We recently caught up with cybercrime investigator and dark web expert Cynthia Hetherington, CEO of Hetherington Group. She has led numerous cyber-intelligence investigations, working side-by-side with Fortune 500 companies, the FBI, and the Department of Defense; her firm has also taught almost 300,000 corporate security professionals how to gather evidence from the dark web.
We discussed the high-profile cyberstalking and corporate espionage cases she’s worked on during her career and how users can protect their identities, stay safe online, and clean up the data left in our clickstream, which she calls our “digital exhaust.” Here are edited and condensed excerpts of our conversation.
PCMag: I listened to a podcast in which you described how you got started in the private investigator world. After a graduate degree in library science, local law enforcement professionals in New Jersey asked you to guide them through the pre-browser world of alt.forensics listservs, via the Gopher protocol, and you made it into a career.
Cynthia Hetherington: [Laughs] Back then, in the early 90s, I was Google before Google existed. Being a librarian was the perfect civil service job; I should be retired now and living in some fancy gated community. But when those cops came in and asked me to show them how the internet worked, I quickly realized there was a future in this and haven’t looked back.
The digital culture back then was so great. I miss it.
Me too. There were just a handful of “cybercops” in the country at the time, and I immediately fell into their ranks as a private investigator and specialist in open source “intel.” We all had email accounts via The Well, which started in 1985. They’d ask me how TCP/IP worked and so on. Those cybercops are all still my friends — we refer to ourselves as “The Usual Suspects.”
So you’ve been a geek forever.
Definitely. It was such a different world back then. Everything was just starting. I remember being invited to talk about electronic crimes at the first High Intensity Drug Trafficking Area Program [HIDTA] because all the “letter agencies” (FBI, CIA, etc.) wanted to know what was really going on via the internet. In fact, I was a PCMag reader back when it was still in print form.
We salute you. You set up your firm, Hetherington Group, in 1999. Much of your work today is for Fortune 500 companies and the intelligence community, doing background checks, corporate espionage cases, and high-profile fraud investigations. But when did you first come across the dark web?
The dark web, focused on untraceable communications, crime, counter-terrorism, and human trafficking, has been around as long as the internet has. It was only when TV started covering it that it got “sexy.” But it’s a horrible place. I have a cop mentality, so I know how to compartmentalize. But once you’ve seen stuff, it’s hard to unsee it.
Google doesn’t yet trawl the dark web, and there’s no DNS system down there. You’re literally still typing in dotted quads to locate sites. In your Hetherington Group training sessions, what do you teach security professionals about the dark web and how to navigate it?
We offer a Dark Web Primer, where we go through what makes up the dark web and how criminals take advantage of its anonymous nature to profit in counterfeit products, stolen goods, child pornography, human trafficking, and other nefarious deeds. We teach people about the channels used to institute private communications, sales, and exchanges. By the end, they understand what to do and what not to do when entering the dark web and learn how to conduct investigations on the dark web, plus explore the gateway social media sources that lead to dark web sites.
For individuals, what’s the best course of action to clean up our digital exhaust: the possibly incriminating or at least unhelpful data we leave in our wake?
We provide a straightforward approach to the young professional in our opt-out online instructions. I wrote the very first version for local law enforcement officers who were working undercover in 1998, then updated it for people in the military whose families were being targeted by terrorists. We teach people that a good deal of the information found in online databases is generated by them and they need to be much more aware of what, how, when and why they’re sharing personal data.
We ask: “Are you, or your family members, regularly checking friends’ Facebook and Instagram updates from either a smartphone or a laptop?” “Is your wallet bulging with credit and/or debit cards and not dollars?” “Do your home phones and cell phones receive unsolicited offer/scam calls?” “Is your postal mailbox full of unsolicited offerings?” If any of these scenarios apply to you, you are oversharing your information.
- Look for the annual statement from your credit card company that discusses the opt-out options and act on them.
- Opt out of data vendors to remove yourself from standard consumer data services. Start here.
- Have all your postal mail sent to a United States Post Office Box or your office address.
- Unlist and unpublish your landline phone numbers; check with your mobile service company to find out if it sells its subscriber information and how to opt out of that list.
- Do not participate in DNA collection services (i.e. 23andMe, MyHeritage DNA, AncestryDNA).
- Stop sharing information and liking posts online in unnecessary scenarios.
The problem with data brokers isn’t just about the commodification and exploitation of ‘likes,’ is it? It’s much darker.
Right. We know social media sites are selling “likes” to data providers and farms, but data, at its most dangerous, allows ISIL [Islamic State of Iraq and the Levant] to farm from open sources the personal addresses of our military and threaten their families. Unfortunately, much of this information is shared willingly by us.
Do you have tape over your laptop and smartphone camera?
Yes, but it’s not tape. I have a very cool Michigan State Police on/off shutter.
A while ago, a friend of mine was about to be let go from their job after a long career. They weren’t digitally savvy, so everything personal — contacts, images, LinkedIn account permissions — was stored under their work accounts. They called me in a panic and I showed up with a couple of 512GB USBs. We started simultaneously downloading to those while uploading to a new Google Drive. What advice would you give to C-suite executives on managing their digital lives and storage while protecting their online reputations?
Well, firstly, I’m not a fan of the cloud. I suggest people do regular digital audits and store everything (bank account details, passwords, email accounts, complete backup) on a 2TB hard drive and put it in a fire safe. Then open up their wallet and take image captures (front and back) of all important cards and store those there, too. When we lose control of our data/identity, people don’t tend to act well. Everyone needs to be prepared.
You were asked to provide commentary on a public cyber harassment case and said, ‘I’ve watched every major public record vendor admit to a compromise in their data stores.’
Everyone in this country has had their information stolen. The criminals just haven’t used that information yet.
All Rights Reserved for S.C. Stuart