Bob Gourley

Bob Gourley is co-founder and CTO of OODA LLC, a cybersecurity and artificial intelligence consultancy. Gourley is publisher of CTOvision and OODAloop, and the author of the bestselling book The Cyber Threat. Named as one of InfoWorld’s top 25 CTOs for 2007, Gourley has served as the CTO for the U.S. Defense Intelligence Agency.

This article is by Featured Blogger Bob Gourley from his CTOvision column. Republished with the author’s permission.  

Watching the cyber threat evolve over the last few decades has made it clear: we are all targets. As individuals we need to do what we can to minimize the threats to our personal information. Corporate leaders should do what they can to educate employees on these personal threats. Do this for two reasons: 1) Because you love your employees and want to make them aware, and 2) Because increasingly bad guys target employees at home to get to corporate data. 

Who is spying on us? 

Here is a categorization that will be helpful in deciding the best defensive measures to mitigate the impact of modern tech-enabled surveillance:

Companies: Firms that make money selling ads (like Google, Twitter and Facebook, but also the many firms that act as intermediaries in the Internet ad ecosystem) devise well-thought-out systems to gather info on individuals. These companies want to keep getting better at serving ads that will get clicks, so they seek to know more and more about individuals. Other companies, like credit card providers, credit reporting agencies, airlines and media companies, may all collect personal info and sell it without a person’s knowledge. And increasingly those that sell data will work with the ad provider infrastructure.

Journalists: This is a broad category. The journalists we are referring to here are those that have decided to probe into an individual’s personal life or business. This could include journalists that might be trying to find out the identity of a pseudonymous account that may have been set up by an individual seeking to exercise freedom of speech.

ISPs: These may want to participate in the ad ecosystem by selling information about individuals, but also want to know viewing habits for their own uses. 

Mobile Providers: The data your devices exchange with cell phone services can be collected and mined and sold in ways that reveal surprising amounts of information on who you are, where you live and work and what you do. 

Criminals: Bad actors want to learn more about individuals so they can conduct social attacks and fraud directly against people, or pose as someone to conduct fraud against others.

Automated “bots”: These worms can self-replicate and get into systems automatically and then signal back to controllers when they find interesting information.

Governments: This can include hostile governments who may see an individual’s computer as a launching pad for attacks against others, including our government. Hostile governments also fund attacks designed to steal corporate intellectual property. Frequently these attacks will involve targeting individuals. 

Employers: In many cases companies have legal rights to watch what employees are doing on their systems and, depending on what was agreed to, may have some surprising rights when it comes to tracking activities elsewhere. 

Miscreants and thrill seekers: There are people who get a rush when they can compromise a person’s account and an even bigger rush when they can share embarrassing info online. 

Snoops: The bad news is that sometimes we have nosey neighbors, prying office workers, and in some bad situations, family members who spy. Stalking is another horrible threat where spying is frequently a component of the threat. 

Devices: This is really a subset of the corporate spy, since spying done by devices is designed into the architecture. For example, spying done by your phone includes insights into where you are and what apps you use. This can be used by Apple or Google for their ends (in general, we believe Apple to be best at protecting personal privacy, but still there are threats here to be aware of).