Once again, news of a major online security snafu has users scrambling to change their passwords and wondering why security is so elusive online. Tech Tuesday explores how to create and manage effective passwords and asks why the computer code that secures much of our online commerce and communication is so vulnerable to mistakes and abuse.
- Matthew Green Research Professor of Computer Science, Johns Hopkins University
- Brian Krebs Investigative Reporter; author of KrebsOnSecurity.com
MR. KOJO NNAMDI: From WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. It's a bug in the widely used software named for the heartbeat-like signals two websites send each other, to say they're still connected, even if they haven't traded data for a while. Last week, we learned that instead of replying to the signal with an "I'm still here" message, a website could inadvertently reply by sending actual data, like user names and passwords. Whether anyone on the receiving end of that data realized it was there, or abused it, is still in question.
MR. KOJO NNAMDI: But as hundreds of thousands of websites raced to repair the flaw in their security software, it now appears the fix itself could be fate, and the whole messy operation could cause major internet disruption. Today on Tech Tuesday, we'll explore what the Heartbleed bug means for you, what you should expect during the effort to restore internet security, and when it's finally time to change all your passwords to protect yourself online. Joining us in studio is Brian Krebs. He is the author of KrebsOnSecurity.com. Brian, good to see you again.
MR. BRIAN KREBS: Thanks for having me, Kojo.
NNAMDI: Joining us from studios at Johns Hopkins University is Matthew Green, research professor in computer science at Johns Hopkins. Matthew Green, thank you for joining us.
MR. MATTHEW GREEN: It's nice to be here.
NNAMDI: All of you joining us on the radio, if you'd like to join the conversation, call us at 800-433-8850. How often do you change your passwords? You can send us email to email@example.com, or send us a tweet at Kojo show, using the hashtag Tech Tuesday. Or go to our website, kojoshow.org, where you can ask a question or make a comment. Brian Krebs, explain why we often see HTTPS at the beginning of a web address, and a little grey padlock lock sometimes. What do they signify, or what did they signify, until the discovery of the Heartbleed bug?
KREBS: Right, well, they're supposed to signify that the connection between you and the website is encrypted, which means that if somebody happens to be snooping on the wire between you and the website, maybe they could intercept the traffic, but they wouldn't be able to read it. And unfortunately, what happened with Heartbleed was it kind of threw all that out the window.
NNAMDI: As I understand it, the flaw in the computer code that was made public last week would allow a hacker to steal information, but as yet, there's no evidence that that actually happened. What exactly could be taken, and how would one know if one has been a victim?
KREBS: Who else -- first of all, we do know actually -- I think the Canadian tax website came out yesterday and said we are aware of something like, I don't know, it's like 900 people had the equivalent of Social Security number and other information, compromised as a result of the Heartbleed bug. I mean, that was the only sort of concrete confirmation we've seen. I tend to hang out on some less than savory places on the Internet.
KREBS: And I can tell you that there were a lot of people very excited about this and exploiting it, collecting large tracts of usernames, passwords from various sites that they could get into. And so, you know, this is definitely affecting a lot more places than we know about so far officially.
NNAMDI: Matthew, what are companies doing to restore their Internet security if they use the computer code that contains the Heartbleed bug?
GREEN: Well, I think it depends when the company found out. We recently learned that Google knew about this, at least a couple of weeks before it was made public, which makes sense because it was one of their researchers that discovered the bug. Other companies were notified, and so they were able to patch before it became public. After it became public, it's really a race. What you have to do is you have to first patch your software, so it's no longer vulnerable.
GREEN: And then you have to decide, do I need to change the keys on my server? Do I need to give my users advice to change all of their passwords? It's a big mess to clean up. And the longer you are out there while the bug was known, the more of a mess you have.
NNAMDI: Matthew, some new reports are saying that the effort to fix the bug could end up causing major disruption online, essentially slowing down the internet. What should we expect and how long will these repair efforts last?
GREEN: Well, I'm not sure that many people will notice this. What does have to happen is that smart websites will have to revoke their certificates. That means they're going to have to ask for a new certificate. A certificate is basically an assertion that's made by a company called the Certificate Authority that says, hey, this website, which says it's Google, actually is Google. And you have to pay for those things and you have to go get new ones.
GREEN: And then your Web browser, every time you go to Google, has to ask and make sure that, you know, your certificate hasn't been replaced with a new one. That -- all the traffic of all the websites making replacements is likely to increase the amount of work that Web browsers have to do and that could have some effect.
KREBS: Right. So the vulnerable component that we're talking about here appears to be in a wide range of hardware and software products. And some of these, I should say, are responsible for carrying some pretty crucial internet traffic and handling some very big operations. So, yes, it is a bit like -- it can be a bit like trying to change the tire on a, you know, car going 60 miles an hour. But, you know, as Matthew was saying, I think the internet is a resilient network. And it, you know, I doubt many people will see many disruptions as a result of their fixing these bigger things.
NNAMDI: In case you're just joining us, it's a Tech Tuesday conversation on the Heartbleed bug and how it affects security online and our passwords. We're inviting you to join the conversation. Give us a call at 800-433-8850. Do you use the same password for more than one website? You can also send us a tweet @kojoshow. A lot of us are still confused about when exactly we should change our passwords to protect ourselves against this bug. How do we know if a site we use has updated its security software and that its new security certificate is not a fake? Matthew?
GREEN: Well, the good news is if it's a major site like Google or Yahoo or any of the really big sites, Facebook for example, you don't have to ask any questions. We know those sites have already updated their software. If it's a smaller site, then things are a little more complicated. There are a couple of websites you can go to out on the internet that will let you test a website for a vulnerability. I don't have the URL right here. But you can find them by Googling.
GREEN: That should tell you whether the site's vulnerable. But it's not a guarantee. And moreover, that doesn't tell you if the site might have been hacked or compromised before they fixed it. So, unfortunately, it's difficult to say what you should do right now.
KREBS: I've been telling people to take stock of the important sites that they've been visiting since news of this vulnerability became public. So essentially in the past eight or nine days and really to consider, as Matthew said, using some of the available tools out there to make an effort to see if those are still vulnerable. Some of those tools are better than others and some of them are more intuitive and user friendly than others.
KREBS: But, you know, I think, at this point, you know, it relates -- at least this relates to the bigger sites, it's a good idea to go ahead and change your password. You know, I also just want to touch on something else here, Kojo, which I hope people have given some thought to, which is, you know, everybody -- nobody can stand passwords, right? We all have to deal with these things. And we've talked about this so many times on the show.
KREBS: But there are a lot of places on the Web, we're talking social networking sites, email, these kinds of things, that support what they call two-factor authentication. And this just means that if somebody steals your password, they still need something else. They might be, you know, be able to have control over your cell phone so they can send you a code that you need to put in. But the idea is that even if they steal your password, they still need something else to get access to your account.
KREBS: And there are a lot of services these days that offer that protection, including Facebook, Google, LinkedIn, Tumblr, Twitter, WordPress, and then, you know, Gmail, Outlook, Yahoo, and the list goes on. It's important for people to take a few minutes and figure out if they're taking advantage of enough of these added security measures.
NNAMDI: On to the telephones. We will start with Stephen in Washington, D.C. Stephen, you're on the air, go ahead please.
STEPHEN: Hi. I had a question -- I understand how the buffer overload or the ping overload is working. What I don't understand is how an attacker would be able to latch on to my particular stream and take advantage of it.
KREBS: It's not so much that it's your particular stream, although we're getting some information coming out that older versions of Android operating systems of phones, several years old now that are still running on really old versions of Android, they may be able to do that to you. But most of these attacks that we have seen so far have been fairly opportunistic. So the exploit that was released, it's very simple.
KREBS: You just point it at a website or an internet address and it basically just dumps the last chunk of whatever was in the memory of that server. But the thing is, there's nothing that prevents the bad guys from doing this, just hitting, you know, go, go, go, go and doing this over and over again until the site fixes the problem. And that's what at least I saw signs that the bad guys were doing.
KREBS: So, yeah, the issue is you really don't know if they did that or not. If you logged in to your, you know, into the site or even if you just visited a site that you told it to remember you by putting a cookie on your machine or saving your password or whatever, you may not even think of it as logging in, but, you know, it is more opportunistic and less targeted.
NNAMDI: Matthew, you have compared this Heartbleed problem to a safe with a hole in it. Why do we need to change our password even after the hole is patched?
GREEN: Well, I mean, think of it like a bank safe where everybody's account numbers and all of their personal information are stored inside of the safe. And then somebody discovers that there's a hole in the bottom and that, you know, all of this personal information is leaking out and it's getting strewn all over the place, blown everywhere. Obviously, the first step is to fix the safe, patch that hole in the bottom.
GREEN: But unfortunately, that doesn't really help you with all the things that fell out of it. Now the good news is that what fell out of it right now appears to be fairly random. In response to the caller, it doesn't seem like it's very easy for somebody to say, hey, I want to get your information. It's more like whatever happens to blow into their nets is what they get. Which means your particular chance of being the one who is vulnerable is very low. But definitely information has leaked out.
NNAMDI: On now to Cheryl in Washington, D.C. Cheryl, you're on the air, go ahead please.
CHERYL: Yes, good afternoon. I have a question about Internet Explorer as it relates to InPrivate, turning that on. And I'd like to know, could you just give me a sense of -- it says it's supposed to prevent storing data about my browsing session. And I want to know how does that really work and what does that do as it relates to passwords that I might use to get into particular places?
CHERYL: If that makes any sense.
KREBS: Sure. So when you normally browse with, I think you said Internet Explorer, what it will do is it will keep a record of just about everything you do with that browser. So whatever you search for, whatever sites you visit, where you click around the various parts of that site that you go, and you can go back and I think it's Ctrl H and just open up the history pane and you can see where you've been and what you've been doing.
KREBS: What InPrivate browsing does is it says, all right, we'll keep track of this stuff for you while you're using this browser. But once you close out of it, we'll forget all about it, like it was never there. It's gone. You know, as it relates to passwords saved or passwords used when you are in InPrivate browsing, I'm not exactly sure.
KREBS: You know, I think the latest versions of Internet Explorer do let you create a master password, so that if you choose to decide to store passwords in the browser, you know, if something tries to steal your password either by getting on your machine or hijacking your browser, it would still need to have that information to do that. But I don't know whether it's actually stored in InPrivate browsing. Sorry.
NNAMDI: Cheryl, thank you very much for your call. Good luck to you. Speaking of passwords. Matthew, I'll start with you, what's your advice for creating good, strong passwords? Is it okay to use the same password for lots of sites?
GREEN: So I think the lesson that we've learned is that if you put a password into a site, sooner or later that password is going to be public to everybody. That's not a guarantee. But I personally lost my LinkedIn password a while back, a couple years ago, because there was a breach and passwords were stolen from LinkedIn. And they weren't using proper practices to protect those things. Unfortunately, and I'm not going to go into details but, you know, even as a security professional, I was using that same password somewhere else, which meant I had to change two passwords.
GREEN: So the real threat is that you put in your best password you came up with to, you know, some pet food store, and that gets hacked. And then that turns out to be the same password you're using for your Google mail, which you really do care about a lot, and then unfortunately a lot of private information becomes available to attackers.
KREBS: Yeah, so the password reuse issue really comes up again every time we deal with one of these things. And it's generally a really bad idea to reuse a password at someplace that you care about and someplace that you don't really.
NNAMDI: Excuse me. Allow me to interrupt for a second. Hear that Dagmy? We got a tweet from Dagmy who says, "Of course I use one password for many accounts. There's no way I can remember 10 passwords for 10 different accounts." What should Dagmy do?
KREBS: Well, look, you know, if you go to some forum and you just want to, you know, sound off and they make you create an account and give a password, as long as they're not storing sensitive information with it, I don't see a problem with reusing that password at other sites like that. The problem is, as Matthew says, when you start reusing it at sites that you really care about. I try to steer people away from thinking of passwords, because, you know, nobody can remember the really secure ones, like the jumble of letters and stuff that has no meaning. I try to steer people towards passphrases, which are essentially pretty long strings of words you put together.
KREBS: When a site does get breached -- and it's almost a question of when, not if, these days -- the bad guys will try to brute-force or guess all of those passwords. They use very powerful computers to do this. And they can crunch through small, short passwords very quickly. The longer the password, the more secure it is, generally speaking. So I would say, you know, that maybe it's a line from a poem that you love or something that's memorable to you.
KREBS: That's not bad. That's not bad.
NNAMDI: What's the best way to store passwords, Brian?
KREBS: Well, there are really a lot of options these days. There are some that are cloud based. And I, you know, I don't want to steer people away from them because they seem, for all intents and purposes, very secure. You basically -- LastPass is one example -- you essentially entrust them with all your passwords. They encrypt them in a way that, even if they got breached, they couldn't tell you what your password was. So it all relies, again, on a master password. And god help you if you forget that master password.
KREBS: But that is the key to unlocking, you know, all of the passwords that you've saved with the site, which it will automatically log you in. You only have to tell it what that pass -- or you could say, hey, I don't care what my password is. You figure it out. You make up a password for each one of these sites. If all I have to remember is this master password, then great, you know? So that's a system that seems to work for a lot of folks. But, again, I mean, you know, I -- if you're the kind of person who's paranoid about putting all your eggs in one basket, I don't know. That describes me.
NNAMDI: Same question to you, Matthew. What's the best way to store passwords?
GREEN: So, I agree, that's the -- what Brian said is definitely the first answer. That's the answer for people who like technology and are comfortable with that kind of thing. The other answer, which I think is a very good answer, is get a piece of paper. Come up with some very good passwords. You can even find a big dictionary and...
NNAMDI: That's what I used to (word?). What's a piece of paper? Go ahead.
GREEN: Find a piece of paper. Write down your passwords. As long as you keep them in your house, the chances that a hacker is actually going to break into your office and steal your passwords is pretty low. So that's a really good way to remember them. And then you can have a different password for every site. You can pick them by, you know, picking words out of a dictionary and sticking them together -- lots of good ways to pick passwords, as long as you can write them down.
KREBS: A friend of mine did that and...
NNAMDI: What if I'm not home?
KREBS: Well, a friend of mine did that and took a picture of her -- of her written-down passwords on her phone, you know? And I'm looking through her pictures and I'm like, what is this? Tell me this isn't a list of your passwords. She got all upset.
NNAMDI: On her phone. You try to develop your own secure method of storing your passwords where nobody else, you think, can get it. We're going to take a short break. But, of course, we're still taking your phone calls. It's Tech Tuesday and we're discussing the Heartbleed Bug. We're talking about passwords and security online. You can send us email to firstname.lastname@example.org. How do you come up with a password that you think is secure? 800-433-8850. Or you can go to our website, kojoshow.org, join the conversation there. I'm Kojo Nnamdi.
NNAMDI: Welcome back. It's Tech Tuesday. We're talking about security online, in the wake of the Heartbleed Bug and how we might change our passwords. Matthew Green is a research professor in computer science at Johns Hopkins University. He joins us from studios there. Here in our Washington studio is Brian Krebs. He is the author of KrebsOnSecurity.com. You can call us at 800-433-8850 with your comments or questions. Matthew, how often should we change our passwords, even without a security breach like Heartbleed?
GREEN: You know, it's actually a funny -- it's a funny question, because there are different opinions about it. One answer is that we should change them all the time. And some websites actually force you to change them. It's really actually pretty annoying. Every three months, for example here at Johns Hopkins, they make me change my password. So I have to confess, what I do is the same thing everybody else does. I add a one to the end of the password, or I add a two. And I know that's a bad thing. The good news is I don't really care if my Johns Hopkins account gets hacked.
GREEN: But the thing is...
NNAMDI: I'm sure the University will be happy to hear that. Yes.
GREEN: But the thing about this is that if you force people to change their passwords more than they're comfortable with, they just pick bad passwords. I think the best thing to do is pick a password, keep it around for a relatively long time, but make it a very good password.
NNAMDI: Any comment on that, Brian?
KREBS: No, I think that's great advice.
NNAMDI: Brian, this Heartbleed Bug was in free open-source software. Explain what open-source software is and why 66 percent of the Web runs this particular OpenSSL. Why do Internet giants like Yahoo and Amazon rely on free security software maintained by a small group of people outside their company, instead of creating their own?
KREBS: Well, open-source is essentially software that you get to see the guts of it. You get to see the code. Anybody can open it up and look at it and say, you know, hey, I feel comfortable with this, or I don't. I want to change it in some way or I just -- I'm happy with the way it works. Versus closed-source, which is stuff like, you know, Microsoft Windows, you know, Adobe Reader. You don't get to look at the guts of it. You just sort of have to trust them. But it's secure. And there's a lot -- there's a big debate, I think, within the community about whether one, you know, open source is any more secure than closed source. And I'll leave that alone for now.
KREBS: But you asked about why so many organizations rely on it. And I think, when it comes to open source, again, it's -- there's this idea that, hey, we get to -- if we're going to have so much riding on this, we'd feel more comfortable working with something that we can take a look at and vet to make sure we feel comfortable with it.
NNAMDI: Matthew, does open-source software, security software, work like, oh, Wikipedia, where anyone can go in and make changes? Whose job is it to monitor open-source code and make sure it works right?
GREEN: Well, so it's open, in the sense that anybody can read the source. You can go and get the OpenSSL source code, which is the one that was vulnerable to Heartbleed. You can download it today. I mean, you don't want to, but you could. Then there's the question of who gets to edit it. And different projects have different rules. Some are very easy to get into. Some small project, any volunteer can add code to.
GREEN: Usually it's reviewed, of course, but anyone can volunteer. Other projects, like OpenSSL, there's a very small, tight group of managers. And you might be able to get them to take your code changes. But you really have to prove to them you know what you're doing before that's going to happen.
KREBS: Yeah, that's right. And I -- and so a lot of the folks that maintain the open-source code, they may be employed by a company whose job is to do that. Or they may be just people who are extremely passionate about computer code and efficiency and making things better and, you know, free software and, you know, that whole ethos.
KREBS: And it is startling, when you see this bug and how, you know, how such a wide impact that it had, at the end of the day to see so much of what we depend on as a society basically rely on the good graces of people to maintain this and ultimately, hopefully, to find the serious vulnerabilities quickly. And I hope we have a chance to talk more about that in a little bit.
NNAMDI: Well, doesn't the fact that this bug was introduced two years ago and not detected until now -- isn't that an argument against the idea that open-source software, with lots of eyes poring over it, has the best chance for success?
KREBS: Well, I don't, you know, I don't know. The open- or closed-source, I mean, this is kind of a distraction, this debate over whether it's -- as far as I'm concerned, the open-source proponents say -- oh, yeah, look. The code is available for anyone to review. So, in the end, more eyeballs means it, you know, more secure software. But that's only true if you actually get more eyeballs looking for flaws in open-source code.
KREBS: It may be just the case that this openness makes it easier for individual users and programmers not to test it or just be lazy with it. And, you know, the truth is that a ridiculous amount of software that's used for fairly important stuff in businesses, hospitals, transportation, I mean, you name it, hasn't undergone nearly enough testing for these sorts of bugs. And that goes for both open- and closed-source software.
NNAMDI: Matthew, same question to you. Open-source software can mean simply more people not paying attention?
GREEN: Yeah. I mean, there's definitely an opportunity. Just because something's open, doesn't mean that qualified people are looking at it. I mean, the way I would put it, it's the difference between having a kitchen that's open at a restaurant, where everybody can look in and they can see if the chef drops the food on the floor, or having a kitchen that's in the back room where the chef can drop the food on the floor all that he wants, and nobody knows. You feel safer when you, you know, you look at that kitchen and nobody's reporting food being dropped. But that doesn't mean it's not being dropped.
NNAMDI: On to the telephones. We go now to John in Washington D.C. John, you're on the air. Go ahead, please.
JOHN: Hey, Kojo. I love the show. I just wanted to make a remark about your comment about passwords.
JOHN: I bought a -- someone told me about this -- I bought a little wire-bound book off of a company called BookFactory on Amazon. And it -- you can hold all your passwords in it. It's really handy, very easy to update it. And I keep it with me and change my passwords whenever I need to change them.
NNAMDI: You keep the book with you?
JOHN: Well, I -- when I go to work and so on, yeah. I travel with it when I'm traveling.
NNAMDI: What if you get mugged?
JOHN: Well, if I got mugged, then I guess I would be in trouble. I guess I'd be in trouble. But I mean, I don't know what else to do. I need all these passwords and...
NNAMDI: On the other hand, if you leave it at home, your home could be burglarized.
JOHN: Exactly. Exactly. Exactly. There's really -- it's kind of a no-win situation, isn't it?
NNAMDI: If you store it online, somebody might have access to it.
GREEN: You need an exotic foreign alphabet or something.
JOHN: Yeah, I didn't want to put these passwords online or save them anywhere online.
NNAMDI: Okay. But thank you very much for sharing that with us.
JOHN: Okay. Thank you. Bye-bye.
NNAMDI: We move on to Harry in Silver Spring, Md. Harry, you're on the air. Go ahead, please.
HARRY: Hi, Kojo. Love your show.
HARRY: I've got a question. I've got about 80 different passwords, so it's very difficult for me to remember all of them. So I keep them in a Word file that is password protected with a long phrase. Is that not safe or safe?
KREBS: Hmm. Well, there's a safer way to do that. You know, typically -- traditionally, the security surrounding the Microsoft password system for their Office Suite has been pretty low and very easily defeatable. So, if somebody were to get on your system remotely or locally, they probably wouldn't have. Now, I don't know what kind of, you know, if you have the latest and greatest or, you know, what they've introduced. But traditionally speaking, this has not been a huge hurdle. There is a free program out there, maintained by -- or it was written, I don't know if it's still maintained -- but it's called, oh, Password Safe.
KREBS: And it was developed by a guy named Bruce Schneier, who's probably, oh, as somebody said, one of the closest things the cryptography industry has to a rock star. The guy is -- yeah, he's just super smart. And anyway, Password Safe is, it'll sit there and it'll basically take all your passwords and it'll work interactively with your browser. But it keeps it in a very, very secure, highly encrypted environment. And, you know, again, it's a master password type situation.
HARRY: Is that available to be kept on something like an iPad or an iPhone as well?
KREBS: I don't know if it works -- I doubt that it works with iOS. But it is -- I think it works on both Mac and Windows.
NNAMDI: Harry, thank you very much for your call. Eighty passwords? Here is Secruay in La Plata, Md. A lot of people want to get in on this password conversation. Secruay, you're on the air. Go ahead, please.
SECRUAY: Hello, Kojo. You know I really love you. And I want you to make some more healthy cooks -- healthy eating habits programs. But my comment is, my password, I'm from Turkey, and I always use like history, you know, dates or names. And nobody can find that. But sometimes my son finds out. That's the time I change my passwords.
NNAMDI: I was about to suggest, Secruay, that a lot of people here might not know that. But there could be people in Turkey who have a complete understanding of your passwords.
SECRUAY: I don't think so, because I'm really, you know, a detailed person. I don't know. It's just, nobody can find out yet.
NNAMDI: Do you use historical references?
KREBS: If I could just offer an observation here.
KREBS: There are, you know, people tend to think of hacker groups and, you know, hacker individuals as being Eastern European and Russian. But there really are hacker groups in just about every major country in the world. I've not found an exception to this every time I've looked. And there are things like password cracking lists in almost every language and alphabet out there.
KREBS: And, you know, these lists sometimes contain millions of entries. And I guarantee you they have all kinds of things, you know, names, dates, things like this in them. And so if you're counting on these things to be obscure, that's what they call security by obscurity. And it usually works for a while, but eventually it comes to, you know, bite you in the rear.
NNAMDI: Forget "Hyperbolicsyllabicsesquedalymistic" because that's an old Isaac Hayes song, everybody knows.
KREBS: Everybody knows that.
NNAMDISecruay, thank you very much for your call. Matthew, what's the state of coding today? Is there a way to make it foolproof?
GREENNo. This is one of the biggest problems we have. There are some parts of our field that we know how to do well. In cryptography, the math is very good. And there's some parts we just don't know how to do well at all, like writing secure programs. Software is just this kind of, you know, gaping wound in -- sorry to make this so graphic, but it's a big problem in our field. We don't know how to build programs that can't be exploited. We have some languages that are a little bit better at avoiding the kind of problems we saw with Heartbleed, but they have other problems. And I don't see anything on the horizon that's going to fix that.
NNAMDIWhat did you tell your class about this Heartbleed Bug. Your students are future coders. What is the lesson they can learn from this?
GREENWell, I told them actually the day it happened -- my class was right before it was announced. And I ask them for news at the beginning of every class. And I asked them if anything had happened. And they said, no. And I made a joke, like maybe everything's been made secure at this point. And I think in response to that joke, this is what happened. But, I mean, at the end of the day, this is exactly what I teach my students. I teach them that you can come up with all the wonderful math in the world, but eventually someone's going to write a piece of code and they're going to screw it up.
NNAMDIThanks for the good news. On to Bonnie in Silver Spring, Md. Bonnie, you're on the air. Go ahead, please.
BONNIEHi, thank you, Kojo. I have two questions. The first is, is there a difference with -- if you're using an Apple product? Would it -- would the security be different and would you still need to change your passwords? And the second question is, how about financial institutions? I've been hearing that that's the place, especially, where you need to change your passwords. Do you know anything about that?
KREBSYeah, I think it's important. There are differences between the way that Apple and, say, Microsoft, handles passwords that you choose to entrust to the operating system. But I think it's really important for people who are using a Mac to understand that just because there aren't as many threats out there and bad guys targeting Mac users, that doesn't mean that there aren't threats out there and bad guys targeting Mac users. And a lot of people feel very complacent about this, so much so that they forget to do very simple things, like apply the updates from Apple.
KREBSYou know, apply updates from Adobe for things like Flash and Reader and whatever else they have on their system, because these things plug directly into the browser. And the browser is your interface to the rest of the world, whether it's your bank or some other place that wants you to submit a user name and password or some other personal information.
KREBSAnd that's exactly what today's malicious software targets. It wants to get in your browser. It wants to intercept this information as you're hitting it submit. So I would say focus more on making sure you're keeping your system up to date. And, hey, my rule of thumb is, if you didn't go looking for it, don't install it. And that keeps you out of a lot of trouble.
NNAMDI: Going to take a short break. When we come back, we'll resume this conversation, still inviting your calls at 800-433-8850. What steps do you take to beef up your security online? Shoot us a tweet, @kojoshow, using the #TechTuesday or email to email@example.com. I'm Kojo Nnamdi.
NNAMDI: Welcome back. It's Tech Tuesday. We're discussing the Heartbleed Bug and what -- how likely that is to affect our passwords in particular and security online in general. We're talking with Brian Krebs. He is author of KrebsOnSecurity.com. And Matthew Green, he is a research professor in computer science at Johns Hopkins University.
NNAMDI: Brian, there was a report last week that the NSA discovered the Heartbleed Bug two years ago, thanks to its huge team of programmers who pore over computer code, but that it didn't say anything. The NSA has denied that report. What do you think the government's role in this was?
KREBS: Oh, well, that's really difficult to say. So I think there's some interesting observations to come out of this. Number one, of course, as you said, the NSA said, wow, we didn't know about this, but if you talk to the researchers who are most familiar with this, they'll say, you know, they have said on the record, look, we looked at this thing after it came out. We're like, how did we miss this? I mean, it was so obvious.
KREBS: And you got to wonder, the brainiacs over at NSA, how -- if they missed it, how did they miss it? I have my doubts. But it's interesting to note -- and I hope this leads to a different conversation in a few minutes -- but essentially, if you listen to the NSA or the administration's denials, they say, look, we didn't know about this until April. Well, guess what? The researchers found it in mid-March, so what does that tell you about their trust of what's going, you know, the government to handle these kinds of things, so...
NNAMDI: What do you say, Matthew?
GREEN: Well, we actually learned a few months ago that the NSA is breaking encryption. We learned this back in September. They're not just breaking encryption. They're actually putting bugs deliberately into products that have encryption built in to them so that they can break these encrypted connections.
GREEN: That cost the government a lot of trust in the tech community, a lot of trust. It's actually cost a lot of people a lot of money on top of that. So I think that helps to explain why Google didn't rush off to the government to report this right away. But, in general, I don't know what the truth is with this, whether the NSA knew about it or didn't. I would be amazed and disappointed if they were not able to find this bug themselves.
NNAMDI: Brian, what's the conversation you want to get to?
KREBS: Well, I mean, I think at some point, we need to decide whether it makes sense to have a national conversation about throwing some serious resources at a coordinated effort to look for and eradicate very dangerous bugs in programs and software and hardware that runs this stuff that's so critical to our society. You know, and as ad hoc as the current system is, I mean, you have independent researchers working on their own, and they do a remarkable job -- I don't want to, you know, slight them at all -- finding and getting fixed some very serious and dangerous security vulnerabilities. But, you know, I think it's...
NNAMDI: I guess, in the same way that we, as a society, we have auto safety standards, financial disclosure standards, but there's no equivalent for this place where we conduct a huge volume of personal correspondence and private commerce. Are you saying that they might be -- it might be a good idea if a federal agency was dedicated to Internet security, do you think?
KREBS: No. I don't think that's a good idea. I think -- yeah, I tend to believe that, you know, the less the government does, particularly in the technology space, the better off we all are. I think there's one thing that they do -- now, again, setting aside the question of whether we want the government involved in this -- you know, obviously they are involved in it.
KREBS: But whether we want them to take a lead on something like this, setting aside that for a second, you know, I think one of the things that the government does extremely well -- and has proven very useful in the past -- is they're -- when they invest in research and development, good things generally happen. I mean, that's where the Internet came from. That's where a lot of our big technological leaps and bounds over the last 30 or 40 years have come from.
KREBS: And I think it -- you know, we need to find a way to make a more concerted, more collaborative, and hopefully more public effort to find these vulnerabilities 'cause they kind of get introduced, you know -- I mean, people -- these things are programmed by humans. Humans make mistakes. But, you know, hopefully, the next time something like this comes up, it gets discovered fairly quickly after it's been put in, not three years later.
NNAMDI: Matthew Green, sounds like something that researchers and computer scientists at universities might be interested in.
GREEN: Well, I can tell you how hard it is. So I want to just add one thing to what Brian said before we go there. The government does already spend tens of millions, and maybe even more than that, basically paying researchers to find bugs. What it does with those bugs, when it finds them, unfortunately, is not fix them in every case. The government, meaning law enforcement agencies and the NSA, have a huge stockpile of what they call zero days that are unfound vulnerabilities in software that they can use to break into other people's computers.
GREEN: So we know that they already have resources to find these bugs. What's not done so well, though, is to fund researchers to find things like Heartbleed. And I know this because, for example, I tried to organize a crowdsourced audit of a piece of software called TrueCrypt. And we were able to collect, I don't know, upwards of $50,000 from people donating, you know, $50, $10 at a time. As far as I know, that's the largest effort anyone's -- the most money anyone's ever been able to sort of scrape together in that way.
GREEN: But here -- we're basically -- you know, it's the old saying, like, we're holding bake sales to find bugs in fundamental software people use...
KREBS: We're panhandling out there.
GREEN: Yeah. And these bugs affect everybody, including the government. There should be some way to do this right.
NNAMDI: We got a post on our website from Andy who says, "The unfortunate reality is that there are likely other Internet vulnerabilities that have not been identified yet. The best thing we can do is check out our credit reports regularly." Brian.
KREBS: Yeah, no question. And this is something that I harp on a lot. You have a right to get a copy of your credit report from each of the three different credit bureaus, TransUnion, Experian, and Equifax. You just need to ask for it at a website called annualcreditreport.com. All the rest of them will say it's free, but you have to pay for your credit score or something else or a credit monitoring service in order to get it.
KREBS: That one is mandated by the government, and you can get one copy of your credit report. Basically I say, every four months or so, it's a good idea to get one from another of those bureaus and just make sure there's nothing screwy on there.
NNAMDI: Matthew, will we ever get beyond passwords? Is there much movement toward, oh, biometric identification?
GREEN: Well, biometrics have a problem, which is that you're stuck with your biometric forever, so your biometric could be your fingerprint or your iris. Very hard to change your fingerprint, so there is some weakness there. What seems to be going very well right now is this two-factor authentication that Brian mentioned, which is the idea that I have my phone. I usually have it with me, so I have a combination of one factor, which is a password, and this physical device, my phone, which is kind of hard to steal. And we just hope that nobody's going to steal both of these things at the same time. This seems to work pretty well.
KREBS: Yeah. And I think, if I could just add, I think biometric is a hard sell for a lot of people. I mean, you know, we've seen over and over again, companies can't be trusted with personal information. And, you know, you're going to ask people to give more personal information that they can't protect. And I know there are ways to take only a dinky part of that personal information. But there are so many different competing ideas about how to do this and how to do it right. And then people are trying to be the first to do it. And that just creates all these disparate efforts and standards. And nothing good can come from that.
NNAMDI: Got an email from Mike in Baltimore. "Could your guests, please, explain two-factor authentication? I do not have a smartphone. I use a pay-as-I-go cellphone, mostly just for rare travel. I do have an iPad, Wi-Fi-only, and an iMac. Can I still use two-factor authentication? Can I use my home phone for it? I don't do texting from my cellphone."
KREBS: Right. So two-factor essentially -- so no texting. Some of the two-factor systems can actually be set up to give you a call on your phone and read a code or something, you know, a four-digit number to you. And you enter that in your phone. I know Google does that with their two-factor approach, and several others do as well.
NNAMDI: On to Dale in Baltimore, Md. Dale, you're on the air. Go ahead, please.
DALE: Hi, Kojo. Years ago, I bought a utility program called RoboForm. And it is used for multiple things, one of which is to generate passwords. But it also can fill in forms on the Internet so that, for instance, if you go to a site and they ask for your name and address, you can just hit the button on RoboForm. And it will fill in the information for you without you having to type it all over every time.
DALE: It saves your Internet addresses. You can name them whatever you want. You can put them in alphabetical order. So when I want to go to a site, I simply click on the logo for them. It takes me to that website, and then, if I'm shopping, which I do a lot on the Internet, and then I get to the part where I have to fill in my name and address and (unintelligible) credit card, I simply tell RoboForm to fill it in.
DALE: And it fills it in for me. It's all encrypted. It's safe on my computer. And I only need to remember one master password. So if I want to generate a 20-digit random password, there's a generate button. And I generate it, and RoboForm encrypts it and keeps it. And the next time I go to that website, all I need is my master password, and then it fills in those for me. And you can save it just on your computer.
DALE: Or you can use it over the Internet. So I have probably a hundred different pass cards through RoboForm, and all I have to remember is one master password.
DALE: And it makes life a lot easier.
NNAMDI: Dale, thank you so much for your call. I want to see how it works for -- I'll put you on hold, Dale, and see how it works for Ed in Frederick, Md. Ed, you're on the air. Go ahead, please.
ED: Dale did a good job explaining RoboForm. I've been using it for about 10 years. They upgrade it regularly. And I use it -- like Dale said, a strong 20- or 22-digit pass phrase as my master. And it also allows you to go into one of the functions and print out a list of master passwords so that you can keep it in your safe deposit box or securely somewhere in a file cabinet at home under some other name.
ED: And it's a great -- I believe they've never been hacked. They use a much stronger encryption than typical encryption. And I was talking with one of the principals at a computer show, and he said, Ed, I don't think we've ever been hacked. If we have, I don't know about it. They've never sent me a message in 10 years that I had to change things.
NNAMDI: Know anything about RoboForm, Brian?
KREBS: Yeah. It's a -- as Ed said, it's been around for a long time. And it's a fairly robust solution. Most people tend to use it as storing passwords on their computer as opposed to something that -- like LikePass, which it lives, you know, on the Internet. And I think it has a fairly vibrant user community. So, you know, if you get stuck on something, you can go on their forum and get answers to your questions.
NNAMDI: Well, Dale, Ed, thank you both for your calls. We move on now to Diana in Washington, D.C. Diana, you're on the air. Go ahead, please.
NNAMDI: You're on the air, Diane.
DIANA: Okay. I keep a list in a Word document on my computer of my passwords. And I carry it around with me. But what I do instead -- my password might be Debra1, and I write down Grandma1 or something like that. Or my first horse would be the password, and I'd call it Horsey123. So I figure nobody knows my horsey 'cause that was a long time ago.
DIANA: Or -- so, anyway, I feel like I can keep a password file like that.
NNAMDI: In which you give you -- the password is a hint to yourself.
DIANA: Yeah, hint to myself. So if I see Horsey1, I know I have to write Napoleon1 or something like that, or whatever my horsey's name was. But I'm not going to tell you.
KREBS: Are you storing your list -- your Word doc, is it just a regular Word doc, your...
DIANA: It's a regular Word doc.
KREBS: Mm hmm. Okay.
DIANA: And another thing I heard was it's good to use, like, your old -- a former address or phone number. So if I want to do that, I'll put, like, 3 and an N, and then 888, the number of letters in my (word?) address.
NNAMDI: Well, people who are truly interested in stealing your identity can track down your old phone number. Can they not, Brian?
DIANA: I don't think so.
KREBS: Oh, yes, they can.
KREBS: Oh, sure. Yeah. I can -- you know...
DIANA: Okay. I won't do that anymore.
KREBS: Yeah. I've written about a number of services in the underground that you can go to to find just about everything you want to find on just about anybody.
DIANA: Really? I bet you you can't find...
KREBS: Oh, sure. They did it to the First Lady. They did it to the director of the CIA. They did it to the director of the FBI.
DIANA: Even when I went to the sixth grade?
KREBS: Yeah. So that information is not secret, and it's -- it doesn't make good passwords.
DIANA: They -- okay, not so good. But they don't know my grandma's name, except my sister would. But...
KREBS: I don't know. Are you on Facebook?
DIANA: I don't tell Facebook anything.
NNAMDI: Okay, Diane. Okay, Diane. Well, good luck to you. Matthew, are you surprised that this Heartbleed Bug got as much attention as it did? What does that say about how we -- how much we put online today?
GREEN: Yeah. So there was a vulnerability in OpenSSL, at least a version of it, back in, I think, 2008, maybe 2009, that was really catastrophic. And it had a similar effect on a lot of servers. And I don't think it's -- I don't think it got anywhere near as much press or attention from people. And the reason is that, even just that far back, not everybody was using the Internet the way we are. We weren't putting our entire lives on the Internet. It's just going to get worse. I mean, we rely on the Internet for enormous numbers of things. And when a vulnerability comes -- like this comes along, we don't know what to do.
KREBS: I -- yeah, I don't think there's any question. We're going to see a lot more of these, and probably because there will be hopefully -- hopefully, I should say, more people looking for this. I think it's important to note there have been a couple of very big, fairly big SSL vulnerabilities, or at least in implementations of SSL in various things. Apple had a big oops a couple of months ago.
KREBS: And they fixed that very quickly. They can do that because they have a closed system. The danger comes when you have a vulnerability in a component that just gets reused in so many different parts of the Internet. And that's where we're -- I think, hopefully because of this attention, we're going to see more people looking for these things. But I'm not going to hold my breath, Kojo.
NNAMDI: We got a tweet from Karen -- and we only have about 40 seconds left -- who said, "Just because something is free and open source doesn't mean it can't benefit from money. Pay for more eyeballs on the code." Would that work, you think, Brian?
KREBS: Sure. And, you know, I should note that there are a couple of efforts available now that actually will reward -- I'm blanking on the name of it. But they're sponsored by the likes of Facebook and others -- that will reward people who find these vulnerabilities. You know, probably not as much as, say, the black market would pay for this stuff. But, you know, there are some nascent efforts out there.
NNAMDI: Brian -- Brian Krebs, he's the author of KrebsOnSecurity.com. Thank you for joining us. Matthew Green is research professor of computer science at Johns Hopkins University. And thank you all for listening. I'm Kojo Nnamdi.