D.C. Council Member Mary Cheh (D-Ward 3) and Arlington County Board Member Walter Tejada (D) join the Politics Hour crew in the studio.
Has your computer been hijacked by hackers and linked to a giant botnet — without your knowledge? Are you downloading apps you know little about — and unwittingly compromising your mobile phone? Threats to personal cybersecurity have never been greater, with a vast underground world of young hackers attacking people’s devices out of malice or just for kicks. Tech Tuesday examines the perils of being connected and answers your questions about how to stay safe online.
- Brian Krebs Investigative Reporter; author of KrebsOnSecurity.com
- Wayne Rash Senior Columnist and Washington Bureau Chief, eWEEK
Free Security Awareness Poster – You Are A Target
MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. Has your computer been hijacked and linked to a giant spamming network without your knowledge? Are you downloading apps you don't know much about and unwittingly compromising your cellphone? Do you click on links on Facebook and Twitter that open your device to malware?
MR. KOJO NNAMDIThreats to personal cybersecurity have never been greater because cyber criminals are increasingly prevalent and devious, and they're not just after your money or your identity. They may hijack your computer and link it to a network that lets them monetize your computer for their gain. And the worst part is you don't even know your computer has been hacked. So what should you do to keep your devices secure, this Tech Tuesday, we'll explain how to protect yourself from malware and botnets and answer your questions about how to stay safe online.
MR. KOJO NNAMDIYou can ask those questions at 800-433-8850, send us a tweet, @kojoshow, using the #TechTuesday, email to email@example.com, or simply go to our website, kojoshow.org, and join the conversation there. Joining us in studio is Wayne Rash, senior columnist and Washington bureau chief for eWEEK. Wayne, good to see you again.
MR. WAYNE RASHIt's nice to be back again, Kojo.
NNAMDIAlso in studio with us is Brian Krebs, investigative reporter and author of KrebsOnSecurity.com. Brian, good to see you again.
MR. BRIAN KREBSHey, thanks for taking having me back, Kojo.
NNAMDIAs I said, 800-433-8850 is the number. Brian, it seems like there's a booming on the world of young hackers with powerful new tools to hijack personal computers, sometimes to install malware and control the computer remotely and sometimes, well, just for fun. Can you describe these cyber evil doers?
KREBSSure, sure. You're right. There's a huge underground economy here, and it's sort of a big sandbox for people who are involved in taking over people's identities and computers. And that sandbox is a big place, right. They're constantly welcoming in new members.
KREBSThese are the guys that really don't know much, and they're turning to the senior members for help and, in a lot of cases, you know, turnkey systems that let them get up and running without actually really even knowing what they're doing. They can set up a botnet. They can set up a huge criminal operation. Have somebody do it for them, then figure out how it works after the fact.
NNAMDIBack in the days, we would say hacking used to be the domain of brilliant coders, but you seem to be suggesting that these days just about anyone can be a hacker because you can either access or buy tools online that do most of the work for you.
KREBSAbsolutely. We've never had so many cyber criminal services available to the least sophisticated hacker out there. And what -- for example, places where you can pay a couple of bucks and pull anybody's credit report, pay a couple of dollars and get anybody's Social Security number, mother's maiden name, all the keys to their identity. Pay a couple of bucks and you're up and running with a giant crime machine that lets you spam the world. It is really not that difficult anymore.
NNAMDIWayne, we used to hear a lot about computer viruses, but now, malware seems to be the bigger threat. What is malware, and how does it get into my computer?
RASHWell, malware is just what it seems to be by the name. It's bad stuff. It is software that gets into your computer in some fashion, and it tries to do, well, whatever -- whoever put it there wants it to do. Most malware these days either attempts to get private information from your computer because it's usually for banking or something or it's there to take over your computer to use it as part of a botnet.
RASHThere's people who used to do computer viruses just for grins and giggles, don't really do that anymore. It's much more profitable to create what a friend of mine, Eugene Kaspersky, once called crimeware. And when I was having lunch with him in Moscow a few years ago and he predicted precisely this scenario. The fact is, is that people now don't even have to be hackers to get your computer available to their command. They can simply hire a hacker and rent space on a botnet and have somebody attack. It's as simple as that.
NNAMDIExplain, Brian, what a botnet is and how hackers use them to sneak onto people's computers, link them to a giant network and use that network of hijacked computers to send spam or to launch attacks.
KREBSSure. Well, a botnet at its most simple is just a collection of hacked PCs that the bad guy controls remotely to do whatever he wants it to do. It might be, you know, it might be some computational task. It might be sending spam. It might just be to Hoover up all the stored passwords on the infected machines. The most common way that a system will be incorporated into a botnet is they're browsing the Web, they are browsing the Web with some outdated browser plug-ins, like Java or Flash or Reader or something like that, and they stumble on a hacked or malicious site that takes advantage of that vulnerability to silently install malicious software in their system.
NNAMDIWhat's the best way to protect against malware?
RASHHave some software on your computer that detects it when it gets in there and gets rid of it if it is there.
NNAMDI800-433-8850. Have you ever had malware on your computer that you know of? How did you deal with it? You can also send us email to firstname.lastname@example.org. There are callers with questions related to things that both of you already discussed. I'll start with Anne in Washington, D.C. Anne, you're on the air. Go ahead, please.
ANNEIs it safe to use Java again?
NNAMDISimply stated, Wayne Rash.
RASHIt's -- OK, first of all, if you get Java that's really up to date, meaning go to Java.com and download the current version and then turn it on when you need it because you go to a website that requires it and then you turn it off again when you don't need it, then it's safe.
KREBSI think, just a word of caution there. Every time I look around -- and I spend a lot of time in the underground where places where people buy and sell what they call zero-days. These are unknown vulnerabilities, vulnerabilities that the makers of the softwares don't even know about. It's really hard to find the time when a zero-day isn't for sale in Java. I think this is a very, very powerful -- it's a huge target because it's very powerful, and it's widely installed.
KREBSBut I find a majority of people just don't need this program. And if you have an application or something that requires Java, one of the things I've tried to get people to do is, hey, you know, either use a two-browser approach, which is you have a secondary browser that you only use for those sites that require Java and then keep it unplugged from the browser you use to browse the Web.
KREBSThat's one approach. There's another approach that I've outlined in my blog called click to play, which is really -- a really great approach. It basically says, you know, you go to a website, right, and the site wants to load all these videos and ads and stuff, and it takes forever. Click to play just says, hang on a second, you don't get to load all that stuff unless I click the little box that you're in, and that's a much safer approach than leaving Java turned on.
RASHAnd you don't want to just leave it turned on on your computer and have it on all the time. It's -- that is dangerous.
NNAMDIGot that, Anne?
ANNEGreat. Absolutely. Thanks so much.
NNAMDIThank you very much for your call.
NNAMDIWayne, how do anti-virus programs protect a computer against malware?
RASHThey do a number of things. They, first of all, look for specific signatures of known malware and either block them from coming into your computer or if they find that they're somehow there already, they get rid of them. They also look for specific types of activity that is typically carried out by malware and then try to identify what that activity is, what piece of software is doing it, and then eliminate it.
NNAMDIIs there a certain brand or certain features of anti-virus programs that we should look for in anti-virus security software?
KREBSYeah. I'm probably not the best person to ask about that because I sort of take the view that, you know, it's just good to have something on your system at this point. They all do about the same performance-wise, you know, unless we're talking about businesses that have very specific needs for these things. Consumers should just get something on their system.
RASHAny of the major manufacturers, Symantec, which has the Norton series, MacAfee, Kaspersky, there's a free program called Avast, all of these work, and they all work fairly well.
NNAMDIHere is Ellen in Washington, D.C. Ellen, your turn.
ELLENIn your opinion, a virus or a program for the Mac and Apple products. When I bought one, I was told I didn't need to add additional software.
NNAMDIKnow anything about that.
RASHYes. You absolutely, if you have a Mac, need anti-virus software. One of the most popular areas of infection these days is Macintoshes because so many of them are unprotected. And malware from Macintosh is out there. I read a study recently that said something like one-third of all Macintoshes are already infected with malware.
NNAMDIThat's because in the past there was the notion that because people were...
NNAMDI...attacking more Windows.
RASHThey were attacking Windows machine because of the market share. If 95 percent of all machines are Windows machines, that's where you go. But now that Apple has done two things. One of which is it's become unpopular amongst hackers because of basically it's a social thing and also because there are more of them. It's now become much more popular to provide attacks and because of the fact that it's so much easier to break into them.
KREBSYeah. If I could just add something...
NNAMDISure. Please, Brian.
KREBS...Kojo, I think Gartner just came out with a study saying that they believe this year Apple will ship more computers running iOS than Microsoft will Windows. And I think that's important to note whether or not it comes true. It's probably going to get pretty close.
KREBSThe other thing I'd mention is just to echo Wayne's point I mean there have been -- last year, we had a thing called the flashback worm that came out, and it took Mac systems by storm. It infected about 650,000 systems and in a fairly short period of time. And by the way, it did so via Java vulnerability, which Mac users also have to be concerned about.
NNAMDIThank you very much for your call, Ellen. Brian, is there anyway to tell if your computer has malware installed on it? Does it slow down the computer or show up anywhere else?
KREBSThis is a really good question is, one that I get a lot. It used to be the case when you would -- when your computer get infected, you'll have these pop-ups and things would annoy you and everything. And it's kind of obvious that the system was infected. These days, you tend to have systems that are being sold out there that are like mini super computers. You know, they've got super fast processors.
KREBSThey've got a ton of memory of them. And the malware can very happily co-exist with whatever else you've got on your system, and, in fact, the bad guys have gotten so clever about this, they -- a lot of the malware out there will go and uninstall other malware that may be on your machine before it installs itself because it doesn't want that competition. It doesn't want to be discovered.
KREBSSo if you can -- if you find a whole bunch of things that are annoying and popping up and you can't explain it, consider yourself lucky that you have those symptoms because you know there's something wrong. That's why it's so important for people to not let their computers get infected in the first place because it's really hard these days to tell if your system is infected, and it's even harder to get it uninfected.
RASHHowever, you can go to some of the major security sites and have your machines scanned for malware, and that will work with either Macintosh or Windows machines, and they will do it for free.
NNAMDIHere's Diane in Laurel, Md. Diane, you're on the air. Go ahead, please.
DIANEThank you. I wanted to ask you. Last year, I had one of those little viruses that was attacking the Microsoft Windows saying I needed to update my Windows, Macintosh stuff, and, of course, I knew I didn't. But -- and I didn't open it, but I kind of got stuck with it. And I had software I had installed called VIPRE, and that thing went in there and took care of that in flat. And I was just wondering what you thought about that because that's really -- for me and my use has been the best antivirus stuff that I've used thus far.
RASHI have not used VIPRE. I've hear of it. But I don't know much about it.
KREBSI think it's a product from Sunbelt Software, and it does have some pretty interesting and advanced -- or at least it did when it came out. hips -- what they call hips -- is host-based intrusion protection system, and it tries to detect funky behavior on the system, So -- but that experience you described is extremely common type of malicious software threat.
KREBSIt's called scareware, and it just tries to scare you into thinking your machine is so infected that you need to download their malware. essentially that masquerades as a security software. And then they make you pay for it. And, you know, you can't use your system until you do. So that's -- that's the one on there.
NNAMDIDiane, thank you very much for your call. We're going to take a short break. When we come back, we will continue this Tech Tuesday conversation on personal cybersecurity. You can join it by calling 800-433-8850. Send us a tweet, @kojoshow, using the #TechTuesday, or email to email@example.com. I'm Kojo Nnamdi.
NNAMDIWelcome back. It's a Tech Tuesday conversation on personal cybersecurity with Brian Krebs. He's an investigative reporter and author of KrebsOnSecurity.com. Wayne Rash is senior columnist and Washington Bureau chief of eWEEK. You can call us, 800-433-8850. I see a number of you already have.
NNAMDIThe lines are getting tied up pretty quickly, so you may want to send email to firstname.lastname@example.org or send us a tweet, @kojoshow. Cyberattacks used to be more random, Wayne. But now, they're often targeted to individuals. How can hackers gain access to corporate networks through the home computers of those corporations' employees?
RASHWell, a lot of people work from home. And there are many home computers that people use to call into their office computer that are not properly secured. And not every IT department is particularly good about making sure that the computers that call into their systems are properly secured. So what happens, somebody calls in, want to check their email, they want to go do some work.
RASHThey want to download document they're working on Reddit instead of watching of television or having dinner with the family or something. And then they load it back up. And while it's in their computer, it's infected with malware. They put it back on their corporate system. And then it's -- they're on the corporate network for someone else to open up or someone else to get access to and then spread it within the corporate network.
NNAMDIAnything to add to that, Brian?
KREBSYeah. So a lot of companies are struggling with how do they accommodate all the digital devices of people want to use to do their work, right? They don't want to discourage people from working from home. I mean, you know, they want them working all the time thinking about their job and everything. So they don't want to discourage people from using their iPad or their Android device or whatever it is that they want to do.
KREBSAnd so a lot of companies they just going to throw up their hands and said, ah, we just can't, you know, we can't issue these people computers anymore. We just have to expect them to do, you know, come to work with whatever it is they want to -- if they want to work in a work computer, that's great. If they want to bring your own computer, that's great. What you have is a lot of people bringing in stuff that may or may not be secure.
KREBSThat's one way that these things get into a corporate systems, then another is just through the browser. The browser is the most common way that malware gets in anywhere. And, you know, if you got an average workplace, got a 100, you know, 100 -- 200 desktops, they all got browsers, that's a pretty rich environment.
NNAMDIOn to the telephones again. Here is Scott in Takoma Park, Md. Hi, Scott.
SCOTTHello. Thank you very much. Big fan of the program. Thank you for taking my call. Actually, when I first called in, I had one particular question. While I was -- hold, you made another comment, so I've actually got two questions. The one question is you talk most of the security software pretty much all being, you know, quite effective. My question is it's not really related to the security.
SCOTTBut personally, I happen to use Iolo System Mechanic, and I found it very effective as a protection system. But it also has these features that allow you to basically optimize the computer while you're working on it. And I'm wondering if you think those sorts of features of these programs are at all useful.
RASHI did a product review of Iolo System Mechanic. And one of the computers upon which I ran it, it managed to completely erase the partition on which it was installed -- uninstalling Windows in the process and erasing all of the data that was on that partition. I'm not a person who would particularly recommend that one. And when we ran the review of it, we suggested there might be other products that you might want to use.
SCOTTDo you have any particular recommendations of a similar thing? I began using it a number of years ago on the advice of a friend who actually is a programmer. As I said, it was a number of years ago.
RASHOK. Well, he probably didn't have the experience that we did when we tested it in the lab and had it on one of the computers, decide to erase everything. But a number of companies, including Symantec, makes similar products.
KREBSYeah. I just want to put my two cents in here. I don't have much to say about the product you mentioned, Scott. But, you know, I do want to sort of take issue with something you said, and that is that I think any virus and security software is effective. I would never say something like that.
KREBSIn fact, I'd like to try to steer the conversation a little more toward ways that you can protect your system and protect yourself and your identity that don't involve relying on automated tools because what we're seeing over and over again is these tools really aren't up to snuff. They're not, you know, they're not protecting people enough.
RASHThey're not a magic bullet.
NNAMDIScott, you had another question?
SCOTTYeah. The other question was you happen to mention being able to go to various software vendor sites to have them and your computer for malware and things. Is that really the best way and most efficient way to do it as opposed to relying on what is actually in your current version of protection software?
RASHWell, the answer to both questions is no. The best way to do it is follow good practices and avoid getting it the first place. However, you should still have some sort of anti-malware software on your computer for those situations in which you didn't see it coming. I would not recommend running a computer without some kind of protection on it and then rely on the free scans that you can get from the companies. That to me is a good way to be in a lot of trouble in a big hurry.
NNAMDIScott, thank you very much for your call. Brian, last month, you were the victim of a denial-of-service attack, it's my understanding. What is that, and what happened?
KREBSRight. So it's called also DDoS, distributed denial of service. It's a bunch of -- usually, it's a bunch of hacked computers that are made to throw a bunch of junk traffic at a target online just to knock of them offline. In this case, the miscreants used a commercial service that -- and again, we're going back to the services that are out there that you can pay with, you know, pay for with a PayPal account, for crying out loud.
KREBSAnd basically, it's a commercial service you go. Just point and tell what to attack, and, you know, it'll knock it offline. And they're surprisingly effective, at least for short periods of time. So that's what happened there.
NNAMDIYou are -- go ahead, Wayne.
RASHI was going to say and there's not necessary a lot you can do to protect yourself against getting knocked off because what happens is they frequently will still be overwhelmed Internet connection, and you may not actually be affected yourself. It's just that nobody can see you.
NNAMDIBrian, you are also apparently the victim of a so-called attack where hackers use your phone number to call 911 and report a crime that brings a police SWAT team to your front door. What happened to you, and how common are these attacks?
KREBSYeah. So this was a pretty terrifying incident. Thankfully, I had, you know, I had warned the police six months in advance. I said, you know, I write about some pretty unsavory characters who like to do these kinds of things just for giggles, you know, send a deadly police force armed to the teeth to your front door. It sounds kind of funny, but it's really not. It's very dangerous, and that's what they did. So, unfortunately, this is very, very -- this is becoming more common. I wouldn't say it's very common at this point.
KREBSI think it's powered by a lot of younger kids, unfortunately. I do believe it is a number of younger kids that are involved doing this. And they feel like there's a relative anonymity that they can get away with this. I think we've just seen in the last three days another two more high-profile celebrities -- don't ask me to name them. But if you look on TMZ or somewhere else, you could see them. It is a big problem. Every time they do this, one of these swatting -- fake swatting calls, it costs about $10,000, and it endangers people's lives.
NNAMDII read about your attack, and the fact that you're speaking about it in this calm manner, I guess, belies the fact that it can be a very terrifying experience, especially in the early stages, isn't it?
KREBSWell, it is. I happened to be just cleaning up around the house when this happened.
KREBSI'm going out to -- pulling some tape off the door, and I have this giant tape ball in my hand. And I happen to look up, and policemen saying, you know, get your hands up. And I'm looking up, and I'm seeing these assault rifles planted on my face.
KREBSAnd I'm thinking, oh, Lord, you know, what if they think I've got a bomb in my hand, you know?
KREBSIf I make a misstep or I -- they had to ask me to walk down the stairs backwards with my hands up. What if I fall down? You know, are they going to shoot me? So it's very real.
NNAMDIOn to the telephones. Here is John in Crownsville, Md. John, you're on the air. Go ahead, please.
JOHNHi. Good morning. I have a question that relates to Facebook. In my -- I have (unintelligible) an Apple AirPort Network, and I play it on Mac computers. And I occasionally receive emails from people who could only be known to me through my Facebook page. That's the only database where they reside. And so I received emails on my dot Mac Mail from these people, and oftentimes, they'll contain links. I don't open these emails often, but occasionally I do.
JOHNAnd these links often go to, you know, a product demonstration for some kind of diet product or something like that. So my questions are, you know, how do these people with Facebook, one, get my name and email address, and how do they -- you know, what's their intent? And are they just interested in selling something, or could they also be, you know, dumping malware onto my network or my computer?
RASHThe answer is yes. They're getting your address somewhere on Facebook. So you need to check your privacy settings. As far as what's on these emails, I get these, too. I tend to look at them on my Blackberry and look and see what's in there before. I don't want it on my computer. And when I see nothing but a link in there, then I just erase it on site. I don't ever bother to go to these things.
RASHWhether they've got malware or whether they're trying to sell you a diet supplement, I have no idea. I don't want to find out, and I'm perfectly happy to erase without ever looking. Generally, the way that you tell they are is they're -- mine always come from somebody I know and I have frequent communications on Facebook with, and they always say something like, hey, Wayne.
NNAMDIYes, that right.
RASHAnd, you know, now, if they come to you, they probably aren't going to say, hey, Wayne. But...
NNAMDIThey say, hey, Kojo.
RASHThey might say -- that's right. You might get yours saying, hey, Kojo. But that's almost always a giveaway. It was like when the I love you virus first came out. You know, I'm a newspaper -- at the time, I was a newspaper/magazine editor. I still am, and, let's face it, nobody loves us.
KREBS1999, when was that?
KREBSOh, my gosh.
RASHNobody loves us, and nobody loves us 100 times.
KREBSYes. You're not that little snowflake.
NNAMDIJohn, thank you very much for your call. Wayne, we may live in an online world where we have a password for everything. It used to be that the best password had a mix of letters and symbols. But now, apparently, longer is better. Why has length replaced complexity as the key to a secure password?
RASHBecause there's nothing secret about complexity. You know, there's a certain number of characters available that a computer can generate. It doesn't take it very hard to go through all of them for each place in your password. So if you have a very complicated five-letter password, it's still only a five-letter password.
RASHThere's still only about 40 characters that can occupy that particular position in your password, and it doesn't take any time at all to try each one of them in every combination. But if you have a 32-digit or even an eight or 12 or whatever character password, it takes that much longer to do it, and it may take long enough that it's not worth it for the bad guys.
RASHAnd it really -- you don't want to use words that are commonly available and easy to guess, but one good way to do it is to create a sentence, something like -- oh, I know. Here's one you shouldn't use, happy birthday to you, happy birthday to you. And then just take the first letter of each word and use that for your password along with a couple of numbers. But you don't want to use that one because that one is one that everybody uses.
NNAMDIWell, what are your favorite novels, some people say, and take the first sentence and take a first letter of every word and make that your password.
RASHYeah, you can do that. And then try to not use the same password for every system. Use...
NNAMDIAnd try not to use "Moby-Dick" as your favorite novel.
RASHNo. But maybe "Call me Ishmael" might work.
NNAMDIExactly. Any suggestions along that line, Brian?
KREBSYeah. No. I would just echo what Wayne said about past phrases. We have a tendency to think of, you know, words. But it can be a string of words, which I think is a really good idea, or the first or the second letter of each word in a sentence that you can remember. There the rub though, right, I mean, is being able to remember all of these passwords.
KREBSAnd I think for most people, it's important to remember, if they're going to remember something about passwords, it's just the general rules about passwords which is longer is generally better. And never ever reuse the password you use for your email or anything that's important at another site because what happens, of course, is when that site gets hacked, you register with -- what -- your email.
KREBSAnd if you provide them with your password and that site gets hacked, they have that database. First thing they do is rundown all the Hotmail and Gmails and all the passwords they have for those and see how many of them work. And you'd be surprised how many of them do.
NNAMDIBack to the telephones. Here's Brian in Baltimore, Md. Brian, you're on the air. Go ahead, please.
BRIANHi, Kojo, and the group there. Thanks a lot for the show. I think it's very informative. I'm a big fan. My question is related to malware that gets spread around and scares people into trying to put their credit card numbers in. I've been a victim of this a couple of times. And I've helped family members who have gotten things like this on their computers as well.
BRIANAnd what I always think about as I'm spending usually hours on a beautiful Saturday afternoon trying to clean these systems off is I wish I could get my hands around the neck of the person that wrote the software. So what I'm wondering is, how often at all, if any, do these people ever actually get caught to do this? And is there any kind of legislation written, you know, providing in penalties and you know, jail terms or fines or whatever for this kind of behavior? So do people ever get caught, and if so, what happens to them?
KREBSSure. People do get caught for this cyber thing, specifically the fake anti-virus. I think the FTC and then the FBI last year piled on to a case where they went after some folks who were intimately involved in spreading a lot of this stuff and made gajillion dollars doing it. And I think they fined them a gajillion dollars. And one of them, I think, is still on the lam, and I think they put one of them in prison. I'm not entirely certain about that. But they do get caught every once in a while.
KREBSThe issue here is that you're dealing with a lot of diverse systems that working in tangent. I mentioned earlier, there are a lot of source, you know, sort of services that outsource things. Well, there's an industry that makes this fake anti-virus software. They design fake anti-virus software. There's an industry around getting credit card processing for fake anti-virus software.
KREBSThere's an industry around customer service for fake anti-virus software. So there are a lot of components and a lot of people making money off of this. Occasionally, they get taken down. More often than not, they're located in countries where this is not a huge priority for them, or they don't have laws on the books that address it.
RASHAnd they don't have any treaties with the Unites States that allow us to go in and then arrest them. These are people in, like, Eastern Europe, people in countries in the third world, things like that, who happen to be good at this. And it's -- they may have -- we may have laws in the United States, which we do, but going after them, it's impossible because they're not here.
NNAMDIBrian, thank you very much for your call. We do have a number of questions about the password issue. An email we got, someone who says, "What is the rationale behind regularly changing passwords? Is it assumed that users will compromise their own passwords or that we're constantly bombarded by elements that will eventually compromise our passwords if we don't change them?"
RASHWell, you know, there's some discussion about whether the regular changing of passwords is actually necessary or not, if you picked a good one in the first place. There are studies that show that it's a good idea anyway because you may compromise your own password, or somebody may eventually compromise it by continuing to try it again and again and again. And then again there's also the theory that if you've got a good, very difficult to crack password, then as long as you remember it, keep it. It's not clear that either one of those is necessarily figured out.
KREBSYeah. I think it's kind of an artifact of corporation -- you know, corporate security, right? You know, many companies require their users to change their passwords every 90 days or 120 days or something like that. It's not a bad idea. Particularly if you're on a machine that suffered a compromise or some sort, I would say it's an excellent idea to change the passwords that you care about.
KREBSYou know, I've seen cases where, you know, a small business loses a quarter of a million dollars 'cause they got a virus infection, and they got that virus infection many months before. And the bad guy stole that password, and, guess what, they never changed the password. And months down the road, they had money cleaned out of their account. Well, guess what, if they had changed their password...
NNAMDIIt wouldn't have happened. We got this email from Leonardo. "How secure are so-called ID and password safes that are included with security software products from Symantec and others? How secure are the password safes included in browsers, and how do they differ from those included in security software packages?"
KREBSGood question. So just -- I'll take a stab at the browser issue. I don't, and I don't recommend storing passwords in the browser, at least passwords for things that you care about that are -- that offer a gateway to your sensitive information. I don't think that that's a good idea. The first thing that most of the software will do once it gets on your system is yank out those stored passwords, and they know how to do that very well.
KREBSSome of the password storage software options out there, I think -- like KeePass, RoboForm, LastPass -- are actually quite good. They will use custom encryption and store your passwords on your system so that even if the bad guys managed to compromise your machine, unless they can get access to the master password that you use to unlock that password file, you know, they're -- you're in pretty good shape. The trick is, again, keeping your system from getting infected in the first place.
NNAMDIAnd, finally, on passwords, Steve in Washington, D.C. Steve, you're on the air. Go ahead, please.
STEVEI had a stupid question, but with passwords. Why can't you just have something in the computer that says I only accept a password attempt once every 20 to 30 seconds? More than one attempt in that time, I lock you out after three tries that you've failed, so that even if you do attempt to get into a password, you know, one attempt every 20 to 30 seconds, three tries are out, hell, it could take decades for somebody to try and figure out what it is.
KREBSYeah. And some software and websites actually do that. I mean, I will venture to...
NNAMDIMm hmm. I've experienced that.
KREBS...say that your bank probably has some velocity check. They call it velocity checking. You know, you can set your operating system, I think, to do that if you want. Third-party software, not so much, and not a lot of non-bank websites or non-insurance websites will do that.
RASHYeah, a lot of -- most financial services websites have some kind of variation of that. And if you do like I do and you forgot and you put the wrong one in a couple of times, well, you're going to find out you're going to have to call your wife and have her get into her password because you forgot. You already got yourself locked out.
KREBSI should note that most of the cybercrime forums where they sell a lot of the malware out there do have this feature.
NNAMDISteve, thank you very much for your call. We're going to take another short break. If you have called, stay on the line. If you haven't yet and you have a question or a comment, do you look into where apps come from before you download them? That's going to be a part of our conversation coming up. 800-433-8850. How secure is your mobile phone? You can send us a tweet, @kojoshow, using the #TechTuesday, or send us an email to email@example.com. I'm Kojo Nnamdi.
NNAMDIWelcome back to our conversation on personal cybersecurity. We're talking with Wayne Rash. He is senior columnist and Washington bureau chief at eWEEK. And Brian Krebs is an investigative reporter and author of KrebsOnSecurity.com. What's the name of your blog, Brian?
NNAMDIYou mentioned something else that you also host.
KREBSNo, that's pretty much me. I mean, that's where I maintain a presence 24/7.
NNAMDIFor some reason or the other, I thought you mentioned something else. Talk about cyber threats to our mobile phones, Brian. A lot of us download apps we don't know much about just because they seem like fun or click on links people post on Facebook or Twitter. Is that dangerous?
KREBSSo, you know, on many levels, what's going on with the mobile security depends on the platform you're using. Apple, for example, has a very closed platform -- that is, they vet all the third-party programs that can run on the device, just to make sure that they're not doing nasty things. If you don't have an Apple phone, chances are you're running a mobile device powered by Android, which is a very open platform by comparison. And as a result, we've just seen an explosion of malicious apps out there, thousands or more per month, new ones.
KREBSAnd in many ways -- it's kind of interesting because, in many ways, the Android apps are a tiny bit more transparent. They'll actually tell you, before you install them, hey, this app is going to have the ability to send and read your text messages or rifle through your contacts or track everybody, you know, track your every move, whereas on Apple's platform, it's not often as clear what the apps may or may not be doing. But as it relates to Android devices, far too many people don't even take a second to read these warnings, and that can lead to trouble.
NNAMDIWayne, what's the best way to be sure your mobile device is secure, this by way of introducing us to your new BlackBerry Z10?
RASHWhy, yes, Kojo, I do have a BlackBerry Z10, which I'm now holding up and showing you.
RASHAnd if the people at home and in the cars want to stare at their...
NNAMDIWayne, all of that show and tell, yes.
RASH...stare at their radios, maybe they'll see it.
KREBSNow we're there.
RASHBasically, securing your mobile device depends on two things, one of which is where you get your apps. Android has the ability to download apps from non-App Store locations, which means anywhere. Plus, Google has not done the best job in the world of vetting their apps. So they have downloaded -- I should say allowed people to download apps from their apps store that contain a malware.
RASHThe other major mobile platforms -- Windows, Apple and BlackBerry -- do vet their apps, and they don't let malware in. The Windows app store, which if you have a Surface or you have a Windows phone, is the only place you can get apps. Apple is the same way. That's the only place you can get apps. And BlackBerry 10, it's also the only place you can get apps, is from their apps store. They have supposedly vetted everything to make sure there's no malware.
KREBSUnless you jailbreak your phone.
RASHUnless you jailbreak your phone and then you start getting apps in from someplace else. But the other way -- this is something that nobody thinks about -- is most of these phones have an operational browser. And when you go to a browser, you have exactly the same kind of risks you have everything else that's kind of browser. And if you're running Java on your phone, you can get infected with a Java infection there too. The problem with Java is it's a cross-platform device.
RASHAnd some of these types of malware only run on Java, and they will stay there until you turn off your phone. And when you turn your phone off, of course, everything goes, and it doesn't save itself anywhere. But when you turn it back on and go back to that site again, you can download it. With Android, there's a bigger problem, and there is actually anti-virus software out there for Android just like the risk for PCs and Macintoshes.
NNAMDIOnline banking is very convenient, but it still makes some people nervous. Why is it best to access your bank account from home through a Comcast or files connection rather than using the free Wi-Fi at Starbucks? And what precautions do you recommend?
RASHNever ever, under any circumstances, no matter what you do, use the free Wi-Fi at Starbucks or Panera or McDonald's or any number of other places where there is Wi-Fi with no password because it's unencrypted. Somebody can sit there...
KREBSWell, they will use it to get on your banking.
RASHThey'll use it for anything.
NNAMDIOh, come on. Come on. That's why half the people even go to Starbucks.
RASHIt's unencrypted. If you don't have your settings right on your computer, you don't have your firewall set right that's on your computer, people can actually access your computer while you're sitting there trying to use it. They...
NNAMDIEspecially don't use it for banking.
RASHDefinitely don't use it for banking or any other financial transaction that requires anything involving money.
KREBSI think it's -- if you don't control the network, you don't control the network. And if you don't control the computer, you don't control the computers, just like you wouldn't go to random guy's house and use his computer to get on your bank account hopefully. You -- it's probably best to wait until you're on a network that you can vouch for before you do that stuff.
RASHYes. Don't -- just don't it. Plus there's another type of security problem called the man-in-the-middle attack where somebody pretends to be that particular location's Wi-Fi access point, and you connect to that rather than connecting to the one at McDonald's. And frequently, they will then pass you along to the one at McDonald's.
RASHBut in the meantime, they can siphon off whatever information passes through their machine, and frequently that means your username and password because in some cases, that's not encrypted before you connect to the source that you're going to. So just don't do it.
NNAMDIBrian, why is it important to keep an eye on your monthly bank statement if you bank online?
KREBSBecause your bank may have other things to do than to look at your statements...
KREBS...to tell you whether or not you made a charge or took some money out. You know, it could be -- and we talked about this. It could be ATM scammers and, you know, that haven't been discovered yet, could be, you know, you get malware on your system and the bad guys figure out a way to siphon your bank accounts. Either way, you know, you as a consumer, at least in United States, are protected, but you still have to report this stuff. You still have to say, hey, I didn't do this.
NNAMDIWell, here is the scary part. We got an email from Donna, who says, "Someone recently sent a message with my Social Security number in it. What can be done to ensure that hackers do not find and use it?" Well, Donna, you should know that Brian says it's not worth worrying about your Social Security number or other personal information getting into the wrong hands because, in fact, it's already out there and available for sale. How did this happen, and what can we do about it?
KREBSSo I did -- this is what got me swatted, by the way. I did a story about this site called Exposed.su. Now, it's moved to a new place. But basically, they were posting the Social Security numbers, previous addresses, mother's maiden name, all kinds of sensitive stuff on some of the most popular celebrities you can think of.
KREBSWhen they got tired of that, they did that with the director of CIA, director of the FBI, the first lady. Now, if they can do it for those folks, they can do it over anybody. And so that was the point of mine. So I pointed out this service that they were using to get all the stuff for pennies on the dollar, and they didn't like that, that's why they attack me. But I think, you know, people need to take a step back and start taking a little more responsibility for securing their own identity information.
KREBSAnd what I mean by that is there are some tools that are available to folks that are -- they just require maybe a reminder on your calendar. Everybody is, by right, entitled to a copy of their credit report, a free copy of their credit report, one from each of three major credit bureaus one time a year. So you can set your calendar and say, hey, I want to -- I want my -- a copy of my credit report. Review it, see if you see anything weird going on there.
KREBSThe other thing you can do is, by law, you can set a fraud alert on your account, on your credit file so that you can set -- so that they have to call you on the phone number you specify before anybody grants credit in your name. And that is free, and it lasts for 90 days, and you can renew it as often as you like.
NNAMDII've been there, I've done that. When you're still protective of your personal information, what sensitive information should we never store on our home computer?
RASHYour credit card numbers, your bank account number. It's too late for Social Security number if everybody's already got that. Make matters worse is Social Security numbers aren't even unique. So, you know, the fact is that, you know, it -- it's not very useful for our form of identification. Don't keep your driver's license number on there because that is unique, and that can be used as a form of identification.
NNAMDISocial Security number is not unique?
RASHNo. One of the little secrets about the Social Security Administration is they have over the years issued duplicate Social Security numbers.
KREBSSo here's another thing, Kojo. I mean, you know...
NNAMDII'll just make my day.
KREBSDoes -- do you -- are you friends on Facebook with your brother's wife or your brother, sister or your mother's brother?
NNAMDIAll of the above.
KREBSRight. So, you know, somebody goes, and looks, and sees who your aunt is or your, you know, and finds out what your mother's maiden name is. How hard is that? It's not hard these days. This information is out there.
NNAMDIOn to Ed in Hagerstown, Va. Cheer us up, Ed. You're on the air. Go ahead, please.
EDHey, Kojo, and computer guys. I really love the program. I was looking for pictures of Marilyn Monroe. I saw that special on public TV and was looking for that particularly poignant portrait of her and -- to put on my computer. And I've got a thing that said, the FBI has captured your computer.
KREBSOh, no. Ransomware, yeah.
EDYour computer is frozen, and you must send a fine of $200 to this address in order to -- or it will be destroyed in two days.
KREBSPlease tell me you didn't send the fine.
EDOh, no, no.
NNAMDIHow did you respond to this, Ed?
EDWell, I called a friend of mine who's a computer specialist. I didn't know your guys' numbers. But anyway, he said, to download -- but, yeah, I couldn't do it because the computer was blocked. Every time I turn it on, it would go to this screen.
EDAnd so I had another computer, but I downloaded a program called Spybot Search & Destroy...
EDAnd I put it on the flash drive and then plugged this flash drive in my computer and mounted it from that and cleaned it out of the computer.
NNAMDISo does this cure you of your tendency to look for Marilyn Monroe photos online?
EDI found the one I was looking for, and I've got it on my...
NNAMDII'm pretty sure I know the one you were looking for, Ed.
EDOh, I'm serious. It was just a portrait.
EDGoogled portraits of Marilyn Monroe, and they're all size. Well, of course...
KREBSWallpapers, lyrics, screensavers, some of the worst most dangerous sites you can visit.
NNAMDIThank you very much for sharing that information with us. We're running out of time, Wayne, but you have written that we are our own worst enemies when it comes to cybersecurity. Is common sense and vigilance really enough to stay safe online?
RASHWell, it certainly helps. The problem is when you don't use common sense and vigilance, which is unfortunately all too common. When you go to, you know, the biggest problem people have is to go a website of dubious character regardless of what it is you're looking for, whether it's that picture of Marilyn Monroe or any number of other things. But, quite frankly, that's where you get your malware from. Now, it sometimes infects legitimate sites, but you can be assured that if you go into a shady, not so legitimate site, you going to get...
NNAMDIErr on the side of safety. I'm afraid that's all the time we have. Wayne Rash is senior columnist and Washington bureau chief with eWEEK. Wayne, thank you for joining us.
RASHGlad to be here, Kojo.
NNAMDIBrian Krebs is an investigative reporter and author of KrebsOnSecurity.com. Brian Krebs, thank you for joining us.
KREBSThis was fun. Thanks, Kojo.
NNAMDIThank you all for listening. I'm Kojo Nnamdi.
Most Recent Shows
Mohsin Hamid explores the personal and political in this collection of essays about a dual identity as a Pakistani who's spent his life between the West and the East.
Kojo chats with filmmaker Kirby Dick, whose latest work explores how American colleges and universities are struggling to combat sexual assaults on their campuses.
Funding authority for the Department of Homeland Security is set to run out at midnight on Friday. As the Senate moves closer to approving a "clean" funding bill and the House confronts Friday's deadline, we consider the implications of a DHS shutdown and the possible political fallout for both parties.