Online Privacy is a Myth

by David Evenden

When I went to the Tribe of Hackers conference a few weeks ago Marcus Carey asked 10 willing attendees to spend one minute answering a question in front of everyone. The first question was "what do you think will change in cyber security in the next 5 years?". I was so focused on that question I don't even remember the second question.

I encouraged Kylie Martonik (@0xNBE1 ) to go up because she's braver than me, and was willing to share her answer. If I had the courage at the time, this is what I would have said. I should also note that this answer is a good answer to the first question asked to all the contributors of the book The Tribe of Hackers "Is there one myth that you could debunk in cybersecurity?".

It's a good thing I didn't go up in front of everyone, because this answer would have taken more than one minute. Also I'm about to sound like a conspiracy theorist...trust me I'm not.

Privacy in today's world is 100% a myth.

Your communications travel across the open air. Some are encrypted and some are not. This has been happening for a really really long time. The US government has regulations and trainings that 'prevent' them from collecting, storing, and using this data without a warrant for any purposes. Unless, of course, there's probable cause related to specific actions.

Just because the Fed have rules, doesn't mean others do. Capturing SIGINT, (Signals intelligence) is not a difficult task with the right equipment. The conversations that you think are private are not private. Have you ever been able to pick up a local cordless phone conversation over a radio scanner? It's very similar to that, but with more expensive technology.

Everything you say anywhere can be collected, and can be used to track, stalk, steal, and monitor your activity.

Your Email is Not A Safe Place

Google employees can, and do, access users' email to delete virus', or remove potentially unsafe or violent emails. This is a place where you feel like you can have some of the most private conversations of your lives. Guess what, Google employees can access that without a warrant. All they need is for you to have signed the agreement clause when you created your account. I would nearly guarantee all other email vendors are the same way. They'll say they can't, they'll say they don't...but trust me...they can and they do.

Your GPS is Tracking you...Always

Try this one out at home. Open google maps, select a destination and hit go. Then without closing that app, put your phone on Airplane mode. Then go back to the app. Now move towards your destination and watch your blue dot continue to move with you. #scary. GPS communications are normally not turned off when you put your phone on airplane mode.

As long as you have loaded the maps prior to going on airplane mode, you can still use the app within the loaded maps range. However, people capturing your GPS location will continue to be able to collect your Geo-location long after you leave that range.

Your Browsing History Can't be Cleared

This one is scary.

Your browsing history is linked to your identity and is nearly never private, even when you've gone incognito. The data that can be pulled from your browser paints a picture that is horrendously frightening.

You can pull data about installed applications & operating systems, and if you have your name tied to your machine or installed applications it can often store registrant identity. That means a porn site can pull your first and last name, username, stored cookies, etc. This often happens when targeting for active offensive intelligence operations.

You're probably not undergoing an offensive attack, but having your personal information harvested for marketing and demographics purposes feels offensive and invasive.

Your IOT Devices Are Cheating On You

If the last one was scary for you, stop reading.

I recently had the pleasure to see Lesley Carhart (@hack4pancakes) present at BsidesKC about her experience with having IOT devices installed in her apartment. Her story isn't abnormal, but it's a serious issue that isn't being addressed right now.

Have you ever had a conversation around your phone about 'something', then later saw an advertisement on Facebook or Instagram for that same 'something'? Have you ever said a band name around your Google Home or Alexa and then heard that band up next on Google Play Music? Trust me it isn't coincidence.

Having IOT devices in your apartment administered by other "people" provides third party access to private information such as when you sleep, when you're away, and when your children might be home alone. This type of information can be collected, aggregated, harvested, and used to steal from your house, or in the worse case scenario, plan a home invasion.

Our technological world today has no privacy.

When using your phone, you have no privacy.
When you're online, you have no privacy.
When you're around IOT devices, you have no privacy.

Having said all this, more than likely you won't change a thing about the way you live.

That might be the scariest part of this article.

About the author

David Evenden is an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East.

While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network.

David currently holds Pentest+ and CySA certificates.

The article was originally published on author's LinkedIn profile: https://www.linkedin.com/pulse/online-privacy-myth-david-evenden/

May 16, 2019