—or add a plug-in such as NoScript, which lets you control the scripts run by each site you visit.
And use an ad blocker—some ads can have malware and executables in them. This also helps to stop sites from redirecting you without your consent.
You can also use browser plug-ins such as Ghostery to show what scripts are running in the background of every website. As you browse, check the link in your browser bar at the bottom of your browser to see where it is taking you.
Stay away from sites that redirect you, and avoid the chance of infection by steering clear of downloads of any kind. You can still watch sexy streaming videos online.
KEEPING YOUR MACHINE CLEAN As with any online activity, use common sense when browsing sexy sites. Legit porn operators know their sites can be targeted for attacks and infiltrations, so they’re incentivized to catch problems fast so that their customers have a positive experience.
Research which are the safest porn sites online, and ask open-minded friends for recommendations. Here are some added levels of security you should employ.
Limit Your Devices Whatever device you use, be sure it’s secured. Update virus protection and run malware and spyware checks on a regular basis.
Clear your caches, too; your phone could be stolen, or your cloud account could be hacked, revealing your browser history, so delete images and clear your trash on a regular basis.
And consider keeping it to one device—some people choose to view porn only on certain devices to lower their risks. For example, only watch it on a computer with up-to-date security software.
Keep It out of the Office It should go without saying not to use work devices for porn or sexting, but news stories tell us that this advice hasn’t gotten through to everyone.
In fact, a recent UK study reported that 10 percent of office employees admitted to watching porn at work—and those are the ones who fessed up, so we can imagine the real numbers are much higher.
Depending on where you work, this can be a firing offense—and even if it’s not, you really don’t want to have that conversation with HR, especially if you’ve also infected your company’s network with malware.
Go Virtual A virtual machine is a separate environment that runs on top of your existing operating system. Running a virtual machine enables you to browse without putting your whole operating system at risk.
If you download malware or a virus, it infects the virtual machine, not your whole computer, and when you end the virtual session, everything in it disappears, including that infection.
Pay Safely Legitimate free porn sites do exist, many with limited material and incentives for membership. If you pay for content, be careful who you give your information to.
Some credit card companies will give you a virtual number; when used, it charges to your main account, but if stolen, it’s easy to turn it off without canceling the basic card. You can also use reloadable prepaid cards.
When looking for love on the internet, sending racy images to a special someone, or viewing racy images yourself, you’re vulnerable. Practice safe sexting!
Secure access to your devices (using PINs and lock codes) and use two-factor authentication.
Use different email addresses and anonymous accounts for dating or hookups. Never use your work email for anything dating-related.
Use a private SMS and voice call app to communicate with potential dates or hookups.
Watch free porn, or use prepaid credit cards and stop subscription payments after you cancel.
Use bitcoin for payment.
Hide your face and anything that would make you identifiable when taking sexy pictures.
Use secure apps only for sensitive messages and set a timed message delete.
Never send a photo or video that you wouldn’t want to have made public if it goes astray.
INTERNET VIGILANTES AND MOB RULES
Welcome to the dark world of trolling, doxxing, Anonymous ops, and online mobs.
The internet has decentralized everything, and harassment and mass protesting are no different. Online harassment can escalate to death or rape threats, prank calls to police departments, canceled speaking events, ruined careers—even driving some victims off the internet completely. Who are these trolls?
Some want to entertain themselves or get off on manipulation, but the majority are bored teenagers who have turned to the internet to create their own drama, to get back at their friends, or to win one-upmanship points. Having said that, the same technology can also be used for positive ends—stopping animal abuse, shutting down spammers, and protesting unfair internet laws.
Technology brings out the best and the worst in humanity. Learn how to protect yourself when the worst of humanity unleashes itself on the internet.
MEET YOUR INNER TROLL It used to be thought that mean people are born that way. But a new study from Stanford University suggests that, under the right conditions, anyone can be a troll.
The experiment exposed subjects to negative moods and/or comments and then asked participants to make their own comments.
Those exposed to either the negative mood or comments were more likely to post negative statements; subjects exposed to both negative mood and comments were even more likely.
Negative comments can have serious emotional power—causing a downward spiral, with users returning to defend their statements and dig in their heels deeper.
The negativity builds on itself and keeps growing. It’s true: Just like laughter, trolling is contagious. Next time you’re cranky and tempted to troll, pause, take a breath, then step away from the internet to cool off.
TROLLING The word “troll” conjures up images of a monstrous figure lurking under a bridge, but its origins are a different beast altogether. The word comes from the verb “to troll,” which describes the fishing method of dragging a lure as bait. Internet trolls are similarly using “bait” when they post incendiary, hostile, and provocative information in order to lure others into having an argument with them.
Trolls love to provoke people to get a reaction, and they also enjoy keeping the game going as long as possible, indulging in all of the anger and frustration they evoke.
In internet-speak, lulz, derived from the slang term LOL (from “laugh out loud”), is laughter at the expense of others, a sort of modern schadenfreude. “Doing it for the lulz” means that trolls do what they do specifically so they can get an emotional rise out of their target.
BAD BEHAVIOR Trolling, harassment, and bullying create emotional distress and can lead to offline violence and real-world crimes, such as stalking or swatting. Trolls pop up in video game chats, review sites, on forums (especially 4chan, 7chan, and Reddit), and social media sites, including Twitter and Facebook.
Trolls love all comment sections—in news stories and on YouTube, Tumblr, and even your blog if you’ve caught their attention. Companies have been trolled on Yelp, and individuals (including a White House spokesperson) have even been trolled on the payments platform Venmo. One thing is certain: Trolls are creative, and where they can troll, they will.
What They Do Online harassment includes sending nasty emails, sharing victims’ personal information online, and calling for violence against targets. Many women even receive death and rape threats.
Stay Clear Trolls have no rules and will contradict themselves. They aren’t logical, so don’t bother trying to reason with them. They start arguments, post negative and shocking comments, give wrong information, and get people riled up. They’re after angry reactions that keep the reprisals coming—they delight in creating chaos.
Trolls sometimes work together, posting targets in shared troll forums so that many of them go after the same target. These trolls get cred for participating in such ops.
GOOD TO KNOW
KNOW YOUR ENEMY Trolling takes a number of forms, including these common ones.
Dogpiling An internet cybermob descends on its target, trying to overwhelm, exhaust, and humiliate the victim.
Concern Trolling Someone gives “helpful” advice that’s actually meant to belittle and demean the target.
Gaslighting The act of manipulating victims to make them doubt their own perception, memory, and sanity. If an abuser says it’s not abuse, you are being gaslit.
Gish Galloping The objective in gish galloping involves a nonstop attempt to wear victims down, waste their time, and distract and sidetrack them. It’s death by a thousand micro comments.
Impersonation Trolling As a way of discrediting targets, some trolls create fake social media accounts in their names and post provocative statements. Trolls might even take these false statements from the fake social media account and accuse the account holder of having made those statements.
Newbie Trolling There are always newcomers to online communities, and these folks can be taken advantage of by those sharing bad advice or giving misdirection.
Sea-Lioning These trolls join an online conversation and ask targets for their evidence. While generally civil, they question the facts and constantly challenge them—and then play the victim when their harassment is called out.
Shock Trolling Similar to radio DJ “shock jocks,” these trolls go into a sensitive community (usually a religious or political forum) and stir up trouble by posting incendiary responses, images, or links.
RANDOM ACTS OF TROLLING
It’s theorized that the anonymity of the internet allows people to unleash their worst selves and hassle complete strangers. The facts as reported by victims of harassment online seem to bear this out.
KEEP CALM AND CLICK ON Trolls poke at you in order to evoke an emotional reaction. The most important thing to remember is “don’t feed the troll.” Sure, it’s hard to control yourself when someone is pushing all your buttons, but that’s what the cyberbully is after.
Stop a moment, take your hands away from the keyboard, take a breath, and get up and go for a walk. If you don’t respond, the troll will get bored and go after an easier target.
Online communities have dealt with trolls from the beginning of the internet, and many have developed rules and software to keep trolls out. Soft banning is a technique that basically hides troll posts from everyone except the troll. If no one sees the post, it won’t get attention, so the troll gets bored and goes elsewhere.
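The soft-banning technique described above can be sketched as a per-viewer visibility check. This is an added example, not code from any particular forum package; the `Forum` class and its method names are hypothetical, and the posts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Post:
    post_id: int
    author: str
    text: str
    parent_id: Optional[int] = None  # None means a top-level post


class Forum:
    """Minimal forum model with soft banning (hypothetical design)."""

    def __init__(self, moderators: Optional[Set[str]] = None) -> None:
        self._posts: Dict[int, Post] = {}
        self._soft_banned: Set[str] = set()
        self._moderators: Set[str] = set(moderators or ())
        self._next_id = 1

    def soft_ban(self, user: str) -> None:
        # No notification is sent and the account keeps working;
        # that silence is what separates a soft ban from a hard ban.
        self._soft_banned.add(user)

    def add_post(self, author: str, text: str,
                 parent_id: Optional[int] = None) -> Post:
        # Posting succeeds for soft-banned users exactly as for anyone
        # else, so nothing in the response reveals the ban.
        if parent_id is not None and parent_id not in self._posts:
            raise KeyError("unknown parent post %r" % parent_id)
        post = Post(self._next_id, author, text, parent_id)
        self._posts[post.post_id] = post
        self._next_id += 1
        return post

    def can_see(self, viewer: Optional[str], post_id: int) -> bool:
        post = self._posts[post_id]
        # Moderators see everything; authors always see their own posts.
        if viewer in self._moderators or viewer == post.author:
            return True
        # A soft-banned author's posts are hidden from everyone else,
        # including other soft-banned users.
        if post.author in self._soft_banned:
            return False
        if post.parent_id is None:
            return True
        # Replies under a hidden post are hidden too, so an earlier
        # argument with the troll does not stay on display.
        return self.can_see(viewer, post.parent_id)

    def visible_ids(self, viewer: Optional[str]) -> List[int]:
        # viewer=None models a logged-out reader.
        return [pid for pid in sorted(self._posts)
                if self.can_see(viewer, pid)]


def demo() -> Dict[str, List[int]]:
    forum = Forum(moderators={"mod"})
    first = forum.add_post("alice", "Great article.")            # id 1
    bait = forum.add_post("troll", "Bait.", first.post_id)       # id 2
    forum.add_post("carol", "That is wrong.", bait.post_id)      # id 3
    forum.add_post("bob", "Agreed, Alice.", first.post_id)       # id 4
    forum.soft_ban("troll")
    forum.add_post("troll", "More bait.")                        # id 5
    return {name: forum.visible_ids(name)
            for name in ("bob", "troll", "carol", "mod")}


if __name__ == "__main__":
    for viewer, ids in demo().items():
        print(viewer, ids)
```

The troll's own view is unchanged, so there is no visible signal to react to, while a moderator view keeps everything available for documenting the harassment.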
You can’t predict whether you will be the target of online harassment. Women are typically harassed more than men, but anyone can be targeted for any reason, including political or religious beliefs. If you end up the victim of a troll or online harassment, here are some helpful responses.
Don’t Engage Do not respond or show emotion when provoked. If you show the slightest reaction, they will go in for the kill. They can be relentless, and sometimes when they don’t get a response, they will escalate further to provoke you into responding.
Document Everything Take screenshots of incendiary texts, tweets, and comments immediately, as they can be removed. Keep a harassment diary. If it’s too upsetting for you to do it yourself, have a friend take over for you.
Protect Yourself Use strong passwords, and turn on two-factor authentication to make it harder to hack your accounts. Remove your personal information from the internet to make it harder to be doxxed.
Take Legal Action Contact the appropriate authorities. Make a police report, although officers may not be able to help much unless the harassment goes outside the internet.
Vent Safely Trolls delight in upsetting people on the internet; responding or complaining online feeds them. Instead of venting online, talk to a friend or family member you trust about your frustration or anger.
Get some exercise, spend time with friends or loved ones, get out in nature, take care of yourself—eat well, drink water, and meditate to let the anger go. If it gets really stressful, seek the help of a professional.
Shut Them Out Unfriend, block, mute, and report trolls. Most systems have ways to block and report unsavory behavior—Twitter, YouTube, and Facebook, for example, all have block and reporting capabilities.
Give No Comment If you are posting an article or blog post that you think will be controversial, turn off comments. If a troll is responding to a blog post on your site or a Facebook post you started, you should feel free to turn off commenting midstream or to just delete the offending comment.
Disappear from Sight As a last-ditch option, consider creating a new identity for the forum or site on which you have been trolled.
DOXXING Short for “documenting,” doxxing is when your personal information, such as your legal name, your address, phone number, email address, or other data is posted online—along with an open invitation for others to harass you. If people know your name and address, they can take harassment offline and it can get violent.
Making prank calls to law enforcement about a false threat associated with a target’s home is called “swatting.” The goal here is to have armed police show up aiming guns at innocent people.
These techniques exploded during the alt-right media coverage of the 2016 election. And to think that this all started out with a jilted lover wanting revenge on his ex when he was ditched.
STAYING UNDER THE RADAR Do you know if your personal information—like your full legal name and your home address—is available online? Many sites have made a business model of making this kind of information public. Others are looking to make it easy to create family trees.
And on some sites, your information comes up with a simple search. Recently passed laws, however, require these sites to remove you from their databases if you request to opt out.
Of course, there are companies, such as DeleteMe, looking to make a profit by doing this automatically for you. The reason you might want to remove your data from these databases is that this is where trolls get the information to doxx you and bring online harassment offline. Make it harder for trolls to find your information by removing as much of it as you can now.
MEET YOUR INNER TROLL
Everyone has a little bit of a dark side, and trolling can bring out the worst in our natures. Here are some of the personality factors that make a troll.
WHAT MAKES A TROLL? Just as there will always be some unpleasant or troublesome people in society, ultimately the same is true on the internet.
Trolling is unlikely to ever truly go away until humanity itself changes. A combination of distance, anonymity, and opportunity is a temptation that can sometimes bring out the worst in others, giving rise to their inner troll.
But there may be a higher predisposition in some people. Psychological studies on sociopathy and antisocial behavior have presented the concept of the dark triad, a combination of three personality characteristics, that when combined, paint a dark picture of a malevolent individual.
The nefarious traits that are referred to by the dark triad are Machiavellianism, narcissistic behavior, and psychopathy, which, when combined, create a personality that has low empathy, a thrill-seeking nature, enjoys manipulating other people, and is focused on ego gratification.
If you compare this to the activities of trolls—causing distress, doing it for the lulz, seeing victims as their source of entertainment, and “operations”—you can see how trolls fit this description. Given the opportunity, anyone has the potential to be a troll—but there are some people who may be born for it.
Remember the Good All this talk of trolls, vigilantes, 4chan, Anonymous, and Gamergate can, of course, paint a bleak picture that the internet is a foreboding place filled with potentially hostile figures waiting to bully or harass you for their own entertainment. But you should still keep in mind that there are also a lot of good people doing good things on the internet.
By taking measures to avoid becoming a victim of trolling—and not becoming a troll yourself—you can guarantee that there will always be more good people than bad on the internet.—Heather Vescent
Don’t let your internet experience be ruined by a bunch of creepy kids and sad puppies. Here’s how to avoid trolls or, if the worst happens, deal with them deftly.
Block, mute, hide and unsubscribe from troublemakers.
Stay away from the comments section below online articles.
Step away from social media if you start getting too worked up.
Don’t take even the worst attacks personally.
Lock down the privacy settings on all social media.
Use two-factor authentication for all accounts.
Ask site admins if comments are moderated and stay away from any sites where they’re not.
Only post under a pseudonym; don’t use your real name for any social media or forums.
Create an email account you only use for social media (or other high-risk functions, such as online dating or gaming). Make the name nothing like your own and don’t link it to anything else.
Document online harassment and take it to the police.
GOOD TO KNOW
DOING TROLLING RIGHT We can’t, in all good conscience, actually tell you to go out there and troll others when you get bored. But we do know there are some people who can’t resist the urge. You should really know what you’re getting into if you’re going to let your inner troll out. If you’re going to troll, do so with class.
Use wit and refined thought as much as possible to point out the issue you’ve taken exception to. Pick a proper target—this means, as they say in comedy circles, “punching up.”
Choose an organization that has been problematic or harmful to innocent victims rather than belittling someone smaller and weaker (“punching down”). And always, always, be prepared for the backlash. People out there will eventually decide they don’t like how you’ve expressed yourself. Hey, we never said trolling was easy.
WIKILEAKS AND WHISTLEBLOWERS
The internet allows all sorts of operatives and opportunists to get access to treasure troves of data that would have been unimaginable back in the days of Watergate, when actual burglars had to break into a bricks-and-mortar hotel to lift a few measly documents. These days, millions of pages of classified records can be liberated with a little stealth and skill.
This means that it’s easier than ever for legitimate government agencies (or of course jack-booted thugs, depending on your perspective) to obtain all kinds of information from voice and written communications surveillance.
This type of intelligence gathering traditionally falls into the realm of what is known as signals intelligence, or SIGINT. Our national intelligence agencies concerned with the capture and analysis of SIGINT have never had such an advantage, and they have risen to the task.
The flip side? What’s good for the goose has turned out to be far better for the gander who wants to steal that SIGINT. This affects governments trying to protect information as well as businesses that are vulnerable to corporate and industrial espionage. Ultimately, “Information wants to be free,” as the saying goes… but at what price?
THE SECURITY TRIAD The guiding principle of the security field is that you need three factors to ensure a secure system. Confidentiality You simply must know that data stored on your system is protected against unintended or unauthorized access.
That certainty is immensely complex to implement since, for example, Chelsea Manning was authorized to access—but not to copy and share—files.
Integrity The data’s consistency, accuracy, and trustworthiness must be maintained over its entire life cycle, with contingencies for human error, server crashes, and viruses.
Availability The best data in the world is useless if you can’t consistently and reliably access it, no matter what technology you’re using.
WIKILEAKS AND SIMILAR SITES In the last several years, mentions of WikiLeaks and other associated websites and individuals have become more and more prevalent in media and conversations about security. But some people may still be a bit fuzzy on just who they are and what they do.
What Are They? WikiLeaks—as well as its wiser, more mature, and, from a policy perspective, more lastingly impactful older brother, Cryptome (as well as thousands of similar sites that have sprung up around the world from time to time)—provide varying levels of anonymity to those willing to disclose to the public information or data that they feel is of interest.
This information can range from government documents (such as intelligence reports, diplomatic communiqués, program outlines, and planning descriptions), to insider stock trading records.
Other examples include logs of computer network breaches, inside corporate policy documents not intended for public consumption (for example, internal pricing or policies on pharmaceutical distribution), customer records, naked photographs of celebrities, and anything else considered interesting or titillating.
Why Do They Exist? Reporters, muckrakers, short-sellers, investigators, opposition researchers, and suspicious spouses have always looked to insiders for these kinds of disclosures. The internet has simply made them easier to find.
What’s Useful About Them? It can be argued quite well—and I do argue it—that our founding fathers had a hearty and healthy distrust of government, and they empowered the people to foment regularly this distrust through a vigorous and free press.
If you believe that assertion, then you simply must believe that anything that empowers such a free press is, by definition, “useful.” Regardless of your position on Edward Snowden, WikiLeaks, Chelsea Manning, or Daniel Ellsberg, that they are a part of public debate and discourse is ultimately better than if they were not.
What’s the Downside? It is my personal belief that the kind of leaks inspired by Julian Assange—and committed by Chelsea Manning and especially by Edward Snowden—ultimately do more harm than good.
When leaking is relatively easy (provided of course you have the access and the know-how), the kinds of thought and agonizing put into “what to leak” and “whether to leak it” exhibited by an Ellsberg or a Russo give way to the immediacy and the instant global celebrity attendant with the act of leaking, as we saw with the way Snowden gathered and disseminated some potentially deadly intelligence.
SURVEILLANCE AND SECURITY
Snowden leaked as many as 1.7 million documents on a wide range of NSA operations, far more than we could ever describe here. Just as a small sampling, here are 10 notable things we learned that the NSA did.
EDWARD SNOWDEN A former CIA employee, Edward Snowden rose to prominence in the public eye when, during his time as a contractor for the National Security Agency (NSA), he leaked over a million classified U.S. government documents to journalists.
In June 2013, the U.S. Department of Justice charged him with espionage and theft of government property. He subsequently fled to Russia, where he has currently been given asylum until 2020.
Snowden has claimed that he leaked the classified documents because he felt their contents were unconstitutional and that he had become disillusioned with his government.
As he has become a subject of much heated debate in security circles and the media, Snowden has been hailed as a hero and a patriot by some and reviled as a dissident and traitor by others.
The hardest thing to do on a network is classify data. Humans tend to overclassify data, and it’s particularly difficult to classify information that is already on the network after it’s there (ex post facto classification), as opposed to classifying data that is being newly created.
As we said, Snowden was a systems administrator, so by the nature of his job, he would have had extensive access across the network; getting access to the data was fairly trivial for him at that point.
Getting the Goods The actual difficulty would have been getting the data out of the building. On TS/SCI systems, all removable media capabilities (like USB, CD, and DVD) are disabled, so there is no means for regular people to get information off the systems. There is an exception, though, for systems administrators.
Within a sysadmin shop, there are typically one or two systems that have the ability to write CDs or take a USB drive. Sometimes, there are completely legitimate reasons why one would have to transport data between non-networked systems.
For Snowden, the theft was not rocket science but a matter of abusing his trusted position.
Two things could have been implemented but weren’t (and probably are now) to stop this: better internal data segmentation and two-person integrity controls (TPI) for systems administrators who want to use removable media—think of nuclear keys and you get the idea. It’s a pain in the ass and it’s inelegant, but it does work.
The fact is, getting that kind of access, despite how easy it may have looked, wasn’t easy. It may have taken him five minutes to steal the data, but it took him years to know which data to steal and to be placed in the position that enabled him to steal it.
GOOD TO KNOW
BAD PRACTICE It’s easy to look at the glamorous, freedom-loving aspect of whistleblowing without seeing the potential dark side or unintended consequences.
In addition to facts and figures, Snowden’s leaked documents also revealed the methods and capabilities of programs used by multiple governments to monitor covert communications on the internet—including methods to monitor those involved in child sex trafficking.
Once these programs were revealed, these kidnapping, slaving criminals changed their tactics, forcing international law enforcement to find new ways to intercept and decode these transmissions. On that basis, forgive me if I don’t refer to Snowden as a hero.
BLOWING A WHISTLE Not all informants are created equally. A “whistleblower” and a “leaker” are actually two separate types of individuals.
In the case of the former, these are typically dutiful people who happen to discover something that is illegal or unethical, and then try to report the problem through the proper internal mechanisms; when they fail or are unable to do so (there can be a variety of reasons for failing), they report the wrongdoing to an external source but limit their reporting to only what has gone wrong.
A leaker, meanwhile, can be considered someone who, whether out of carelessness or a desire to seek fame, avoids or ignores the standard channels followed by a whistleblower and instead disseminates the information in a less conscientious fashion, without making much effort to do so discreetly or with regard to the repercussions.
JULIAN ASSANGE AND WIKILEAKS Australian-born journalist and publisher Julian Assange is the co-creator and director of WikiLeaks, which publishes leaked sensitive documents. WikiLeaks has existed since 2006 but came into prominence as a result of the documents leaked by Chelsea Manning. By 2015, WikiLeaks had published more than ten million of what Assange describes as “the world’s most persecuted documents.”
As with other key players, Assange has been called a hero, a traitor, and an opportunist. In 2010, Assange visited Sweden, where he became the subject of sexual assault allegations.
He was allowed to leave, but later Sweden asked for him to be extradited. He has spent the last several years living in the Ecuadorian embassy in London. In 2017, WikiLeaks published a trove of CIA hacking documents said to be the largest ever.
WHY AND HOW INFORMATION GETS OUT One key difference between a Daniel Ellsberg, an Edward Snowden, and a Julian Assange is that Snowden and the like are individual actors, whereas Assange’s WikiLeaks is a clearinghouse—a brokerage of information if you will. And thus, their methods, their motives, and their reception by media and security experts vary.
Snowden’s Motivation As an individual operator, Snowden’s claims as to why he did what he did are quite divisive. One side sees a freedom fighter: a man truly dedicated to the idea that his government had run amok, conducting mass surveillance of literally every adult in the United States and Europe through extensive monitoring of a wide range of technologies.
Your personal beliefs about Snowden probably depend a lot on what you do for a living, whether you’ve served in the military and your general political stance. And the “truth” probably lies in the middle.
From what we have seen, there appear to have been some terrible abuses in the U.S. system of checks and balances, especially when it comes to the Foreign Intelligence Surveillance Act of 1978 and its court.
Many of the programs were described to the world by journalists who admittedly knew nothing of intelligence, surveillance, or even encryption before Snowden quite literally dropped the materials into their hands (saying, cynically, that as journalists they would know best how to release the information).
Assange and the Profit Motive Where Snowden might claim to be inspired by Ellsberg, Assange sought to influence and provoke leaks by people like Chelsea Manning.
In that sense, Assange’s WikiLeaks behaves in a manner that is similar to an intelligence service: Assange and his associates act as officers, who seek agents in various positions of authority in governmental office to provide them with intelligence.
The agents may turn over the intelligence for a range of reasons that they believe justify their actions, which may be anything from misplaced patriotism to revenge to idealism (WikiLeaks is not known to pay for leaks).
Depending on your viewpoint, this may be “better” or “worse” than traditional espionage, but espionage it is.
Chelsea Manning’s turning over of the documents that would ultimately make up the trove of diplomatic cables released by WikiLeaks presented the United States with a situation in which the entire world became privy in one fell swoop to the most intimate minutiae of its diplomatic communications—petty, trivial, damning, controversial, telling.
It was an intelligence bonanza for any nation intent on understanding how the United States does this kind of thing.
INTELLIGENCE AND DATA COLLECTION For all the glamour that spy movies give it, intelligence is simply data that has been collected and then analyzed for a purpose.
If you hide your lingerie in the top drawer of your dresser, and your child says that he’s seen your sexy lingerie, you can conclude that your child has been in the top drawer of your dresser.
There’s certain intelligence in both WikiLeaks and in the stolen Snowden documents from which a foreign intelligence service can deduce or otherwise conclude our sources and methods. By giving adversaries insight into these, Snowden allowed them to close pathways of information collection.
If they can conclude the sources, the sources are endangered. Arguably, others must presumably be placed at risk in order to establish new means of collections.
WHY IS IT SO HARD TO PROTECT INFORMATION? Data classification is highly complex, and because it is contextual, machines just aren’t any good at it.
Technical Issues Data theft prevention technology, which the industry refers to as data loss prevention (DLP), is fairly complex, but it’s still very rudimentary in terms of intelligence. DLP is best at strings of defined lengths—credit card, social security, and account numbers are easiest to detect. But even within those, we have tremendous variation.
For example, consider how you write phone numbers: 888/235-1212; 888-235-1212; 888.235.1212; (888)235-1212; (888) 235-1212; 888) 235-1212. These are all ways of writing the same thing.
Now do it with words. How do you compare all these variants in real time, as someone’s trying to send an email and you’re trying to scan it and determine whether it contains something sensitive before it goes out the door?
Well, the trick is to buffer everything, truncate and stem all the words and phrases, remove all the extraneous characters, then hash everything, then compare hashes. It’s faster. This can be done in an amazingly small amount of time. But it’s still nowhere near foolproof; what if the file is encrypted?
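The normalize, stem, truncate, hash, and compare sequence described above, as an added Python sketch (not code from the original article or from any DLP product). The suffix list, eight-character truncation, four-token window, 0.5 threshold, and all sample documents and messages are assumptions constructed for illustration; the phone number variants are the ones listed in the text.

```python
import hashlib
import re

# Crude suffix stripping; a stand-in (assumption) for a real stemmer.
SUFFIXES = ("ing", "ed", "es", "s", "e")
TRUNCATE = 8   # keep at most 8 characters of each stemmed token (assumption)
WINDOW = 4     # tokens per hashed shingle (assumption)


def stem(word):
    """Strip the first matching suffix, leaving at least 3 characters."""
    for suffix in SUFFIXES:
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)]
    return word


def tokens(text):
    """Lowercase, drop every non-alphanumeric character, stem, truncate."""
    return [stem(w)[:TRUNCATE] for w in re.findall(r"[a-z0-9]+", text.lower())]


def fingerprints(text):
    """Hash every run of WINDOW normalized tokens (the whole text if shorter)."""
    toks = tokens(text)
    if not toks:
        return set()
    if len(toks) < WINDOW:
        shingles = [" ".join(toks)]
    else:
        shingles = [" ".join(toks[i:i + WINDOW])
                    for i in range(len(toks) - WINDOW + 1)]
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles}


def build_index(documents):
    """Precompute fingerprints for each protected document, ahead of time."""
    return {doc_id: fingerprints(body) for doc_id, body in documents.items()}


def scan(message, index, threshold=0.5):
    """Return (doc_id, coverage) for protected documents found in a message.

    coverage is the fraction of the document's hashes present in the message.
    """
    msg_fp = fingerprints(message)
    hits = []
    for doc_id, doc_fp in index.items():
        if not doc_fp:
            continue
        coverage = len(doc_fp & msg_fp) / len(doc_fp)
        if coverage >= threshold:
            hits.append((doc_id, round(coverage, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


# The six ways of writing one phone number listed in the text.
PHONE_VARIANTS = ["888/235-1212", "888-235-1212", "888.235.1212",
                  "(888)235-1212", "(888) 235-1212", "888) 235-1212"]

# Constructed sample data: one protected document and three outgoing messages.
PROTECTED = {
    "pricing-memo": "Project Falcon pricing: tier-one distributors receive "
                    "a 42% discount on all cardiac devices starting Q3.",
}
INDEX = build_index(PROTECTED)

# Same content with different case, punctuation, and word endings.
LEAK_EMAIL = ("fyi: PROJECT FALCON pricing -- Tier One distributor receives "
              "a 42% discount on all cardiac device, starting Q3!!")
BENIGN_EMAIL = ("Lunch is at noon on Friday; the cardiac unit team is "
                "starting a new rota.")
# Opaque text standing in for an encrypted copy of the memo: nothing in it
# survives normalization, so no fingerprint can match.
OPAQUE_COPY = hashlib.sha256(PROTECTED["pricing-memo"].encode()).hexdigest()

if __name__ == "__main__":
    distinct = {frozenset(fingerprints(p)) for p in PHONE_VARIANTS}
    print("distinct phone fingerprints:", len(distinct))
    for name, msg in [("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL),
                      ("opaque", OPAQUE_COPY)]:
        print(name, scan(msg, INDEX))
```

The opaque case is the limit the text raises: content that does not survive normalization produces no matching hashes, so fingerprinting has to be paired with the access and removable-media controls discussed in this section.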
The Enemy Within What if, as we’ve just discussed, the data thief is your system administrator?
The fact is, catching data thieves is very hard unless you’ve classified it all very well in advance, limited access to it, removed the removable media options and limited the ways to get data off your network. For most companies, that’s not commercially feasible.
Bottom line? Data classification is very difficult. Businesses should pay close attention to how they classify and provide access to important data, and how people can get access to it. And data theft is incredibly hard to stop.
What do government security and international espionage have to do with you? The lessons learned here are more helpful than you might think.
Classify your data in two categories: public and private. Make sure to keep those records separate!
Treat employees well. This is always a good idea, but particularly relevant if potentially disgruntled workers have access to classified information.
Encrypt your private data whenever you email it and wherever you store it. And be incredibly careful about who has the keys.
Destroy all data you don’t need, regularly.
Use DLP software to detect data leaving your business.
Go beyond the basics and classify documents and emails to understand when sensitive information may be leaving your network, and then speak with or take punitive action against employees who break your policies.
INTERNATIONAL CYBER SECURITY
We close this blog by taking a look at cybersecurity on a global scale. Know who’s already doing that? Every government on Earth, and each has been at it for a very long time. Nation-states consider “cyber” to be a key area of operations. It’s where they communicate, spy, command, and control—and sometimes, where they attack.
Cyberspying against the United States became so problematic by 2011 that the military changed its policy on cyber attacks to “equivalency”— essentially, online attacks are now viewed just like physical ones. An unnamed military source told the Wall Street Journal that “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
It was a clear warning to Chinese and Russian hackers, the latter of whom had recently used cyberattacks to turn off the lights in Estonia, and then again in Georgia, as precursors to invasion.
Nations have a number of ways to rattle their cyber sabers. At the low end of aggression is intellectual-property theft and piracy. At the high end is the notion of crashing another nation’s infrastructure or hacking its military. And what about non-nation-states doing such things? Could a teenage hacker really start a world war?
TRADE SECRETS Intellectual property, or IP, is how businesses turn ideas into money—maybe a new fabrication process or the ingredients that make up their secret sauce. Here are key things companies keep in their IP portfolios.
Business Processes A closely guarded list of materials used to make products.
Bill of Materials A list of the materials used to make products, closely guarded by manufacturers.
Software Firmware and apps are included. This is the core of many firms’ IP portfolios and what makes a hunk of plastic into a beloved consumer electronic device.
Road Map The list of product features and functions that a company plans to introduce.
R&D The research and development of new products and features.
STEALING OUR GOOD STUFF So, what is intellectual property (IP) anyway? The legal definition is “creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names, and images used in commerce.”
The term covers everything from art and music to apps and code. Theft of IP isn’t super glamorous, so most cases, even multibillion-dollar ones, don’t make the news outside of the business pages.
The U.S. government recently estimated that cyber theft of intellectual property costs the economy $300 billion USD a year. If you find yourself wondering why cyber espionage is so prevalent, it’s simple: It is substantially cheaper and faster to steal stuff than it is to build it from scratch.
“The only adversary one needs to worry about,” says David Etue, from cybersecurity firm Rapid7, “is the one who figures out that he can steal for $2 million what it takes you $2 billion to research and develop.”
Etue is right. It’s much easier for foreign government-controlled companies to simply steal their way to success than it is to build it through R&D.
Industrial Espionage It’s not just commercial IP that gets ripped off. Drug trials, oil and fuel formulations, and other industrial secrets are in great demand. And it’s not just the Chinese and the Russians doing the dirty work.
Industrial espionage is top of the pops in France, as well as in many other nations. What a lot of people may not realize is that, to China and Russia, commercial adversaries count as targets for government espionage.
Chinese and Russian companies are often owned by the government, so interference from government or military hacking groups against American competitors is seen not as business chicanery but as a matter of national security.
It’s not about the money, per se. It’s about securing the future— especially in the realms of critical infrastructure, energy, medicine, and finance. It’s business as usual.
THE COST OF CYBER THEFT
The thing about IP is that it frequently forms the core of a company’s identity. A stolen computer can be replaced, stolen money can be recouped. A cyber breach of this kind is more like identity theft on a grand scale, and the real and intangible costs can be staggering.
VISIBLE COSTS OF IP THEFT
Need to Notify Customers
Monitoring Customer Security Post-Breach
Regulatory Compliance Issues
PR to Combat Negative Publicity
Upgrade Cyber Security & Training
Lawyers’ Fees, Other Legal Costs
HIDDEN COSTS OF IP THEFT
High Insurance Premiums
Lower Credit Rating
Lost Productivity & Low Morale
Loss of Potential Future Business
Reputation and Value of Brand Suffer
R&D Time and Investment Wasted
National Security That’s why, when the United States began shouting its protestations about Russian involvement in the 2016 hack of the Democratic National Committee, none other than Shawn Henry—the former assistant executive director of the FBI, for which he had largely established its cyber practice and the man who led the investigation into the DNC hack for CrowdStrike—spoke out in the press about it in no uncertain terms:
“It’s the job of every foreign intelligence service to collect intelligence against their adversaries,” he told the Washington Post. For the Chinese and Russians, commercial secrets and commercial organizations are considered legitimate nation-state adversaries.
SECURITY BASIC BORDER SECURITY
A relatively new concern in 2017 was searches of electronic devices by U.S. Customs and Border Protection. The law allows these searches, but they are still rare—in 2016, there were 390 million crossings and 24,000 searches.
Still, if you don’t want Uncle Sam plowing through your hard drive, power down devices fully before crossing borders (cold boot security is often stronger than when merely suspended or locked) and minimize the amount and sensitivity of data and equipment you transport across borders.
Be aware that citizens cannot be denied entry but can be detained briefly for questioning. Under no circumstances should you lie to CBP officials. If they request or demand a password, it is your right to refuse to comply, but equipment can still be detained for weeks or months. If this happens, you should consider legal assistance. —Ryan Lackey, Founder, Reset Security
ZERO-DAY Security researchers seek out vulnerabilities in code. When they find one, they have several courses of action. If they work for a government spy agency or a criminal gang, they may choose to create code that can exploit the vulnerability they have found. This weaponized code, before it is disclosed to anyone else, is called a “zero-day.”
The name comes from the amount of time, in days, from when the vulnerability becomes known until the maker of the software can fix the problem. On day zero (which is actually the first day—as computers always count everything starting from zero), the weapon is active.
The ethics of selling zero-days is debatable. Companies that sell them to governments argue that, so long as the transaction is legal, the ethics are beside the point. Critics say that governments can use zero-days to attack and monitor dissidents. It’s a tough call.
INFRASTRUCTURE ATTACKS In March of 2007, researchers at Idaho National Laboratory sent a test cyberattack to breakers that protected a 2.25-megawatt diesel-powered generator. Within a minute, the generator, weighing tons, literally jumped in the air, began to smoke, and was destroyed.
Official video of this attack—considered the first public demonstration of a successful cyber attack on critical infrastructure—was leaked to CNN.
The “Aurora Vulnerability,” as it was called, was shocking for its simplicity, and cybersecurity experts began pointing out that America’s supervisory control and data acquisition (SCADA) networks and industrial control system (ICS) networks are aged, fragile, overwhelmingly small, and privately owned—so this problem is not something that the U.S. government can simply order fixed.
Ultimately, if a local power department decides not to invest $3,000 USD in patch management, that’s a private business decision that the government can’t overrule, absent clear threat and a court order.
The media became fascinated by attacks on SCADA and ICS, seeing every shutdown as a potential hack. Several attacks on critical infrastructure have happened, and each has been denied vocally by some.
In 2009, widespread power outages in Brazil were reportedly caused by hackers; experts reported that it was soot, not hackers. Senior U.S. officials countered “nuh-uh,” and it’s never been settled.
Russian Aggressions No such uncertainty exists when it comes to Russian tactics: the Russian government mounted cyber attacks in the form of website takedowns, DNS attacks, and ultimately the complete blackout of Georgian internet traffic, which served as a precursor to the invasion in 2008.
This tactic has become standard for Russia, which rather openly cyber-attacked the Ukrainian power grid in 2016, shutting down more than fifty power substations.
No matter the time of year, criminals, activists, and others are busy with cyber attacks and other operations.
What’s at Risk? The scary news is that the SCADA systems in control of the nation’s power are not any worse off than the systems that protect water, sewage, or other critical infrastructures, such as oil and gas.
The good news is that, over the past few years, the federal government, along with the North American Electric Reliability Corporation and other groups, has been focusing intensely on SCADA and ICS issues.
The problems are not yet solved, but we are marginally more aware than we were a few years ago. That said, attacks have indeed been weaponized, and more things are connected to the internet than ever before (even though they shouldn’t be), so it all may be a wash.
GOOD TO KNOW
According to a 2016 report, this practice opens them to malicious hacks and espionage. In the report, researchers from security firm Trend Micro collected more than fifty-four million pages during a four-month span using low-cost hardware.
In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. According to the report, “These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations….
Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages.
Though we are not well versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information.”
Your mobile device’s signal and data could be intercepted mid-transmission, and you might never know it.
Mobile Privacy Today During the past handful of years, the privacy community has begun to seriously question how good law enforcement really is at intercepting cellular signals and harvesting mobile phone data. The equipment for doing this sort of thing has been available to federal agencies and to some larger law enforcement agencies for several years by now.
Technical advances have brought the costs down, while increased reliance on smartphones by individuals has increased the bang for the buck these products can provide, so more agencies are using them. These include tools called IMSI-catchers, which we’ve discussed briefly earlier in this blog.
IMSI stands for “international mobile subscriber identity”—that is, the unique identification number tagged to each mobile phone, which allows a cellular network to distinguish each user from another. An IMSI-catcher works as a man-in-the-middle platform for eavesdropping on phones on the GSM (global system for mobile) network.
Essentially, IMSI-catchers are portable base stations that can simulate a powerful cellular phone signal tower so that your phone, which always seeks out the most powerful signal within range, associates itself with it.
Once that happens, the IMSI-catcher will intercept your signal before passing it on to a real tower (so that your call still does go through), but it captures everything that both sides say all the while—and you probably won’t even notice.
Spying on the Airwaves Think IMSI-catchers are the only thing you need to worry about if you want to avoid being eavesdropped on? Unfortunately, that’s far from the case.
The emergence of 4G LTE (long-term evolution) networking addressed some of these privacy issues, but in 2015, researchers released information about kits that run about $1,200 USD and allow anyone who has a laptop, a universal software radio peripheral (USRP), and the proper software to intercept and locate 4G LTE traffic.
As these tools to interact with increasingly smarter phones become less expensive and more commonly available, and as we rely more on our mobile devices for everything, we can expect even more attacks on cellular phones and mobile networks using this vector.
BURN, BABY, BURN A number of apps out there let you create a new, anonymous, and theoretically untraceable phone number that you can use from your mobile.
These are helpful even if you’re not engaging in international espionage. They’re great for talking to potential dates, selling things on Craigslist, or in a dangerous situation where someone like an abusive spouse or parent is monitoring your calls. Here are some popular options:
Burner One of the best and easiest-to-use apps, but it only works in the United States and Canada.
Hushed Works in forty countries over VoIP, so it will cut into your data plan if you use your cellular internet connection.
CoverMe This app has numbers that appear to originate from the United States, Canada, UK, China, and Mexico.
We won’t hear anything useful about SIGINT being gathered today (unless it’s being proffered as a justification for military actions or economic sanctions), because our intelligence agencies focusing on that (mainly the National Security Agency) are incredibly good at not saying things. But we do understand from a few peeks inside how chatter is used by professionals to track terror groups.
Typically, the IB Cyber Unit focuses on detection and investigation of radicalization and various threats as they pertain to New York City. In a nutshell, the team focuses on the enormous pile of people saying stuff that sounds radical, separating out people who are just spouting off or exercising free speech from those truly thinking about radicalization, then investigating and separating the curious from those with true intent.
WHO’S BEING ATTACKED?
As one might expect, the vast majority of cyber attacks are launched at the USA, but many other nations fall victim as well.
YOU ARE FOR SALE In 2017, the U.S. Congress approved measures to roll back privacy laws, allowing ISPs to access and sell data about their consumers’ browsing histories to advertisers and other third parties.
This means that there will be more general access to the specifics of every darn page that you visit (yep, even those ones) than ever before. Because of this, using your own domain name server and anonymizing traffic is very important.
CYBERTERRORISM In the last five years, many of the cyber-attack tools that were once used exclusively by nation-states have become easier to obtain, meaning that they can now also be used by criminal gangs and—at least in theory—terror groups as well.
But buying a great piano really cheap doesn’t mean you can suddenly play Chopin. The money and training that go into a cyber operation are the true barrier to entry.
During the 2016 election, hacking by Russia caused tremendous disruption in the United States. We now know that during the six- to nine-month gestation period after the Russians gained entry to the network of the Democratic National Committee, but before they began to release email publicly, their activities consisted mainly of lateral movement within the network.
During that time, the attackers engaged in rather routine but essential activities of a long-term network reconnaissance operation, including data classification and location. The hackers were answering the questions: What does the DNC have? Where do they keep it? How do they use it? How do they access it?
Basically, they were learning the answer to “What does ‘normal’ look like in this organization?” All this showed one important difference between a nation-state attack and those mounted by terror groups: tradecraft.
Art and Craft Tradecraft is the techniques, methods, and tools that together form the art of spying, and it’s not something that comes easily. It takes years of experience, lots of money, and great leadership and training.
Mostly, when we look at terror groups, we see them spending what money and leadership and training resources they have not on tradecraft but on material and logistics for attack: moving men, guns, and bombs across distances; getting them training; smuggling them across borders; and mounting attacks.
Hackers Are Everywhere The barriers to terrorists being able to launch a cyber attack are getting lower. When we look at the troubles that groups like Anonymous and LulzSec have caused law enforcement and other government groups, the disruption was significant.
Their success was based on a commonly agreed-upon mission, decentralized command and control, and the availability of free, easy-to-use, and easy-to-learn hacking and attack tools.
This sounds like the basis of a classic terrorist attack, and it can be used by groups such as ISIS once the cyberweaponry they would need has been simplified to the point that it’s easily adopted by groups with minimal resources. It just takes a small group of radicalized, computer-literate believers to tip these scales.
Protecting your data when you travel is fairly easy. Stopping a global cyber war—not so much. Still, there are always ways to be prepared.
Protect your IP online and when traveling.
Encrypt all products and IP-related communications.
Use purpose-built devices for cross-border travel.
Maintain minimal mobile mail settings (no one needs more than thirty days of email on their phone at this point).
Minimize data sets provided to business partners.
Audit partners’ security as you would your own.
Prepare for an infrastructure attack.
Get off the electric grid with solar power.
Prepare to have an interruption in your water supply.
Use different strong passwords for every login (website, desktop programs, phone apps).
Use a password vault program.
Password-protect and disable remote management on your modem, router, and any other Internet-connected devices using unique passwords.
Password-protect home Wi-Fi and encrypt with WPA2-PSK at a minimum—never WEP.
Never share your login information with anyone.
Don’t click on suspicious links or download unexpected files.
If anything you’re offered online seems too good to be true, it is.
Never give private information out over email or text. Always call the bank, utility, or service that’s ostensibly asking for your information.
If you lose your wallet, report missing cards immediately. Carry the minimum set of cards, and never your Social Security card.
Set all social media privacy settings as high (private) as possible.
Monitor kids’ social media usage, and talk to them about online sharing and safety.
Use a minimum of 8-digit screen lock codes (not fingerprint or face recognition) on all mobile devices.
Encrypt your phone.
Always use two-factor authentication (2FA) when possible.
Don’t get your children Social Security cards if possible.
Check your credit report regularly; do so for all family members including kids.
File a police report after fraud of any amount.
Only use CHIP-and-signature cards (or CHIP+PIN where available).
Only use the internet in incognito mode.
Never use public Wi-Fi without a VPN or SSH tunnel.
Restrict and lock down your home network, starting with DNS.
Install GPS tracking apps on kids’ phones.
Limit location services and Wi-Fi use on your phone.
Ensure the minimum metadata is saved with all photos.
Only use credit cards that offer fraud and identity protection.
Maintain minimal mobile mail settings.
TINFOIL HAT BRIGADE
Eschew electronic communication wherever possible.
File your taxes the old-fashioned way: on paper.
Don’t use banking apps on your phone.
Don’t shop online except through guest accounts and one-time credit cards.
Don’t shop at stores with older, swipe-only (non-Chip) POS terminals.
Post online only under anonymous usernames; change them frequently.
Lock down all social media accounts to private; ensure your children have done the same.
Cover all computer webcams and microphones with electrical tape; remove cameras and microphones from mobile devices if you can.
Use spyware to track all of your children’s online activity.
Use a private LAN for kids’ computers, IoT devices, and TVs, and aggressively blacklist sites at the router.
Use encrypted DNS.
Regularly reflash your phone to factory settings.
Prepare for an infrastructure attack with off-the-grid self-sufficiency measures.
WHAT’S NEXT
NICK SELBY
We are approaching an inflection point, at which consumers begin to demand security as a fundamental consumer right. The next five years will be tumultuous, as companies and governments worldwide test the public’s commitment to this new reality: first, of course, with lip service and waving hands.
I am optimistic about the future, though. More people are encrypting their communications every day, and applications to help them do so are finally becoming user-friendly.
THE NEXT BIG THING(S)
Political upheaval and cyber activism will combine in a storm of new defections by government employees and contractors releasing more code and program and strategy depictions.
Foundationally insecure municipal, county, and state systems, as well as critical infrastructure, will be betrayed by attempts to provide app-based access-convenience to an IT fabric incapable of supporting it.
WHAT I’M EXCITED ABOUT
The disruption of transportation industries on Earth and in space, along with new autonomous and energy technologies, will create opportunities while providing more data than ever conceived about how we live, travel, and interact.
THINGS THAT WORRY ME
It still seems cheaper to build fast, get to market, and fix the bugs later. Several generations of medical technology—especially implantables—out there now were built that way, and vendors have shown they won’t fix problems unless forced to.
Until manufacturers truly adopt the idea that it’s cheaper and better to fix security during development, the speed of innovation will result in unsound and dangerous products.
THINGS THAT DON’T
Nation-states like Russia, China, France, and the United States hack. It’s how the world works. Intelligence services conduct intelligence operations. It’s their job, and it’s necessary. Yelling about it won’t help.
The world changed as we wrote this blog. Hacking attacks as part of information operations against our government, political institutions, and businesses didn’t just become mainstream knowledge, they became political footballs.
Bad security exposed not just credit cards, but the deepest secrets of the most powerful people and countries on Earth. All that stands between us and better cybersecurity is customers refusing to accept insecure code or apps. Vote with your money. Support secure applications.
As soon as people hear that I’m a futurist, they almost always ask for a few predictions. I’ll let you in on a little secret: No serious futurist makes predictions. The best thing about the future? It hasn’t happened yet. If you don’t like the present, you can actively work to improve the future.
Although I won’t make predictions, I certainly hope something in this blog changes your future. Maybe you’ll beef up your security settings or pause for a moment before blindly accepting cookies from that sketchy website.
THE NEXT BIG THING(S)
Get used to hacks and security breaches because they aren’t going away. The silver lining to these corporate freakouts? Security will improve and software will get better for everyone. Hackers will adapt and new breaches will happen on all-new technologies (especially watch IoT).
WHAT I’M EXCITED ABOUT
The Internet of dogs! Think, IoT + working dogs + dog-computer interfaces. Augmenting man’s best friend makes him even more powerful. Search and rescue dogs can work on a much higher level simply by adding sensors to their harnesses.
They can be taught to interface with their wearable technology, interacting with humans in a variety of environments. It might not be long before your dog can really engage you in the conversation!
THINGS THAT WORRY ME
Who owns the data we create every moment we spend online? Right now, it’s not us. As we continue to augment ourselves with technology and create online personas in walled gardens, we may forfeit ownership of our online identities.
THINGS THAT DON’T
Many of today’s problems seem new and insurmountable, but we will solve these problems just like we solved the problems that came before them.
For example, global cyberwar is a big problem today, but like all seemingly impossible situations, we’ll solve it. We’re living in the best and most exciting times, even if the natural byproduct of our innovations is a series of new problems.