We here at TOWR hope that you had a good Christmas. Today we’re going to start a series that I have tentatively titled “The Paranoid PC”. We’re going to look at many ways that your computer could betray you today and in a future Excessive Rule of Law environment. We’ll discuss the capabilities of various actors. We’ll take a high-level view of the supply chain. Then we’ll discuss the vulnerabilities in an example piece of hardware and ways that you can remediate them.
Let’s talk about our enemies. Who is coming after you?
Common criminals are generally just after your hardware. They’re going to steal your computer and sell it on Craigslist. Strong passwords, encryption, and off-site backups will protect your data, which is the most important thing in this case.
These are folks who aren’t necessarily after you in particular. They’re looking to pick off the weak in the herd. Their attacks range from the seemingly innocuous, such as tracking your browsing habits and pushing ads to your computer, to extorting money from you by locking your data away from you, to having your computer join a botnet and be used for attacks. Basic safe browsing and computer maintenance will generally protect you from these attackers.
Personal enemies are those who are after you personally. Obviously, if your enemy is a l33t hacker dude, it’s a different story than your opponent for school board president. Generally speaking, if your enemy isn’t somehow involved in IT or IT Security, your biggest threats will be theft of your equipment and/or poor passwords. A motivated party might spend money hiring an expert to attack, at which point you’ll be happy that you took your security seriously.
If you are targeted by organized crime, it is because you have some kind of value to them. IT Administrators and Security personnel are targets. So are executives, business owners, or anyone who deals with customer data. Even if you don’t have PII (personally identifiable information) on your own computer, an operative for an organized crime group may attempt to coerce you via blackmail or other pressure points to obtain information for them. Be aware of your pressure points and have plans to deal with them if they are exploited.
Opposing Political Organizations:
Let’s say you run a blog that takes a severe anti-abortion stance and you’re actually starting to get some traction. Do you think that Planned Parenthood or another pro-abortion organization would take notice and perhaps try to act against your blog? Anonymous is well-known for attacking organizations based on their political persuasion. Opposing Political Organizations may have more compelling motives, more money, more contacts, and more resources in general to attack you with.
For those of us who are Conservative/libertarian this can be a challenge; many of those who are technically proficient black/grey hat hackers fall ideologically with the progressive/socialist/Occupy camp. If you rise to the level that Anonymous is taking notice, then watch out. While many question how technically proficient they are, they are certainly adept at attacking known vulnerabilities and making headlines.
Once the Eye of Mordor turns to you, escape will be very difficult; more to the point, while government and commercial databases are lousy at predicting criminal activity (such as San Bernardino), they are fantastic at putting the pieces together once attention has been brought to a target.
Everything that we said about organized crime and opposing political organizations applies here, but multiplied exponentially. Nation states have limitless (for our purposes) resources, incredibly clever teams of technical people, a monopoly of force, and with a little old national security letter, access to the information of pretty much any company you’ve ever done business with. All they have to do is call you a terrorist.
I want to make this painfully, painfully clear: If a nation state comes after you they will find a way to get what they want from you. We’ll discuss ways to minimize the risk, but their reach is far and their fists are big.
On that happy note, I’ll bid you adieu. Keep learning and keep training. Keep your mind agile. Homework for next time: Think of three ways someone could gain access to your email, what the consequences would be, and how you could counter.
EDUCATE. EMPOWER. RESIST.