I started hacking computers and phones in 1985. After almost getting busted by the FBI as a gangly teen, I decided to use my skills for good, and it turned into a 24-year cybersecurity career.




Most people I meet aren’t aware of the security battles raging daily from all corners. Ransomware, email leaks, and fake news were big headlines in 2016, but the cyber battleground is broader than these. Threats to your security, privacy, and liberty are real and increasing — and in ways you might not expect.

So, pulling back the covers, I wanted to share some security and privacy secrets in case you missed them:

1. The number of breaches reported by media is only a fraction of the hacks that occur. Companies and government agencies work hard to keep hacks secret if possible.1 Take the example of Yahoo, which finally admitted in 2016 that one billion of its accounts were hacked... in 2013.2 Keeping a tight lid on breaches is common, as I’ve witnessed many times; in truth, hacking accounts for as much as $1 trillion in losses per year worldwide.3


2. Roughly 25% of hacks are facilitated by disgruntled insiders.4 In most cases, employees admit after a breach that they knew an insider was unhappy or acting suspiciously — but nobody ever taught them to report it.

3. Most organizations where I’ve worked (Fortune 500 companies included) have no idea where all of their valuable data is stored. This means, of course, that they can’t possibly know if somebody is stealing it.5


4. America’s most damaging hack in modern times was arguably the theft of background dossiers on 21 million federal workers from the Office of Personnel Management, the country’s most incompetent HR department.6 Each file was over a hundred pages long, and packed with blackmail material — financial records, arrest histories, substances abused, you name it. If you’re a federal worker with vices or secret proclivities, foreign agents know about them now — and the names of your children.

5. Almost nobody in Congress has computer security experience — or advanced science degrees, for that matter — and America’s laws reflect this.7, 8


6. The NSA broke privacy laws 2,776 times in a single year to spy on Americans, and the FBI’s record isn’t great either.9, 10, 11 If trends continue, expect Congress to legalize warrantless digital searches that’ll be allowed anytime, anywhere.12, 13 Remember the Fourth Amendment? Nope, me neither.

7. The official U.S. intelligence budget is about $50 billion annually, but thanks to sloppy accounting, the real total may be billions or even trillions higher — even the Defense Department can’t seem to say for sure.14, 15 Specific details of secret “Deep Black” projects are not shared with Congress; in fact, participants are allowed to deny these programs even exist.16 So, UFO conspiracists could be right: Nevada’s Area 51 might be full of extraterrestrials, but we’ll never know, unless a whistleblower comes forward with evidence that can’t be ignored.


8. The federal government has confiscated, and rated as Classified, over 5,000 U.S. patents for inventions created by private citizens.17 If you invent a time machine, better keep it to yourself.

9. A DOJ memo revealed that post-9/11 doctrine permits the assassination of any American citizen anywhere in the world who “poses a threat” to national security, even if there is “no clear evidence that a specific attack will take place in the immediate future.”18


10. The Countering Disinformation and Propaganda Act was signed into law in 2016 to “battle foreign propaganda and disinformation” with federally sponsored “fact-based narratives”.19 In other words, Washington has put itself in charge of determining what’s true, and what isn’t. This doesn’t bode well, given our government’s history of manufacturing convenient “truths.”20

11. Nearly everything you do in the digital realm (Internet, phone calls, credit card purchases, etc.) can be captured, stored, and made searchable to intelligence agencies .21 If you’ve been targeted for surveillance, it’s unlikely you’ll find out, unless you’re arrested.22 If an agency has secret information about you, and you request a copy of it using a Freedom of Information Act (FOIA) form, the agency may reserve the right to pretend that your records do not exist.23 If you run for office against an incumbent who has friends at intelligence agencies, presume that every email you ever sent, website you ever visited, and phone call you ever made may be used against your campaign.24


12. Don’t trust your phone. AT&T and Verizon regularly spy on Americans,25, 26 the NSA can capture any phone call’s audio,27 and many federal, state, and local agencies employ fake cell towers to eavesdrop on mobile calls.28, 29 If you want to have a private conversation, avoid phones. If you’re a journalist, always power off your cellphone before going to meet with a secret source,30 since correlation of cellphone metadata now makes it trivial to identify people in your proximity.31, 32, 33, 34

13. Assume your personal data will be leaked, and plan accordingly. During an intelligence database demonstration, an investigator pulled up my SSN, banking and credit histories, and street addresses where I’d lived, all within seconds — and then the same for my neighbors living on my block. So, somebody somewhere already has your personal data, and it only takes one bribe for bad guys to get it, no matter what you do. Using a credit monitoring service might not be a bad idea.


14. Hackers can guess some 350 billion passwords per second,35 and Snowden believed that the NSA could possibly achieve 1 trillion/second.36 Randomly generated passwords of at least 16 characters should be safe for a while, if you use uppercase, lowercase, symbols, numbers, and no dictionary words. Also, use a different password per website, so one hack doesn’t compromise your entire online life.

15. Federal border protection officers are permitted to search and/or retain your cellphone, laptop, USB devices, or other electronic equipment upon your entry to the U.S., even if you are not suspected of criminal activity.37, 38 If you have valuable data, make sure it is encrypted on your devices, and backed up elsewhere, in case you don’t see your hardware again for months.


16. If a law enforcement agency asks for the alphanumeric password to unlock your phone or computer, you can refuse to divulge it on Fifth Amendment grounds that your speech might be self-incriminating. However, this is not always the case for authentication based on thumbprints or gestures; you might be forced to provide these, since courts have found that they do not constitute speech testimonials against yourself.39 So, use a strong password that you must type from memory.

Although I’ve painted quite an Orwellian picture, there’s good news: you can plot your own countermoves, if you learn how these games are played.




Until Washington figures out how to better balance national security against individual rights, refuse to be a target; insist on your privacy and liberty by taking steps to secure them yourself.

References



1. Pagliery, J. (2016, January 14). We keep too many hacks secret, says ex-NSA director. CNN Money.


2. Newman, L. (2016, December 14). Hack Brief: Hackers Breach A Billion Yahoo Accounts. A Billion. Wired.

3. Kerr, D. (2013, July 22). Cyberattacks account for up to $1 trillion in global losses. CNet.


4. McCormac, A., Parsons, K., & Butavicius, M. (2012). Preventing and Profiling Malicious Insider Attacks. Edinburgh, South Australia: Command, Control, Communications and Intelligence Division.

5. Gold, S. (2014, June 24). 83% don’t know where their sensitive data is located. SC Magazine (UK).


6. Dinan, S. (2015, July 9). Feds acknowledge hack of government computers affected 21 million. The Washington Post.

7. Manning, J. (2016, December 5). Membership of the 114th Congress: A Profile. Washington, DC: Congressional Research Service.


8. Haddon, H. (2015, January 5). Science Advocates Decry Lack of Representation in Congress. The Wall Street Journal.

9. Gellman, B. (2013, August 15). NSA broke privacy rules thousands of times per year, audit finds. The Washington Post.


10. Cameron, D., & O’Neill, P. H. (2016, August 23). FBI authorized informants to break the law 22,800 times in 4 years. The Daily Dot.

11. Nakashima, E. (2008, April 8). FBI Data Transfers Via Telecoms Questioned. The Washington Post.


12. McLaughlin, J. (2016, May 3). NSA and CIA Double Their Warrantless Searches on Americans in Two Years. The Intercept.

13. Savage, C., Angwin, J., Larson, J., & Moltke, H. (2015, June 4). Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border. The New York Times.


14. Gellman, B., & Miller, G. (2013, August 29). ‘Black budget’ summary details U.S. spy network’s successes, failures and objectives. The Washington Post.

15. Pianin, E. (2016, July 31). Pentagon’s Sloppy Bookkeeping Means $6.5 Trillion Can’t Pass an Audit. The Fiscal Times.


16. Maroni, A. (1989, October 24). Special Access Programs and the Defense Budget: Understanding the “Black Budget.” Washington, DC: Congressional Research Service.

17. Schulz, G. W. (2013, April 16). Government Secrecy Orders on Patents Have Stifled More Than 5,000 Inventions. Wired.


18. Greenwald, G. (2013, February 5). Chilling legal memo from Obama DOJ justifies assassination of US citizens. The Guardian.

19. Tyler Durden. (2016, December 25). Obama Quietly Signs The “Countering Disinformation And Propaganda Act” Into Law. Zero Hedge.


20. Marchetti, V. (1989). Propaganda and Disinformation: How the CIA Manufactures History. The Journal of Historical Review, 9(3).



21. Greenwald, G. (2013, July 31). XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’. The Guardian.


22. Spencer, H., & Weiner, R. (2016, October 24). U.S. courts: Electronic surveillance up 500 percent in D.C.-area since 2011, almost all sealed cases. The Washington Post.

23. Freedom of Information Act Regulations, 76 Fed. Reg. Number 54, pp. 15236-15244 (March 21, 2011) (to be codified at 28 C.F.R. pt. 16).


24. Greenwald, G., Grim, R., Gallagher, R. (2014, January 23). Top-Secret Document Reveals NSA Spied On Porn Habits As Part Of Plan To Discredit ‘Radicalizers’. The Huffington Post.

25. Lipp, K. (2016, October 24). AT&T Is Spying on Americans for Profit, New Documents Reveal. The Daily Beast.


26. Greenwald, G. (2013, June 6). NSA collecting phone records of millions of Verizon customers daily. The Guardian.

27. Gellman, B., & Soltani, A. (2014, March 18). NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls. The Washington Post.


28. Clasen-Kelly, F. (2015, February 15). Secrecy lifts in CMPD StingRay phone tracking. Charlotte Observer.

29. Noble, A. (2015, September 6). Privacy concerns linger over use of cellphone tracking systems. The Washington Post.


30. Pagliery, J. (2016, July 1). FBI’s secret rules to spy on journalists and hunt their sources. CNN Money.

31. Perez, E., & Gorman, S. (2013, June 15). Phones Leave a Telltale Trail. The Wall Street Journal.


32. Coulthart, R. (2015, May 21). ‘Be Paranoid’: How One Reporter Learned The Danger of Metadata. The International Consortium of Investigative Journalists (ICIJ).

33. Blaze, M. (2013, June 19). Phew, NSA is just collecting metadata. (You should still worry). Wired.


34. Mayer, J. (2013, June 6). What’s The Matter With Metadata? The New Yorker.

35. Samborski, J. (2015, December 16). Hi-Tech Guessing Game: 350 Billion Passwords a Second. Scientific Computing.


36. Greenberg, A. (2014, October 13). These Are The Emails Snowden Sent to First Introduce His Epic NSA Leaks. Wired.

37. Electronic Frontier Foundation. (2011, December 20). Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.


38. Kerr, O. (2015, May 12). Every computer border search requires case-by-case reasonableness, DC court holds. The Washington Post.

39. Mohan, V., & Villasenor, J. (2012, October). Decrypting The Fifth Amendment: The Limits of Self-Incrimination in the Digital Era. University of Pennsylvania Journal of Constitutional Law, Heightened Scrutiny, Vol. 15.


Scotch Wichmann (@countercastle), M.S., CISSP, CEH is a cybersecurity researcher by day, and a performance artist by night. His madcap comedy novel, Two Performance Artists Kidnap Their Boss And Do Things With Him, was published in 2014.