The book Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman is a chilling look at a spectrum of current and future threats to digital security and privacy. Frightening true stories illustrate the dangers. I’d like to share my summary of the book with you. I also encourage you to read the book for yourself!
Note: this post contains affiliate links.
It’s clear that Goodman is a subject matter expert and did his research. The book is engaging, though it would benefit from being condensed.
The book contains some security and privacy tips, mostly in the appendix, but the focus of the book is raising awareness of digital crime in the present and future.
Goodman warns that we’re racing forward with new technologies when we haven’t even secured what we already have:
Given our inability to secure today’s global information matrix, how might we ever protect a world in which every physical object, from pets to pacemakers to self-driving cars, is connected to the Net and hackable from anywhere on the planet?
Author Marc Goodman was futurist-in-residence with the FBI, and worked as a senior advisor to Interpol. He’s founder of Future Crimes Institute, and Chair for Policy, Law, and Ethics at Silicon Valley’s Singularity University.
Goodman gave a TED Talk titled “A vision of crimes in the future” (embedded below) that gives a taste of the contents of this book, though it’s no substitute for the book.
Connected, Dependent, and Vulnerable
By the time security software companies update their software, it’s often too late. The “time to detection” rate (time from introduction of malware to its discovery by security industry) is growing. There has been an increase in zero-day attacks. “The antivirus era is over.”
You’re Not the Customer, You’re the Product
Everything you ask Siri is recorded by Apple for at least 2 years.
Your friends and family leak data about you. Each time someone puts your name, address, birthday, or other info into Google or iPhone contacts or Outlook calendar, or tag you at an event on Facebook, that data is available to those companies.
Even if you don’t have a Google account, if you send an email to a Gmail user, Google has those emails.
Frequently review your privacy settings because companies often change them and can undo your settings.
When you buy an Android app in the Google Play Store, Google gives the app company your name, email address, location where you live.
McAfee reported 82% of Android apps track your online activities and 80% collect location information.
The Surveillance Economy
Data brokers, unlike credit reporting agencies, are almost entirely unregulated by government. No laws require them to safeguard consumer privacy, correct factual errors, or reveal what info they store.
If someone says, “You shouldn’t worry about privacy unless you have something to hide,” ask if they’d object to the following being made public: video of them having sex, their tax returns, video of them using the bathroom.
In the US, social networks are considered public spaces, not private ones, and any info shared there is covered under third-party doctrine, meaning users have no reasonable expectation of privacy in the data that service providers collect on them. This is an exception to the Fourth Amendment prohibition of unreasonable search and seizure.
Big Data, Big Risk
Goodman’s Law: “The more data you produce and store, the more organized crime is happy to consume.” Eventually, your personal details will fall into the hands of criminal cartels, competitors, foreign governments.
75% of people use the same password for multiple websites, and 30% use the same login info for all their online activities. This means if one account is compromised, many or all your accounts can be.
You can’t trust privacy settings to keep data private, because company may change terms of service (ToS) or privacy settings, which may loosen privacy, or your account may be compromised, making privacy settings useless.
Kids are 51 times more likely to be victims of identity theft than adults, according to a Carnegie Mellon study.
4 out of 5 kids can’t tell when they’re talking to an adult posing as a child online.
Criminals monitor social media to see when you’re on vacation, then contact your elderly relatives to tell them you’ve been in an accident and that they need money for your treatment.
I.T. Phones Home
Mobile phones may be the most insecure of all devices. The software is notoriously easy to subvert, the risks are poorly understood, and the systems for device protection are immature and wholly undeveloped.
Malware can give attackers access to your phone’s microphone, camera, and location in real time.
99% of mobile malware targets Android, according to a Cisco study.
Android is insecure due to lack of updates and bug fixes. Carriers are more interested in selling new phones than updating old ones. Carriers and manufacturers tweak each installation of Android, an expensive process that causes them to limit updates. This customization process, and the insecure software added, leads to 60% of Android security threats. Apple controls the entire hardware and software ecosystem, making it more secure.
Third-party Android app sources often lack security screening.
Jailbreaking iOS devices opens them to same security threats common to Android.
In 2012, the U.S. Department of Justice revealed that there were 3.4 million victims of stalking annually among those hundreds of thousands who were tracked by spyware and GPS hacks.
Automatic license plate reader (ALPR) databases allow location tracking of individuals who aren’t charged with or suspected of any crime.
Some retailers track location of customers’ phones in their stores (via Wi-Fi and MAC address).
Criminals will gain access to all this information over time via the digital underground and use it to blackmail, bribe, and stalk targets of their choosing.
So far, major threat to big data has been theft and leakage. In future, worse danger will be unauthorized alteration of info world depends on to operate.
In Screen We Trust
We trust our screens to tell us the truth, but what appears on screens can be misleading, faked, spoofed.
Electronic medical records are often insecure. Hackers can change them, resulting in injury and death to patients.
80% of the time, children under 18 can’t tell when they’re communicating with an adult online. Pedophiles often portray themselves as children.
Mo’ Screens, Mo’ Problems
Set a voicemail password, or bad actors may be able to access it by spoofing your phone number.
FBI has reportedly turned phones into eavesdropping devices. Criminals can do same.
Portable GPS jammers are inexpensive and can affect cars, cellular towers, power grids, air traffic control, ATMs.
Hackers can control navigational screens to cause ships, trucks, cars, aircraft to change course.
All data presented on screens are hackable.
In 2011, it was revealed that US used fake online personas to manipulate online conversations and spread pro-American views on social media. According to Freedom House, at least 22 governments manipulate social media for propaganda.
According to 2014 study by Rand Corporation, 80% of hackers work with or for organized crime.
When All Things Are Hackable
There have been dozens of exploits against RFID, which can be easily hacked, spoofed, jammed. Majority of RFID tags have no effective security, encryption, or privacy protocols.
Hackers can wirelessly capture data from RFID credit cards.
NFC has been compromised many times, as has Google Wallet.
Bluetooth is easily subverted.
Don’t trust public USB chargers. Hackers have infected many, which will infect your phone.
Home Hacked Home
Hackers and pedophiles routinely compromise baby monitors to watch babies and mothers.
Home and office security cameras are vulnerable. More than 20 major brands have widespread flaws. Nearly 70% of users never change default usernames and passwords, making it easy for bad actors to access them.
GM’s OnStar microphone can be turned on remotely without your knowledge.
If a hacker puts an inexpensive tool in your car, they’ll be able to remotely control lights, locks, steering, brakes. They can hack remotely via Bluetooth and Wi-Fi.
While … the Internet of Things may offer Jetsonian convenience, joining all of these objects to the IoT will of course bring its own set of privacy and security risks.
A 2014 study by HP found 70% of IoT devices were vulnerable, with an average of 25 unique security flaws per object.
IoT toys have been subverted, allowing hackers to listen to and watch children.
Hackers go after weakest link in your network, which is likely to be an IoT device.
Security alarm systems are easily hacked. Majority use legacy wireless protocols from 1990s that don’t encrypt or authenticate transmissions. They can be used to spy on you and have alarms suppressed. Newer systems with Z-Wave can also be hacked.
Many smart TVs have security vulnerabilities, allowing hackers to remotely control the camera.
Smart utility meters are vulnerable to malware that can spread from home to home. An infection caused a power outage in Puerto Rico.
Nest thermostat has been hacked. Nest Dropcam cameras have been hacked, allowing hackers to watch video remotely, enable camera microphone, and inject fake video into video stream.
In 2014 a security researcher sized control of power supply to a German town. A hacker could use same exploit to turn off all utilities.
Hearing aids can be hacked just like Bluetooth headsets.
IoT glasses can be switched on with no indication they’re recording.
Between 2004 and 2014, nearly 25% of medical device recalls were because of computer-related failures, and 94% presented a medium to high risk of severe health consequences.
Many devices in hospitals have been riddled with malware and remotely exploitable. In 2013, DHS alerted that over 300 devices from 40 vendors were vulnerable.
Researchers were able to read confidential patient info from a wireless pacemaker, and were capable of delivering would-be fatal electrical jolts.
Wireless diabetic pumps can be compromised with fatal results.
Biometrics are vulnerable because certain biological markers can be copied, and databases containing biometric data can be compromised. When biometrics are stolen, there’s no “password reset.”
Fingerprint, face, and iris scanners can be hacked.
AR [Augmented Reality] will also bring with it a host of security and privacy questions that need to be addressed. … the more we disconnect from reality and accept the virtual in place of the real, the more we open ourselves up to manipulation via ‘in screen we trust’-type attacks.
Rise of the Machines: When Cyber Crime Goes 3-D
Robots, like all IoT devices, can be hacked. “As a result of advances in robotics, cyber crime will finally escape its virtual confines and explode onto our physical space.”
Robots can be used to spy, and will be able to be used to follow, hit, shoot, stab, kill.
Next-Generation Security Threats: Why Cyber Was Only the Beginning
Our genetic material reveals more about us than any hacked online account ever might and … our DNA can be used … to harm us medically.
By gathering genetic material left somewhere by someone, attackers will be able to create a customized weaponized biological virus targeting that person.
Hacking your genetic information will be the identity theft of tomorrow – especially as DNA becomes widely used for authentication.
A quantum computer could potentially bypass encryption protocols. Conversely, quantum tech might also allow for “fully secure, uncrackable communications, since any observation or interception of a quantum encryption key during transit would change its content.”
Too often, software developers follow the maxims “move fast and break things,” “just ship it,” and “done is better than perfect.” “These attitudes … represent perhaps the single largest threat against computer security today.”
“Advertising is the original sin of the web. The fallen state of our internet is a direct, if unintentional, consequence of choosing advertising as the default model to support online content and services.” If companies charged users rather than selling advertising, it would make for a more secure, private Web.
It’s time to kill the password and move on to multifactor authentication and biometrics, tools that, though far from perfect, are an immense improvement over [passwords].
Data breaches and theft would do far less damage if all data was encrypted by default.
All Web traffic should be encrypted.
Encrypt your computer and phone.
4 key strategies from Australian government
These steps mitigate against 85% of targeted intrusions, according to Australian government.
- Application whitelisting (only allow specifically authorized programs to run)
- Automatically update all applications
- Automatically update OS (operating system; Windows, macOS, iOS, Android, etc.), and use latest OS
- Restrict admin privileges and use basic user account except for brief times you truly need to log in as admin
“97% of all data breaches were avoidable by implementing simple or intermediate level controls” according to a study by Verizon and US Secret Service.
Appendix: Everything’s Connected, Everyone’s Vulnerable: Here’s What You Can Do About It
Practical everyday tips to protect from most common tech dangers
- U: Update frequently to patch vulnerabilities. Automatically update all software (OS, software, apps).
- P: Passwords should be long (20 or more digits) and contain upper- and lowercase letters, symbols, spaces. Change passwords often. Don’t use same password across sites. Use password manager from well-known, established company (1Password, LastPass, KeePass, Dashlane, etc.). Use two-factor authentication.
- D: Download software only from official sites (Apple App Store, Google Play, a company’s verified website). Be highly skeptical of third-party sites and free software. Avoid pirated media and software and software available on peer-to-peer networks. Pay attention to apps and their permissions.
- A: Administrator accounts should only be used when necessary. Use a standard user account for majority of use.
- T: Turn off computer when not using it, to reduce threat profile. Turn off services and connections on phone unless you truly need them (Bluetooth, Wi-Fi, NFC, hot spot, etc.).
- E: Encrypt data at rest and in transit. Use full-disk encryption (Bitlocker for Windows, FileVault for Mac). Use a VPN (virtual private network) to encrypt Internet traffic, especially when using public Wi-Fi. Encrypt phone. Always set password on phone, and consider biometric security (e.g., Touch ID).
Additional safety tips
- Be wary of any request to click a link or open an attachment, even when it appears to be from someone you know. When in doubt, check with person who supposedly sent the message, using a different channel.
- Don’t plug USB drives, hard drives, or phones into your computer without first scanning for malware. Disable “auto run” for USB drives.
- Back up frequently. You can use Time Machine on Mac or Windows Backup, and/or cloud backup from Carbonite, Backblaze, SpiderOak. Encrypt data before uploading to cloud. Keep multiple backups.
- Cover camera lens when not in use. Tape or a Post-It note will do.
- Only do sensitive browsing (banking, shopping, etc.) on a device that belongs to you, on a network you trust. Be wary of devices and networks you don’t own.
- Think before you share on social media. Stalkers, burglars, and other criminals monitor social media to learn of vacations, etc.
- Use OS firewall and enable “stealth mode.”
I recommend that you read the book, Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman.
What You Should Do
I recommend that you read the book. My summary isn’t a substitute for the book itself. Here are several tips I’ve hand-picked from the book.
- Frequently review your privacy settings because companies often change them and can undo your settings.
- Set a voicemail password, or bad actors may be able to access it by spoofing your phone number.
- Change the default username and password on all network-connected devices.
- Ask about the security of any medical devices you use, and ask how you can increase their security.
- Set all your software to update automatically (operating systems such as Windows, macOS, iOS, and Android, as well as all programs, apps, and other software on computers, phones, tablets, and other network-connected devices).
- Passwords should be long (20 or more digits) and contain upper- and lowercase letters, symbols, and spaces.
- Don’t use the same password across sites.
- Use a password manager from a well-known, established company (1Password, LastPass, KeePass, Dashlane, etc.).
- Use two-factor authentication.
- Turn off services and connections on your phone unless you truly need them (Bluetooth, Wi-Fi, NFC, hot spot, etc.).
- Encrypt your computer using full-disk encryption (Bitlocker for Windows, FileVault for Mac).
- Encrypt your phone. Always set a password, and consider biometric security (such as Touch ID).
- Be wary of any request to click a link or open an attachment, even when it appears to be from someone you know. When in doubt, check with the person who supposedly sent the message, using a different channel (e.g., if you received the message through email, contact them via text message).
- Back up frequently. You can use Time Machine on Mac or Windows Backup, and/or cloud backup from Carbonite, Backblaze, SpiderOak. I also like IDrive. Encrypt data before uploading to the cloud.
- Only do sensitive browsing (banking, shopping, etc.) on a device that belongs to you, on a network you trust. Be wary of devices and networks you don’t own.
- Think before you share on social media. Stalkers, burglars, and other criminals monitor social media to learn when you’ll be away from home.