Everyone’s information is available, and it doesn’t matter how rich, poor, or educated you are, Brett Johnson, a former cybercriminal dubbed the “Original Internet Godfather” by the US Secret Service, said during the Future of cybersecurity conference on Tuesday.
“Everyone’s information is available. There are people out there thinking ‘Hey, what can I do to make sure that a criminal can’t get my information?’ I’ll tell you right now that ship has sailed. Everyone’s information is readily available to them,” he said during a virtual conference organized by the Cyber News network.
Johnson, known as Gollumfun in the cyber world, was on the US most-wanted list in 2006, before being arrested for cybercrime and laundering $4 million. He’s considered a pioneer in online crime, responsible for the creation of ShadowCrew, the forerunner to the dark web.
He was caught in 2006, went to prison, ran away, and was caught again, getting charged for 39 felonies that cost him 7.5 years of his life. Currently, Johnson serves as a security advisor to Fortune 500 companies and is a regular speaker at security conferences.
Johnson claims that there were over 1,500 data breaches in 2020 alone, with 2.6 billion records compromised. The never-ending stream of data breaches, he said, should be an eye-opening moment, enabling people to realize that everyone’s data is on the dark web.
To prove his point, he showed the audience records, social security numbers, and other information of the former US President Donald J. Trump he bought online. Johnson claimed it cost him a mere $4. According to him, records of adults on average cost $30, and data of children is sold for as low as $2.
“Everyone’s information is available. It doesn’t matter who you are. We need to get to that point. We need to get to that realization, that understanding. Because once you understand and accept that, then you can ask what can I do to make sure that if a criminal does get it, he or she can’t use it,” he explained.
The 49-year-old cybercrime pioneer continued pointing to the way we use social media. As long as we post personal information, pictures, and anything personal on social media for thousands to read, there is no privacy since it’s naïve to assume that only friends have access to what we share.
According to Johnson, it all boils down to having ‘good custodians’ guarding the information because it is essential that information is collected, as proven by the attack on the US Capitol building at the start of the year.
“A lot of those people have been arrested because of the data that has been collected over the years on individuals, data that has not been used to target anybody. So, I think that what it boils down to is an understanding that there’s not really any privacy anymore,” he said.
Over his criminal career, Johnson scammed numerous people over the internet, selling non-existent services and products, making millions out of it. Extrapolating from his experience, Johnson pointed out that cybercriminals prey on society’s attitudes towards victims.
“We blame the victim. We call them stupid. When we do that, it actually causes the victim to alienate themselves from their basic support network of friends, family members, and associates. And they stop sharing information because they’re scared of being judged,” he explained.
He scoffed at the popular saying that “there’s no patch for human stupidity,” calling the term ‘cute’ and completely false. Put that way, the blame falls on the victim’s shoulders, whereas the critical problem is not human stupidity but rather tech-savvy attackers who understand human psychology enough to manipulate it.
“Attackers want you to give up one of four things: information, access, data, or cash. That’s what it is, and it has nothing to do with human stupidity. Not a thing,” Johnson explained.
‘Not a rocket science’
It doesn’t take a rocket scientist to carry out cybercrimes, and the same can be said about protecting against them. For example, surveys show that 80% of people use the same password for multiple online accounts. According to Johnson, most of us should start here to reduce the threat of easily avoidable crimes such as credential stuffing.
“So, that’s why I say right now. The answer is to use a password manager. I don’t care which one it is. Just use one. It takes all of that out of your hands,” he said.
Johnson, who on numerous occasions stated that identity theft is not taken seriously enough, urged users to understand their place in the cybercrime spectrum and to design security around potential threats. He reasoned that all groups of people are targeted, but a CEO and an employee will face different threats and tactics to steal what’s valuable to them.
“Think of a criminal as having a toolbox. And in this toolbox, he has a variety of tools he can use to attack you. He will pick the tool best suited for the job at hand, and you need to have a toolbox as well with a variety of tools in order to protect yourself or your organization from those types of attacks,” Johnson explained.
His crucial advice – ‘trust, but verify’. As it is impossible to function without trust in people, we are forced to learn to trust. However, Johnson explains, we should always try to verify whether what we hear and see is the truth.
“We cannot live our lives afraid. I like to trust people, even as a former criminal. But do not trust without verifying. That’s news, that’s phone calls coming across, that’s if you own a business. Trust, but verify,” he said.