Hackers may want information you don’t know you have, or intend to use information in ways you have not thought of.
Unsurprisingly, most people think they know what information they can and cannot access. After all, how could you know something and not know you know it? Trivially, “access” is not “knowledge.” After all, everyone reading this post can also access all information online, but they surely do not know all information online. Even with the information you know, you—law-abiding citizen—don’t think about information the way malicious actors might.
Two common assumptions about information may mislead people to believe they would not be hacking targets. First, people assume the information they use is the same information others would use. Second, people assume that malicious actors will use information in the same way they would use it.
Information flows in and out of our lives daily, and we make use of it however we see fit, but others may not use our information the same way we do. If you have ever told an extended story to a friend, only to have the friend say something that made you say “that’s what you got out of that story?”, you have lived this experience.
Malicious actors may want information you can access but think is uninteresting, or do not realize you can access. For example, in some companies every manager can access all relevant databases under their management. Those managers may never access those databases, and may not even realize their position grants them access. In many organizations, especially in the military and government, it is extremely common to “cc:” people to “keep them in the loop.” As often as not, people cc’d on an email just file the extraneous email in the circular file, because if the email were important, they would have been part of the original email chain in the first place.
Information given to people who will not use it may still be of use to malicious actors, as we learned when many of John Podesta’s leaked emails were forwarded to him, not from or to him specifically. Podesta was the unlucky winner of that prize, but many people in the Clinton organization would likely have had similar copies in their inbox, or unemptied trash. Podesta himself might not even have actively known what his emails revealed, because it was all background chaff to him.
Likewise, some information is only useful when aggregated; in other words, your information alone may not be important, but combined with other people’s information, the collective information might be very important. For example, as a committed MAGA acolyte in 2016, you might not care if everyone knows that you bought the new bestseller Hillary Clinton is a Great Big Dooty Head, Who Smells Bad and Kicks Puppies. You also reason everyone knows you love fly fishing, so who cares if they know how much you spent on that new custom ordered Split Bamboo rod? You might even be right that no one cares about your shopping habits.
Putting your information together with a lot of other people’s, however, might reveal something of value, for example to a foreign entity looking for exploitable political divides in the American electorate. If by stealing Amazon purchase records someone discovered that in your Appalachian Pennsylvanian county quite a few people both hate Clinton and love fishing, and if that county has historically broken 2-1 for Democrats, an overseas actor might have identified a prime target for information operations.1
Malicious actors might use information in ways you do not. We tend to assume criminals will use our information like we do, even when using it for nefarious purposes. We “mirror image” our adversary, thinking that they will do something that is just the opposite of what we would do. Mirror imaging a hacker targeting my email, I would think hackers want to read my emails, because that is what I do with email. If hackers access my bank account, then since I put money in a bank and take it out to spend on things I want or need, I would think a malicious actor would take money out to spend on things he wants or needs. If I don’t have anything in my email of interest, or have little money in my bank account, why would anyone else want access to it?
First, emails and bank accounts, and other online resources, are important for more than their own sake. Access to your email grants access to almost everything else online, including your bank account. Some may remain unpersuaded of the importance of cybersecurity, because if you already believe that absolutely everything you have is of no value to anyone else, then a chain of access escalation will not persuade you otherwise. Even if you correctly believe that your personal resources are worthless, control of your online assets might be valuable to bad people.
For example, social media is big business, and shady groups sell bots to build the clout of various social media accounts, making online personas inherently valuable. Social media giants have gotten wise, however, and are starting to crack down on accounts that are transparently bots, but using real people’s online identities is a great way to hide that your bot is a bot. While most bots primarily retweet to drive traffic, retirees also retweet a lot. A persona that retweets a lot, but also periodically posts real pictures from a real vacation conveniently uploaded to the same Google account becomes indistinguishable from a real account.
Criminal organizations use financial institutions all the time, but it can be very hard to prevent law enforcement from recognizing where the money comes from. Money laundering has many forms, and while a strip club is traditional, there is no reason that a successful eBay business selling old Beanie Babies wouldn’t work just as well. Of course, people in the Beanie Baby collectible market are probably less inclined to get mobbed up than strip club owners, but access to your email and bank account would allow a nefarious organization to run a couple hundred thousand dollars through your bank account, without breaking a sweat. You might not even realize you were the Walter White of the collectible set until the FBI busts in your door.
Perhaps the most terrifying use (and least probable to be publicly known) would be use by a foreign intelligence service (FIS). FISs have all the same needs criminal organizations do, plus a few, including creating plausible covers and passing information. It might be hard to get someone from Moline, IL to vouch for a foreign national as a long-time friend who just wants to make a new start in the US, but it would be much easier to set up a LinkedIn profile, and have real people, with real accounts write testimonials unawares. In fact, we already have good evidence that LinkedIn is an active hive of foreign intelligence. A patriot would never write a recommendation landing someone a job to forward their intelligence mission, but not securing your information could have exactly that effect, anyway.
One must also remember, you may not be the actual target. A perennial feature of superhero tales is the “secret identity” almost universally adopted, not to protect the superheroes who are capable of defending themselves, but those near them who are not capable at all. You may not be Aunt May or Lois Lane, but you almost assuredly lie on a path to information someone values.2
Many techniques to gain access to information, especially social engineering, rely on the actual targets doing something dumb like opening a file they should not have opened. Some people are so unbelievably credulous—or mentally incapable—that they will be taken in by the “recently inherited Prince, who is coming into millions of dollars,” but most will not. However, almost everyone will open files from the aunt they always liked, but maybe don’t hear from as much anymore. You probably wouldn’t send a virus on purpose on behalf of the KGB to your cousin who now works for the NSA, but if the KGB can log on to your email, they can send it for you. If the KGB is really smart, they can even read your old emails to make sure the email “you” send looks authentic.
Online security is a “commons,” where many people’s personal benefit to maintaining adequate security may seem lower than the cost, but unlike an actual commons this problem is self-resolving…in the long run. In the short term, while the intellectual startup cost of security may be a little higher than doing the same thing you have always done, it is not especially costly, and is certainly not hard. Even if you personally don’t derive that much benefit from good online security hygiene, do it for your kid in college, or your friend who’s worked all their life to build that business, or even do it for society in general. If none of those reasons is strong enough for you to get to better security, however, then as others who benefit improve their security, eventually you’ll be the easiest target around. Even if everything you have is only a little, there are always scumbags who are willing to take a little as long as it is easy, and it is still everything you have.
1 There is no evidence whatsoever that any such thing happened in 2016.
2 If you have ever played the parlor game “guess who got rich from our high school” or “I can’t believe he’s a congressman now” you are at risk.