How I Landed on an ISIS Hit List

One morning a few weeks ago three New York City policemen came to my door.  Not ordinary officers, but members of the Counter Terrorism Task Force, working with the FBI.  They wanted me to know that my name and address had just appeared on an ISIS hit list of 3,600 New Yorkers, released on a messaging app under the tag We Want Them #Dead.

Great way to start the day.  However, the officers were quick to say that the FBI didn’t think this was a serious threat--there wasn’t a clear pattern to the names on the list, and some of the information was quite out-of-date. Of course, one said, handing me his card, if you see anything unusual, give us a call. But it appeared to be almost random New York names and addresses picked up from somewhere on the Internet. 

Random?  I asked to see some pages from the list.  By far the most names were from my borough, Brooklyn.  Then I recognized a few neighbors and immediately suspected what had happened. 

Brooklyn may be the world center of worthy causes.  Universal pre-K, ban plastic bags, widen the bicycle lanes--you name it, and we have a group for it.  I’m partial to a worthy cause once in a while, and so are some of my more activist neighbors.  We sign petitions, donate, end up on mailing lists... and in databases.

Many of the worthy causes sooner or later win (or lose) their battles, run out of money, or just fade away.  But sometimes their Internet databases live on, perhaps tended by a volunteer with limited time, perhaps not tended at all.

Aging database software is easy prey for even low-skilled hackers.  I suspect that somewhere among the defunct worthy causes is where ISIS collected their list.  Why did they even bother?  As a kind of psychological warfare, perhaps, as well as a way to get publicity and waste some U.S. law enforcement time. 

But there’s a larger issue here.  For my audiences, Internet security is at the top of everyone’s mind.  Many fear, from the stories they’ve read, that real online security is impossible.  I remind them that most of the big, notorious computer hacks we read about actually used very simple techniques--more often than not, exploiting human fallibility rather than esoteric technology.  Those human foibles range from clicking on links in unknown emails to, well, leaving a database abandoned online. 

The solution is broader than just trying to educate employees; by then it's probably already too late. We need education that starts in elementary school.  We teach kids how to cross the street safely, and that if they leave their bike far from home, sooner or later it’s going to disappear.  It becomes what we call "common sense."  Online security awareness should also be taught from an early age--so that leaving a database of names and addresses untended on the Internet is as unthinkable as leaving for vacation with your front door open.