Here's our interview with Business Insider on digital security & privacy
We spoke with Business Insider to discuss digital security and privacy following the US Capitol building intrusions. Here's the exclusive full interview, only available here.
Timeliness and relevance are two critical factors for intelligence to be useful for decision-making, and Business Insider’s Stavros Atlamazoglou helped ensure the Capitol Hill intrusions drove our fundamental digital security and privacy takeaways home to an international audience.
We used the interview to highlight the power of publicly available data, and how it impacts individual privacy and security. We also offered for free the latest edition of our digital security guide, available for download from our website.
Let us know your thoughts on the full interview by leaving a comment below, or by sharing it with friends.
Insider: How easy would it be for a malign actor to tap/wire/access government technology (phone, laptop, etc.)?
Privacy Matters: This really depends on how accessible the device or network is and the methods used by the malign actors. For example, take the recent intrusions/riots in the Capitol building, where we have news today that the FBI feared a rioter who stole House Speaker Nancy Pelosi’s laptop from her office may have intended to sell it to Russian security services. This makes a great case for both physical and digital security, an even more critical undertaking given the proliferation of mobile devices these days. You can’t have one without the other.
Insider: What steps can a person take if he thinks his digital security has been compromised?
Privacy Matters: For starters, don’t let your devices fall into the wrong hands - this could be leaving it unattended in a coffee shop or not letting it out of your sight when crossing a border, and everywhere in between. Ensure your devices are fully encrypted, and limit unauthorized users from being able to access them physically through the lightning USB port (phones) or by messing with your firmware/boot options. We also recommend keeping tools like the “Find my iPhone” feature enabled which provides you with a remote wipe option should it be required. It would be greatly refreshing to ensure a remote wipe of that laptop stolen from Pelosi’s office. Aside from physical device security, there are a number of things you can do to harden your digital security. We recommend using a password manager, enabling two factor authentication across your accounts, and locking down your online privacy are a few good places to start.
Insider: What trends are we seeing in terms of online investigations? How is online data being used?
Privacy Matters: With our lives moving online, ways to harness or exploit this data also increases. What was previously the purview of nation state intelligence and security services, for example, is now being broadcast (rightfully so) to the world in the form of online investigations and open source intelligence techniques (OSINT). Take digital investigations firm Bellingcat, for example, who has done an outstanding job holding malign Russian actors accountable through their expert application of open source investigative techniques. The picture and context that online data paints can be astounding, as it encompasses such a wide swath of sources, such as: social media, public records, breached or stolen databases, location data, and personal identifiers such as phone numbers, dates of birth, addresses, and more.
For individual citizens, we’re seeing online information being employed at an exponential rate by private and public organizations, news organizations, criminals, and others. Take the practice of “doxxing” as a prime threat to the unsuspecting individual who has their personal data pasted across the web - including their home address, personal emails, passwords, phone numbers, relatives, and much more. People have been mistakenly identified online, which can result in exceptionally grave consequences for the victims.
We're even seeing a version of this in the aftermath of the Capitol riots, where a significant digital “scent” has been tracked by law enforcement and journalists from following the rioters’ social media (i.e. Snapchat and Twitter) accounts back to their “real world” identities and leading to arrests, stuff that’s holding up in court.
While malign nation states like Russia are a serious threat, we also have the insidious and less visible threat from corporate big data companies (and many others like Lexis Nexis, Oracle, etc) such as Google and Facebook, who traffic the sale of individual data for profit that results from targeted advertising. We’re big advocates of the right to privacy and severely limiting others' ability to profit from the sale of your personal data.
Thankfully, many organizations outside government are working to provide security and privacy to clients across the spectrum as well. This could involve limiting or suppressing online information, removing items from appearing in search engines, harnessing publicly available data to inform decision-making in business or litigation, and much more. A gold standard for managing online information and privacy is Michael Bazzell, who wrote what we consider the “OSINT bible” and who helps clients with the removal of online information, privacy, and other similar matters. We also offer similar services that help clients identify risks in the form of online vulnerabilities, leveraging strictly open source data and what’s called publicly available information to paint a picture of vulnerabilities that threat actors could exploit. This is also quite useful in due diligence investigations or litigation requiring insights into potential business transactions, partners, and the like.
Insider: What must people do to protect their digital signatures/footprints?
Privacy Matters: As we were trained, make yourself a “hard target”. Do not make anyone’s job easier. Security cannot be applied retroactively, and an ounce of prevention is worth a pound of cure. What this means practically is limiting your social media presence or not having public profiles, do not publicly list your cell number or personal email, and generally embrace a mindset that maintains awareness of your physical and digital vulnerabilities. In today’s digital environment, it’s becoming the bare minimum necessary to use a password manager, enable two factor authentication, and other forms of security that were certainly not the norm even a few years ago. We wrote a free guide for digital security that covers a few of these critical techniques to help people enter into this mindset and lifestyle.
Insider: Any other important considerations?
Privacy Matters: Clients usually request assistance after something bad has happened, but at that point we’re fighting uphill. Security and privacy are difficult if not all but impossible to apply retroactively. So don't wait for that bad thing to happen to you, whether another data breach, a doxxing incident, or worse. Digital security and privacy are personal efforts but don’t have to be done alone. We exist to help individuals protect their families, neighborhoods, and small businesses from some of these threats. But the work needs to be put in up front.