Take Charge of Your Personal Cybersecurity in a World of Technology Risks
The world of technology is changing rapidly, and the COVID-19 pandemic accelerated the adoption of remote work, remote school, telehealth, and other technologies. With these new tools and devices come new risks and dangers. It’s essential to know what risks are out there so you can take charge of your personal cybersecurity.
See “Former FBI Agent Shares Cybercrime Trends with Eric O’Neill” for a complete transcript of the Easy Prey podcast episode.
Eric O’Neill is a security expert, speaker, and author who discusses espionage, national security, cybersecurity, fraud, corporate defense, and hacking. As a former FBI agent, he spent years working in counter-terrorism and counterintelligence, including many years undercover. He is also the founder of Georgetown Group, a premier investigative and security services firm.
Cybersecurity and Cyber Spies
Developing an Interest in Cybersecurity
Eric became interested in security and computer systems in the early days of computers. Back then, you bought the parts, built the system yourself, and adjusted the code on your own to make software work. When he bought his first video games as a teenager, nothing would run. Since everyone was building their own systems, game developers couldn’t test anything. Eric had to go to the game store, talk to the person there, and adjust the code himself to play the game.
He found coding and computers fascinating. That fascination led to him exploring how to break different aspects of a computer system and searching for the limits of what it could do. That was hacking in the early days. It wasn’t anything illegal, just learning how to make something stronger by learning how to break it.
That’s what we might have called a hacker back then. Not doing anything wrong or illegal, but just interested in not only how software works, but how you could make it stronger by learning how to break it. – Eric O’Neill
Using Cyber Knowledge to Catch a Spy
As an adult, Eric became an undercover operative for the FBI. He worked in counterintelligence (catching spies) and counter-terrorism. At one point, he spent five years fully undercover. He didn’t have a name in the FBI, just a codename.
In his final case with the FBI, Eric went directly undercover in the FBI headquarters, which had never been done before. His goal was to catch the legendary cyber spy known as Gray Suit, who was selling United States secrets, including nuclear secrets, to Russia. The FBI had a suspect in the information assurance section – the department that defended FBI computer systems. They wanted an undercover agent who both knew how to catch a spy and understood computers to investigate the suspect. They found Eric.
Eric finally caught Gray Suit red-handed. His real identity was Robert Philip Hanssen, a top FBI hacker who had spent 22 of his 25 years with the FBI selling secrets to Russia. It was Eric’s last case with the FBI, but it wasn’t the end of his cybersecurity passion. Eric now works as an attorney, national security strategist, and investigator, and spends a lot of time thinking (and talking) about why there are so many cyber attacks and how we can work towards national and personal cybersecurity.
How COVID-19 Affected Personal Cybersecurity
The COVID-19 pandemic accelerated the use of technology. It was likely that working from home, doing school online, telemedicine, and similar technologies were going to become a way of life. Software like Zoom and Microsoft Teams was around long before 2020. But when the World Health Organization declared COVID-19 a pandemic in March 2020, we needed the technology ready immediately.
Before the pandemic, most workplaces had an IT department that set up and managed security on their work computers. It was a mostly safe environment. With everyone unexpectedly working from home, suddenly people were working on personal phones, computers years out of date, and parking outside coffee shops to use public wifi. Companies who were resisting being “in the cloud” suddenly had to be because it was the only way for employees to communicate. There wasn’t time to build in the necessary security, and the rapid change created vulnerabilities that we’re still trying to manage.
Spies and cyber criminals have had a field day. – Eric O’Neill
Since March 2020, 81% of the global workforce has worked from home at one point. We were probably going to get to that point in ten to fifteen years, but all of a sudden we had to be there in one day. Nobody thought about remote worker cybersecurity or personal cybersecurity and nobody prepared for attackers. That partially explains why cyber attacks have quadrupled between 2019 and now.
Cybercrime to Watch Out For
The FBI’s IC3 (Internet Crime Complaint Center) has great statistics about cybercrime. Between 2017 and 2021, they saw 2.75 billion total complaints, with $18.7 billion in losses. In 2021, IC3 received 850,000 complaints reporting $6.9 billion in losses, a record high. It goes up year after year. Between 2019 and 2020, reports increased 69%.
The most-reported attack is business email compromise. Scammers, hackers, and spies are exploiting the fact that people are working from home and learning to work in a new way. They use Teams, Zoom, SMS messages, or email to get people to trust them. They often pretend to be a CEO or CFO and order the employee to wire money somewhere. Learning to detect phishing is an essential part of business and personal cybersecurity.
Traditional espionage in a new technological world … [is] using email as a way to compromise the trust of someone and get them to do something they otherwise wouldn’t do. – Eric O’Neill
There are benefits and drawbacks to a world where everything is done remotely, especially for businesses. When you don’t need to ensure a great candidate can move to your headquarters, your talent pool becomes the whole world. But the more you separate community in your company, the less people know who they work with. That makes it easier for a spy or scammer to convince an employee they’re actually a coworker who they can trust.
The Future of Cybercrime
As AI and deepfakes become more advanced, it will be even easier for a scammer to pull the “CEO hack.” They won’t need to send an email and hope you don’t look close enough to realize it’s not from your CEO. They could show up on a Zoom call or Teams meeting with a deepfake of your boss’s face and voice, tell you to wire money somewhere, and stay “live” on the call until you do it.
It will be essential for businesses to add safeguards against these attacks. Some companies require that three executives have to sign off on a wire transfer before it can happen. When Eric does trainings, he tells people to pick up the phone and call to confirm the email or message. If the CEO or CFO actually requested the transfer, great. If not, it’s time to get IT and the security department involved.
Even in personal cybersecurity, deepfakes are going to become a huge issue. They’re already getting people to trust things they shouldn’t, and the technology is still new. When they can use AI to deepfake real people and have them say whatever they want in real time, these scams are going to be even more successful.
Improve Your Personal Cybersecurity by Securing Your Accounts
Eric thinks two-factor authentication should be standard everywhere. There are so many data breaches happening that your passwords are probably already on the dark web somewhere. He thinks we may see a future where there are no passwords whatsoever. At this point, passwords are basically useless anyway.
The number one thing you can do to improve your personal cybersecurity is to turn on 2-factor authentication on everything. You can use an authenticator app or receive an SMS message. SMS isn’t perfect, but it’s far superior to just a password. If you look at the passwords that are exposed in breaches, the most common one is still Password1!.
If you’re logging into something and you’re not going into your authenticator app or getting that text to your phone to enter that code, you have no security on that account. Zero. – Eric O’Neill
Even if you come up with a fantastic password, it’s no guarantee of great personal cybersecurity. Say you use the first line of your favorite childhood book, backwards, with an exclamation point in the middle. Nobody will be able to guess that! But they don’t have to. You used it on an account you made to get a free ice cream after your tenth purchase and it was exposed in a data breach and put on the dark web. Attackers buy a thousand usernames and passwords off the dark web for about $3, access a personal account, use your name to find you on LinkedIn and find your company, and try to log into your company account with your name and the password from your personal account. About 75% of the time, that gets them in.
Critical Infrastructure Attacks
The method of using a compromised password to access a company account is how one of the biggest infrastructure hacks in the last few years happened. Attackers bought a password for a VPN account that a company had stopped using but didn’t delete. They got in and shut down Colonial Pipeline, the largest mover of gasoline from the West Coast to the East Coast in the United States. Colonial Pipeline had to pay a $4.4 million ransom to get access back.
In January, the FBI, National Security Agency (NSA), and Cybersecurity & Infrastructure Security Agency (CISA) got together to release a joint statement. These organizations don’t often come together, so when they do, take notice. They warned that Russian cyber spies are targeting US critical infrastructure and have managed to lurk there for a while before being found.
There are three different types of critical infrastructure attacks. The first is destructive attacks, which are just like they sound. The second is ransom attacks, like what happened to Colonial Pipeline. The third is probe attacks. The goal of these attacks is just to get into critical servers within critical infrastructure. They don’t do anything immediately, just have a presence there in case they want to cause a problem later.
Critical infrastructure isn’t just things like power and gasoline, either. Telecommunications, financial markets, and the food industry are also critical. Critical infrastructure is any sector that is essential for society to run smoothly. When critical infrastructure is hit, it causes chaos and makes companies more willing to pay ransoms.
Attackers are getting very clever at seeing that critical infrastructure isn’t just lights and power. Critical infrastructure are all those things we need to live as a society, that if we don’t have them, we’re thrown into chaos. – Eric O’Neill
Improve Your Personal Cybersecurity by Preparing for Critical Infrastructure Events
Eric and his wife recently put solar panels on the roof of their home. One of their goals was to be more environmentally friendly. But for Eric, it was also about becoming more independent from the grid. If a critical infrastructure attack happened to the power grid, his solar panels wouldn’t give him power all the time. But he would have more than people who just got kicked off the grid.
Part of having good personal cybersecurity – and personal security in general – is understanding what could happen and being prepared. Have water in your home. Know what to do in case of an emergency. Even if you never have to deal with a critical infrastructure attack, it’s never a bad thing to be prepared for an emergency.
Crisis preparedness is good for anyone, no matter where you are. – Eric O’Neill
The Personal Cybersecurity Risks of New Technology
New technology comes with many new possibilities, but also many new risks. Eric personally is concerned about internet-connected devices in general (the Internet of Things, or IoT), but especially internet-connected cars. A self-driving car could potentially be hijacked remotely. When you create a connection to the internet, it’s open to the world. You’ve created a way in for hackers. It might be hard for them to get there, but there’s always a way in.
Another risk is internet-enabled medical devices like pacemakers. The connection is supposed to make it easier for your doctor or other people in your household to monitor and manage your health. Parkinson’s patients, for example, can have electrodes implanted in their brain to help combat “freezing” episodes. These electrodes are controlled through the internet via a handheld remote. Imagine if you could change the voltage in someone’s brain. That worries Eric.
Wifi-enabled medical devices can be extraordinarily helpful. But Eric thinks it’s important to balance quality of life benefits against the drawbacks of vulnerability to attacks. Attackers are not nice, and they’re often willing to do terrible things.
Imagine if your brain is held in a ransomware attack and they tell you, “We need a million dollars or we’ll kill you, you have five minutes to pay.” These are the situations we’re creating for ourselves. – Eric O’Neill
The Balance of Innovation and Security
Innovation is a wonderful thing. But if we’re going to be able to manage our personal cybersecurity, innovation has to involve thinking about security. It may slow innovation down, but it’s critical. The first people to find ways to break something are always the bad guys.
We don’t always think about how someone with evil intent would try to abuse devices. Nobody thought that an internet-connected teddy bear that lets you talk to your child could be hacked so someone malicious could talk to your child. Nobody thought about how dangerous production floor robots could be until a hacker broke in and used an arm to knock someone to the ground. In some cases, we almost need a “hacker’s advocate” to think about how devices could be misused.
The Future of Personal Cybersecurity
There’s a lot of doom and gloom and fear around technology. The possibilities for danger and harm seem endless. But what is actually likely to happen? The same things that are already happening. Cyber espionage is already happening. Cyber war is already happening.
The average person concerned with personal cybersecurity mostly has to worry about cyber crime. And the good news there is that most criminals are lazy. They want to use attacks that will take the least energy and get the most profit. These include tactics like spear phishing and other kinds of spam. We get hundreds of spam emails every day. Some are awful, and some are really good. In Eric’s opinion, we just shouldn’t click links in emails ever.
Ninety-eight percent of successful attacks leverage known vulnerabilities. That means things like software updates we forgot to install and spam emails we clicked even though we know we shouldn’t have. But the good news there is that basic personal cybersecurity defense consists of things that we can control.