February 22, 2021

Privacy in Action: Sean Gallagher, Cyber Threat Researcher

Sean Gallagher, Cyber Threat Researcher

Sean Gallagher is a reporter and researcher with over 20 years of experience. He dedicated his life to researching cyber attacks. As the former IT editor and national security editor at Ars Technica, he covered the impact of technology on the world. Recently, he transferred those skills to a threat intelligence position with Sophos.

Many cyber threats put your privacy at risk. So we enjoyed our opportunity to hear his thoughts about digital privacy and how it’s at risk. You can follow him on Twitter @thepacketrat.

Interview with Sean Gallagher:

Startpage: What does privacy mean to you?

Sean Gallagher: Privacy means having control over information about yourself. We share information about ourselves every day, but much of it–things like financial and health data, relationship data, and things deeply connected to ourselves–should be protected, because they could be used to damage our livelihood, our finances, or reputation. Privacy is the human right to keep those things protected and to share them in confidence with those who need to know them, without the threat of disclosure. It also means being able to control the information gathered about us and opt out of activities or transactions that we don’t feel are in our best interest.

Startpage: We know Confidentiality is the first component of the CIA Triad. Is there a difference between confidentiality and privacy?

Sean Gallagher: Confidentiality is often seen as being synonymous with privacy, but it’s just a fragment of what privacy is. Confidentiality is focused on non-disclosure of specific information, whereas privacy is a larger concept. With health care data, for example, confidentiality would mean not being able to share the data at all, whereas privacy focuses on the controlled sharing of that data while preserving the individual’s rights. Privacy is about consensual disclosure, whereas confidentiality is about secrets. You’d never be able to make a credit card transaction if your credit card number was a secret, for example.

Startpage: How often is user privacy in danger in the cyber threats you research?

Sean Gallagher: Many of the threats we see to individuals are specifically aimed at individuals’ privacy. Malware frequently steals personal information, and we see a whole other class of cyber fraud that focuses on abusing the privacy of individuals for profit. And there are also scammers who use just the threat of privacy exposure–through things like “sextortion” emails, where the scammer claims to have hacked the web cam of the victim and caught them visiting a pornographic website–to extort money from their targets.

Startpage: What should all users know about digital privacy?

Sean Gallagher: There is no such thing as absolute digital privacy. But it’s important to take stock of the personal identifying information that can be used by someone to pose as you to gain access to financial and other critical information, or make transactions as you, and guard it accordingly. Make sure if you’re sharing any bit of information that it’s being shared with who you think you’re sharing it with–and that they’re using the appropriate amount of care. And use digital tools such as anti-malware software and spam filtering to reduce the risk of being targeted by a phishing attack or other scam trying to fraudulently obtain your information.

Startpage: What are some of the biggest misconceptions about cybersecurity in general?

Sean Gallagher: Most people don’t understand that cybercrime is a multi-billion dollar industry in itself, with ever-maturing business models and a collection of organizations that provide the infrastructure needed to run it. But it also attracts people with a wide range of skills, from novice up, who make hundreds or thousands of dollars on the fringes by selling fraudulent mobile apps, running technical support scams, and other confidence scams that most people would spot a mile a way in the physical world. Spam and fraud rings can do as much damage as some of the larger cybercrime operations without sophisticated hacks.

Also, organizations used to be able to assume that if they were hit with ransomware, their data wasn’t stolen. That’s never really been the case, but now ransomware operators use stolen data to extort payments–data that often contains customer or employee privacy data.

Startpage: What are some of the best things developers and network administrators can do to better protect the privacy of their users?

Sean Gallagher: Implementing multi-factor authentication, properly partitioning networks, regularly deploying security fixes as quickly as possible, and monitoring administrative access closely are all essential. But training users on how to handle privacy data and credentials is just as important–as is teaching them how to spot phishing attacks and other fraud attempts. Many of the attacks we see target Remote Desktop Protocol servers that are connected to the Internet without a virtual private network firewall in front of them–that’s a ticket to data loss or theft.

Privacy in Action is a series of interviews with privacy-minded Startpage users from diverse backgrounds. If you are interested in participating in the Privacy in Action or would like to nominate someone to be interviewed by us, reach out to us at privacyplease@startpage.com.

The views expressed in this Q&A are those of the interviewee and do not necessarily reflect those of Startpage.