Every day, you hear about security flaws, viruses, and evil hacker gangs that could leave you destitute — or, worse, bring your country to its knees. But what’s the truth about these digital dangers? We asked computer security experts to separate the myths from the facts. Here’s what they said.
Facebook’s Chief Security Officer Alex Stamos has spent most of his career finding security vulnerabilities and figuring out how attackers might try to exploit software flaws. He’s seen everything from the most devious hacks to the simplest social engineering scams. And in all that time, he’s found that there are two simple solutions for the vast majority of users: strong passwords and two-factor authentication.
Stamos says that the biggest problem is that the media focuses on stories about the deepest and most complicated hacks, leaving users feeling like there’s nothing they can do to defend themselves. But that’s just not true. He told me via email:
I’ve noticed a lot of nihilism in the media, security industry and general public since the Snowden docs came out. This generally expresses itself as people throwing up their hands and saying “there is nothing we can do to be safe”. While it’s true that there is little most people can do when facing a top-tier intelligence apparatus with the ability to rewrite hard drive firmware, this should not dissuade users from doing what they can to protect themselves from more likely threats and security professionals from building usable protections for realistic adversaries.
Users can protect themselves against the most likely and pernicious threat actors by taking two simple steps:
1) Installing a password manager and using it to create unique passwords for every service they use.
2) Activating second-factor authentication options (usually via text messages) on their email and social networking accounts.
The latter is especially important since attackers love to take over the email and social accounts of millions of people and then automatically use them to pivot to other accounts or to gather data on which accounts belong to high-value targets.
So I would really like the media to stop spreading the idea that, just because incredible feats are possible on the high end of the threat spectrum, it isn’t possible to keep yourself safe in the vast majority of scenarios.
Adam J. O’Donnell, a Principal Engineer with Cisco’s Advanced Malware Protection group, amplified Stamos’ basic advice:
Oh, and my advice for the average person: Make good backups and test them. Use a password vault and a different password on every website.
Yep, having a good password is easy — and it’s still the best thing you can do.
When you unwrap the box on your new phone, tablet or laptop, it smells like fresh plastic and the batteries work like a dream. But that doesn’t mean your computer isn’t already infected with malware and riddled with security vulnerabilities.
I heard this from many of the security experts I interviewed. Eleanor Saitta is the technical director for the International Modern Media Institute, and has worked for over a decade advising governments and corporations about computer security issues. She believes that one of the most pernicious myths about security is that devices begin their lives completely safe, but become less secure as time goes on. That’s simply not true, especially when so many devices come with vulnerable adware like Superfish pre-installed on them (if you recall, Superfish came pre-installed on many Lenovo laptop models):
That’s why the Superfish thing was such a big deal. They built a backdoor in, and they built a really bad, incompetent one, and now it turns out that anybody can walk through.
When you’re relying on code delivered by somebody else, a service online or box that you don’t control, chances are good that it’s not acting in your interest, because it’s trying to sell you. There’s a good chance that it’s already owned or compromised by other people. We don’t have a good way of dealing with trust and managing it right now. And all sorts of people will be using that code.
The other issue, which erupted in the media earlier this year with the FREAK attack, is that many machines come pre-installed with backdoors. These are baked in by government request, to make it easier for law enforcement and intelligence agencies to track adversaries. But unfortunately, backdoors are also security vulnerabilities that anyone can take advantage of. Says Saitta:
I think one thing that is really important to understand is that if you built a monitoring system into a network like a cell network, or into a crypto system, anybody can get in there. You’ve built a vulnerability into the system, and sure, you can control access a little. But at the end of the day, a backdoor is a backdoor, and anybody can walk through it.
Many of us imagine that sufficiently good software and networks can be completely safe. Because of this attitude, many users get angry when the machines or services they use turn out to be vulnerable to attack. After all, if we can design a safe car, why not a safe phone? Isn’t it just a matter of getting the tech and science right?
But Parisa Tabriz told me via email that you can’t look at information security that way. Tabriz is the engineer who heads Google’s Chrome security team, and she believes that information security is more like medicine — a bit of art and science — rather than pure science. That’s because our technology was built by humans, and is being exploited by humans with very unscientific motivations. She writes:
I think information security is a lot like medicine — it’s both an art and science. Maybe this is because humans have explicitly built technology and the internet. We assume we should be able to build them perfectly, but the complexity of what we’ve built and now hope to secure almost seems impossible. Securing it would require us to have zero bugs, and that means that the economics are not on the side of the defenders. The defenders have to make sure there are zero bugs in all software they use or write (typically many millions of lines of code if you consider the operating system too), whereas the attacker only has to find one bug.
There will always be bugs in software. Some subset of those bugs will have security impact. The challenge is figuring out which ones to spend resources on fixing, and a lot of that is based on presumed threat models that probably would benefit from more insight into people’s motivations, like crime, monitoring, etc.
RAND Corporation computer security researcher Lillian Ablon emailed me to say that there is simply no such thing as a completely secure system. The goal for defenders is to make attacks expensive, rather than impossible:
With enough resources, there is always a way for an attacker to get in. You may be familiar with the phrase “it’s a matter of when, not if,” in relation to a company getting hacked/breached. Instead, the goal of computer security is to make it expensive for the attackers (in money, time, resources, research, etc.).
You’ve heard every rumor there is to hear about HTTPS. It’s slow. It’s only for websites that need to be ultra-secure. It doesn’t really work. All wrong. The Electronic Frontier Foundation’s Peter Eckersley is a technologist who has been researching the use of HTTPS for several years, and working on the EFF’s HTTPS Everywhere project. He says that there’s a dangerous misconception that many websites and apps don’t need HTTPS. He emailed to expand on that:
Another serious misconception is website operators, such as newspapers or advertising networks, thinking “because we don’t process credit card payments, our site doesn’t need to be HTTPS, or our app doesn’t need to use HTTPS”. All sites on the Web need to be HTTPS, because without HTTPS it’s easy for hackers, eavesdroppers, or government surveillance programs to see exactly what people are reading on your site; what data your app is processing; or even to modify or alter that data in malicious ways.
Eckersley has no corporate affiliations (EFF is a nonprofit), and thus no potential conflict of interest when it comes to promoting HTTPS. He’s just interested in user safety.
Everything is cloud these days. You keep your email there, along with your photos, your IMs, your medical records, your bank documents, and even your sex life. And it’s actually safer there than you might think. But it creates new security problems you might not have thought about. Security engineer Leigh Honeywell works for a large cloud computing company, and emailed me to explain how the cloud really works. She suggests that you begin thinking about it using a familiar physical metaphor:
Your house is your house, and you know exactly what the security precautions you’ve taken against intruders are - and what the tradeoffs are. Do you have a deadbolt? An alarm system? Are there bars on the windows, or did you decide against those because they would interfere with your decor?
Or do you live in an apartment building where some of those things are managed for you? Maybe there’s a front desk security person, or a key-card access per floor. I once lived in a building where you had to use your card to access individual floors on the elevator! It was pretty annoying, but it was definitely more secure. The security guard will get to know the movement patterns of the residents, will potentially (though not always, of course!) recognize intruders. They have more data than any individual homeowner.
Putting your data in the cloud is sort of like living in that secure apartment building. Except weirder. Honeywell continued:
Cloud services are able to correlate data across their customers, not just look at the ways an individual is being targeted. You may not [control access to the place where] your data is being stored, but there’s someone at the front desk of that building 24/7, and they’re watching the logs and usage patterns as well. It’s a bit like herd immunity. A lot of stuff jumps out at [a defender] immediately: here’s a single IP address logging into a bunch of different accounts, in a completely different country than any of those accounts have been logged into from ever before. Oh, and each of those accounts received a particular file yesterday — maybe that file was malicious, and all of those accounts just got broken into?
But if it’s a more targeted attack, the signs will be more subtle. When you’re trying to defend a cloud system, you’re looking for needles in haystacks, because you just have so much data to handle. There’s lots of hype about “big data” and machine learning right now, but we’re just starting to scratch the surface of finding attackers’ subtle footprints. A skilled attacker will know how to move quietly and not set off the pattern detection systems you put in place.
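The cross-account correlation Honeywell describes (one IP address logging into several accounts from a country none of them has used before) can be written down as a small detection rule. The following is an added example, not code from the article or from any cloud provider; the login records, the three-account threshold and the 30-minute window are constructed for illustration.

```python
"""Toy cross-account login correlation over constructed login records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: (timestamp, account, source_ip, country).
# The first four rows establish each account's usual country; the last
# four are one IP walking through several accounts from a new country.
SAMPLE_LOGINS = [
    ("2015-03-01T08:00:00", "alice", "203.0.113.10", "US"),
    ("2015-03-01T08:05:00", "bob",   "198.51.100.7", "US"),
    ("2015-03-01T08:10:00", "carol", "198.51.100.9", "CA"),
    ("2015-03-01T09:00:00", "dave",  "203.0.113.44", "US"),
    ("2015-03-02T02:00:00", "alice", "192.0.2.77",   "RO"),
    ("2015-03-02T02:01:00", "bob",   "192.0.2.77",   "RO"),
    ("2015-03-02T02:03:00", "carol", "192.0.2.77",   "RO"),
    ("2015-03-02T02:04:00", "dave",  "192.0.2.77",   "RO"),
]


def find_shared_ip_new_country(logins, min_accounts=3, window=timedelta(minutes=30)):
    """Return (ip, accounts) pairs where one IP logged into at least
    `min_accounts` distinct accounts within `window`, each from a country
    that account had never used before. Thresholds are hypothetical.
    An individual account's history alone cannot see this pattern; the
    provider's view across customers can."""
    seen_countries = defaultdict(set)   # account -> countries seen so far
    recent_by_ip = defaultdict(list)    # ip -> [(ts, account)] of new-country logins
    alerts, alerted_ips = [], set()
    for ts_str, account, ip, country in sorted(logins):
        ts = datetime.fromisoformat(ts_str)
        history = seen_countries[account]
        # A country counts as "new" only once the account has a baseline.
        is_new_country = bool(history) and country not in history
        history.add(country)
        if not is_new_country:
            continue
        bucket = recent_by_ip[ip]
        bucket.append((ts, account))
        # Keep only entries still inside the sliding time window.
        bucket = [(t, a) for t, a in bucket if ts - t <= window]
        recent_by_ip[ip] = bucket
        accounts = sorted({a for _, a in bucket})
        if len(accounts) >= min_accounts and ip not in alerted_ips:
            alerted_ips.add(ip)
            alerts.append((ip, accounts))
    return alerts
```

Running `find_shared_ip_new_country(SAMPLE_LOGINS)` flags `192.0.2.77` at the third account it reaches; the same records viewed one account at a time would each look like a single odd login.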
In other words, some automated attack methods become blatantly obvious in a cloud system. But it also becomes easier to hide. Honeywell says that users need to consider the threats they’re seriously worried about when choosing between a cloud service and a home server:
Cloud services are much more complex systems than, say, a hard drive plugged into your computer, or an email server running in your closet. There are more places that things can go wrong, more moving parts. But there are more people maintaining them too. The question folks should ask themselves is: would I be doing a better job running this myself, or letting someone with more time, money, and expertise do it? Who do you think of when you think about being hacked — is it the NSA, random gamer assholes, an abusive ex-partner? I ran my own email server for many years, and eventually switched to a hosted service. I know folks who work on Gmail and Outlook.com and they do a vastly better job at running email servers than I ever did. There’s also the time tradeoff — running an email server is miserable work! But for some people it’s worth it, because NSA surveillance really is something they have to worry about.
There are few things more annoying in life than the little pop-up that reminds you that updates are required. Often you have to plug your device in, and the updates can take a really long time. But they are often the only thing that stands between you and being owned by a bad guy. Cisco’s O’Donnell said:
Those software update messages are [not] there just to annoy you: The frequency of software updates is driven less by new software features and more because of some very obscure software flaw that an attacker can exploit to gain control of your system. These software patches fix issues that were publicly identified and likely used in attacks in the wild. You wouldn’t go for days without cleaning and bandaging a festering wound on your arm, would you? Don’t do that to your computer.
Despite decades of evidence to the contrary, most people think of hackers as the evil adversaries who want nothing more than to steal their digital goods. But hackers can wear white hats as well as black ones — and the white hats break into systems in order to get there before the bad guys do. Once the vulnerabilities have been identified by hackers, they can be patched. Google Chrome’s Tabriz says simply:
Also, hackers are not criminals. Just because someone knows how to break something, doesn’t mean they will use that knowledge to hurt people. A lot of hackers make things more secure.
O’Donnell emphasizes that we need hackers because software alone can’t protect you. Yes, antivirus programs are a good start. But in the end you need security experts like hackers to defend against adversaries who are, after all, human beings:
Security is less about building walls and more about enabling security guards. Defensive tools alone can’t stop a dedicated, well-resourced attacker. If someone wants in bad enough, they will buy every security tool the target may have and test their attacks against their simulated version of the target’s network. Combating this requires not just good tools but good people who know how to use the tools.
RAND’s Ablon adds that malicious hackers are rarely the threat they are cracked up to be. Instead, the threat may come from people you don’t suspect — and their motivations may be far more complicated than mere theft:
A lot of the time an internal employee or insider is just as big of a threat, and could bring a business to its knees – intentionally or inadvertently. Furthermore, there are distinct types of external cyber threat actors (cybercriminals, state-sponsored, hacktivists) with different motivations and capabilities. For example, the cybercriminals who hacked into Target and Anthem had very different motivations, capabilities, etc. than those of the state-sponsored actors who hacked into Sony Pictures Entertainment.
As many of the experts I talked to said, your biggest threat is somebody breaking into your accounts because you have a crappy password. But that doesn’t stop people from panicking over deadly “cyberattacks.” Ablon says that these kinds of attacks are incredibly unlikely:
Yes, there are ways to hack into a vehicle from anywhere in the world; yes, life-critical medical devices like pacemakers and insulin pumps often have IP addresses or are enabled with Bluetooth – but often these types of attacks require close access, and exploits that are fairly sophisticated and require time to develop and implement. That said, we shouldn’t be ignoring the millions of connected devices (Internet of Things) that increase our attack surface.
Basically, many people fear cyberattacks for the same reason they fear serial killers. They are the scariest possible threat. But they are also the least likely.
As for cyberterrorism, Ablon writes simply, “Cyberterrorism (to date) does not exist ... what is attributed to cyberterrorism today, is more akin to hacktivism, e.g., gaining access to CENTCOM’s Twitter feed and posting ISIS propaganda.”
Ablon writes that one of the main problems she has with media coverage of cybercrime is the misuse of the terms “Darknet” and “Deepweb.”
She explains what the terms really mean:
The Deepweb refers to part of the Internet, specifically the world wide web (so anything that starts www) that isn’t indexed by search engines, so can’t be accessed by Google. The Darknet refers to non-“www” networks, where users may need separate software to access them. For example, Silk Road and many illicit markets are hosted on [Darknet] networks like I2P and Tor.
So get a password vault, use two-factor auth, visit only sites that use HTTPS, and stop worrying about super intricate cyber attacks from the Darknet. And remember, hackers are here to protect you — most of the time, anyway.
This article was originally published in March 2015, and has been updated.