How to compromise Law enforcement

bigstock-Tight-Rope-Walk-1226218Most people believe that everything they do on the internet is protected and secure.  Here is a little tale that may surprise you.

Once upon a time, there was a 15-year-old boy who was looking at gay porn on the internet.  Unknown to the boy, some of the sites that he visited installed malware on his computer.  On one of these infected websites, he had also struck up a friendship with someone through a chat component of the site.  The 15-year-old had kept the fact that he was gay concealed from everyone at home and school.  No one knew except his new internet friend.  He kept it close to his chest.

After a while, he became more involved with the person he was talking to in the chat room—seemingly a like-minded gay teenager of about the same age.  Then one day he received an email from an unfamiliar address.  It had a link to a site that had a huge amount of information concerning what he did online, what sites he was going to, how long he had visited each site, and even video of what he had been doing when he visited those sites.   All very scary stuff for a young, inexperienced gay guy who barely even understood what it meant to be gay.   The email warned that these links would be forwarded to all of his family and friends if he didn’t comply with certain demands.

It was time to panic!  So here we are:  Our young gay guy is being blackmailed.    Blackmailers always want either money or something else of value.  In this case, it was something else:  All the boy had to do was access his father’s laptop and plug in a USB device that they would supply.  

What an impossible position for someone to be in.  The boy couldn’t stomach the alternative, so he did it.  At the time his father was a major player in law enforcement, and the laptop was a company laptop.  

Luckily for the law enforcement agency, the moment that laptop was plugged into the main network, all of the bells and whistles went off and the network shut down access to any information.  Then came the recriminations—and the worst part of all for the 15-year-old, everyone finding out he was gay.

Via social engineering the criminals had found out that his father was a major player in the law enforcement area and was relatively high in management for the agency.    That sort of information is relatively easy to come by, not normally through their own admission but by being associated with family, friends and neighbours posting on social media pages.

The cyber criminals do NOT play fair.  They will use any and every means to compromise you or your technology.  That’s why I always say that there are three ways to protect yourself.   One is go back to the Stone Age before computers existed, and that’s not going to happen!  The other two are being paranoid, and using common sense.  

You might think that the boy in this cautionary tale failed to exercise common sense because he was young and foolish.  But adults who should know better make similar mistakes (visiting sketchy sites, giving their personal information to strangers) all the time.  You can put all of the best defences in place, use the most unguessable passwords and the most up-to-date software, but if you do not believe that they are after you, you still may have a problem.  Technology is great, but throwing more technology at cyber security is not going to save us.

This is a real situation that came up in  2013 and can happen to the most careful and paranoid of people.   What will save you?  Learning about the dangers, and taking responsibility for your own action is important for your safety. 

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.