How To Cover Your Asterisk: Interview With A Cyberthreat
18 Jun 2024

Scary interview… Crime is one thing, war is another. Both can come through your computer screen.

Let’s start in the safer world for now… the one of criminals.

‘Mere’ property crimes are viewed as less serious than murder, but they both come from the same place: a basic character flaw that reveals a psychopathy. It denies the humanity and the rights of the victim, it says that whatever belongs to them – their stuff, their files, their people, their lives – should be taken from them because the perpetrator is so important that the rights of everyone else vanish into thin air before them. There is no such thing as an unserious crime – or a little crime. The same disdain that allows a person to spray paint a wall, block access on a road, shoplift or pickpocket allows them to hurt or kill. There is a difference of degree – but not much – once MY desires trump YOUR rights – nothing really is safe.

Society might like to rationalize things because the myth maintains poverty causes crime – an insult to all the millions of law-abiding poor people around the world. But something about posing pathetically once caught instigates a kind of maternal indulgence in the more gullible segments of the social sciences – and the effect is a kind of decriminalization of crime that perpetrators themselves soon cloak themselves in.

There is no more perverse and exaggerated self-delusion of this indulgent kind than exists within cyber-criminals. Sometimes celebrated by popular culture or seen as champions of various forms of hyphenated justice – the cyber-psychopath goes about his or her business completely insulated from the consequences on their victims’ lives. This makes them think there are no victims to their crimes. They fancy themselves skilled and switched on and basically decent – by virtue of being washed clean by binary code, and because they are from a certain place or group and therefore the universe owes them something.

But make no mistake, the cybercriminal is lower than pond scum. They prey on businesses and individuals, in a world that is increasingly reliant on technology to function. Their methods might seem sophisticated to the uninitiated – but they are just brigands with gadgets.

They may prey on the elderly, the young, the gullible, other chancers, regular folks – anyone who can make them a buck.

Occasionally – too rarely still – but sometimes – they mess with the wrong mark, and they are reverse-hacked back into the stone ages, or somebody shows them that hammers speak louder than code once more expressive types manage to figure out, say, their names, and/or the names of their children – and if said expressive types aren’t beholden to the kind of sheepish morals most of their victims simply suffer with.

But short of that, these types often get away with it.

As always – there is no way to be absolutely safe. If some genuine predator decides they have their eyes on you, and they really go for it – there is very little you can actually do to protect yourself. If someone is 1000% focused on harming you individually, they probably can and will. Predators, in turn, might be eaten by other predators… they too can’t rely on whatever resources they have – there are always bigger fish, smarter fish and meaner fish out there. Always.

Most of us don’t want a fight, and most of us don’t actually warrant all the effort and focus such targeting requires.

The best we can do is to try to avoid some common errors and try to stay safe. So in order to learn how, I sat down with someone who works outside the system to bring justice to those who hurt others.

They know cyber, better than I do. In my time writing thrillers I’ve talked to all kinds of folks. Some of them scary.

But not like this one. This one is actually terrifying.

“How do we stay safe?” I ask.

“Basically, information is always, ALWAYS, need to know. Be discreet, blend in, don’t call attention to yourself. Limit the opportunities for others to target and exploit you. Don’t try and get rich quick or take shortcuts – it’s a lot harder to con honest people. And ultimately, never trust anything or anyone that comes to you. Unless you made the decision to reach out to them, don’t trust anything that comes your way. And there is no such thing as FREE. Ever.”

What kind of threats are there?

Phishing

Phishing is a simple, straightforward con. Attackers pose as reputable entities to deceive individuals into providing sensitive information, such as passwords, credit card numbers, or personal details. These attacks are typically executed through email, social media, or fraudulent websites. “Your information has value, even if it is of no value to you. Never give out details over the phone, never type it in when requested. Keep the most secret stuff offline, and if you have to write it down, do it in such a way that others can’t decode it. Need to know – NEED TO KNOW – all info, all the time.”

What about security software and multifactor authentication? “Sure. In theory. But every point of interaction is also a potential point of weakness and breakdown. Limit stuff as much as possible, that’s the trick, don’t fool yourself into thinking there’s a foolproof secure system or way of doing things. Very often installing security software IS the point of weakness, the entry point.”

Ransomware

Ransomware is just extortion with an “e” in front of it. Malicious software encrypts a victim’s data, making it inaccessible until a ransom is paid. These attacks often target businesses but can also affect personal users. A business can be stopped from operating. An individual’s sensitive or private data can be withheld or even leaked.

“Back up regularly, ensure all your software is up to date – safety is an arms race and the more cutting edge you stay, the better. And if something is really sensitive – have it backed up in the real world, on paper, offline.”

Malware

Malware encompasses all kinds of malicious software types… viruses, worms, and spyware, designed to harm or exploit any programmable device, service, or network. It can steal information or just make things unusable. “With Stuxnet it was about ensuring that Iran’s nuclear programme imploded before bombs worked. All it did was really cause one type of tech to function too well, all the time, and that was that. Be careful who you trust… what you download and where from. And if you feel you are compromised and you don’t know your way around code – as in really know your way – consider the device compromised and get a different one.”

Distributed Denial of Service (DDoS) Attacks

A DDoS attack involves overwhelming a network, service, or website with a flood of internet traffic, causing it to become unavailable to users. “Say you have a shop in which ten people can stand comfortably. A DDoS is basically sending three, four million people into the shop at once. Doors close. Shop doesn’t work. It’s a favourite for reverse hackers too. Someone messes with someone they shouldn’t – you deliver a nice little payload into their system and you crash the bad guys’ infrastructure. It’s blunt, I prefer precision. You hit them with a hammer, they know. I like to watch them for a while, without them knowing. I like finding out all about them. I like to get on a first name basis with everyone in their lives, especially anyone vulnerable, and strike only at the bits that are the softest, juiciest and least protected. But a DDoS immediately shuts them down. Most targets of DDoS attacks are just regular folks targeted by assholes. It’s the easiest trick to do. Amateurs can do it. It’s not hard.”

Data Breaches

A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. “It can be from phishing, or from malware… but the way it is used, it is, talked about, is like… when a company does business with a lot of people and their info gets leaked, that’s a data breach. So when a bank, or a dating website, or whatever, gets hacked and their users become the victims. This is why companies spend money on cybersecurity. They do penetration testing with white hats, they run various, various programs. They have regular security audits and run vulnerability assessments. But yeah, there’s not much you as a customer can do. So even when things are legitimate… need to know, need to know.”

Security Industry

“So around all this, an industry grows up. And there’s some cool tricks and tips and tech that’s developed, and it’s all sweet. But you have to understand that a lot of the cybersecurity industry is about making people feel safe. At some point you need to feel safe because otherwise you’ll never sleep. But again, you’re never – well – safe. The thing with cyber is that it scales really cheap and easy. Say you and me are in a fight. I buy missiles, so you buy missiles. At some point cost alone prevents escalation. I or you can’t keep up buying bombs because, well, bombs are expensive, and we run out of space, and infrastructure to service the bombs, and whatever. But with cyber there are often no real-world constraints. We can infinitely escalate. That’s why safety, in cyber, is an illusion. You can be the biggest and baddest guy on the block and microseconds later you’re at the bottom of the barrel. Most of the mainstream, commercial stuff, will keep the amateurs away. That’s worth something. It is. Go with it. As for the big boys, there’s also Mutually Assured Destruction. Because we can escalate infinitely, everyone else can too. So if you are going to go all out attacking someone, then at some point they can also strike back the same way. This alone keeps the peace. The idea that the walls are impenetrable and the shields are too sophisticated to be… be shattered is a fantasy.”

AI

“Sure. Computers themselves are peaceful things, but they are used by criminals and they are used as weapons. So anything that is invented, anything that comes along, any trend, any new tech or invention or whatever, is used, or can be used, offensively or defensively. AI is no different, but AI isn’t really new… in the cybersecurity space it’s been used… practically, under various different names but essentially, since the days of cryptography. So AI is great and whatever but it’s not the next level shit.”

By now I’m almost too terrified to speak, but I do ask: “What’s next level?”

“I think Quantum is going to rock boats. It’s early days there, so we still have to see… that’s still in the future in many ways. A lot of what is called quantum computing isn’t really… it’s simulated quantum rather… approximating the theoretical. Right now, living and breathing, I think the cutting edge is biomimicry. There are systems that behave like immune systems. It’s not the AI, it’s how you use it. Get an immune system up and running that learns as new threats come along. That trains itself. Classic AI in a way… but the newsflash is that it is built to function like the immune system, or a beehive, or a wasps’ nest. But I realize as I’m talking that as the words leave my mouth the concepts become outdated. It’s a rush out there… it never ends.”

So What Chance Does A Normal Person Like Me Have?

“If you’re no one, no one big really targets you. Grannies might be preyed on, but it’s by lowlifes, bottom feeders. Run of the mill security protocols and awareness to keep info to yourself and trust only the contacts you initiate is enough to take care of that. If you are someone, bigger, then the fight becomes more real. Your best defence is a credible offense, in that case, in a way. So in a weird way it’s the destructive power that keeps us ‘safe-ish’. Sure, you can crash my power generation facilities. But I can set off all your ICBMs to explode in their hangars. And then you can take my air traffic control and crash every last plane in the sky. But then you can switch off all my medical machines nationwide. How badly do you want to fight? How crazy are you willing to be? How far are you willing to go? That’s the only limit. The tech is secondary.”