Mon April 21, 2014
Security Threats Hit Deeper Than Heartbleed Bug
CELESTE HEADLEE, HOST:
This is TELL ME MORE from NPR News. I'm Celeste Headlee. Michel Martin is away. You might have been hearing about the Heart Bleed bug over the past couple weeks. And if you haven't, you might want to check it out. It's important. That is the security flaw the researchers say could have compromised up to half a million websites. So maybe you changed your passwords for your online accounts by now.
But Heart Bleed got us thinking here, what other kinds of threats are out there that we don't entirely know about and what can you do to protect yourself from them? We have Gerry Smith with us now to answer those questions. He's a technology reporter for the Huffington Post, and he joins us from our New York bureau. Gerry, thanks for being with us.
GERRY SMITH: Thanks for having me.
HEADLEE: So one of the cyber threats that we're hearing more and more about recently is ransomware. And I wonder if it appears differently, ransomware when it occurs, what is it and how does appear to, say, an individual as opposed to a company?
SMITH: Yeah, ransomware really takes two forms. For the individual computer user, it's essentially a virus that shows up on your computer if you click on a bad link or visit a malicious website. And it'll be a pop-up on your screen, and it often will, you know, purport to be from, say, the FBI. And it'll say that you've been looking at illegal pornography or piracy, and to avoid any kind of law enforcement action, you need to pay such and such amount of money.
You know, it can range from a couple hundred dollars to a couple thousand dollars. But what that does is it essentially locks the - locks you out of your computer, and you don't have access to any of the files on there. But what we're seeing more and more is actually, there's another sort of cyber extortion that's happening to companies.
There's been a few technology startups in recent weeks that have said that they've been extorted by hackers. And it's a little bit of a different attack where suddenly their website or their online service will crash, will get knocked off-line. And then employees at the company will get an email from an unidentified hacker saying, you know, essentially, I just crashed your website, and I'll do it again unless you pay me.
HEADLEE: Does it work? Do some of these companies pay?
SMITH: Well, the companies that have gone public - there's not too many of them - but they said that they didn't pay. And the reason they said they didn't pay was because if they did, even if it was just a couple hundred dollars, they're afraid that they would essentially have a target on their back and that hackers would tell other hackers that these people, you know, they're willing to pay so you should go after them.
And experts say that you should never pay a hacker ransom, that you should go to law enforcement or contact a computer security company that offers a service that can essentially help you out in that situation. But there has been research done that shows that some people do pay. I mean, it's as little - maybe as little as 3 percent of victims will actually pay the ransom.
But that can actually add up to a lot of money for the hackers because they're - you know, they're going after thousands and thousands of computer users. And so even if it's just a couple hundred dollars, you know, if enough people pay, that's a pretty good source of revenue for the computer hackers.
HEADLEE: But how accurate is our data? Do we know how many companies have been targeted? Are they letting us know when this happens?
SMITH: Right, I mean, the statistics are kind of hard to come by because most people who have this happen to them don't say anything, especially if you end up paying a hacker that's - I mean, a company is very reluctant to disclose that publicly. But security companies - Symantec actually did a study last year where they - their estimate is that maybe 3 percent of victims actually pay.
HEADLEE: Is there anything that requires - security problems, privacy problems that requires a company to let us know if our personal information on that website is in danger?
SMITH: Yeah, there's actually laws in almost every state that require companies to disclose if they've been hacked. And there's actually federal legislation right now that's being considered that would make it nationwide because, oftentimes, companies, when they've been hacked, they take a few weeks to investigate, you know, how many people have been affected or whether their customers have been affected.
And then sometimes companies never say that they've been hacked at all because they have stock prices and reputations to uphold, and sometimes their lawyers will say, you know, you should stay quiet about this 'cause we may be facing some lawsuits. But there is more of a push now for these companies to be more open. I know that they're also, you know, being asked to disclose whether they've had any kind of cyber security incident in their SEC filing. So there's a push to have these companies be a lot more transparent about when they're under any kind of threat from hackers.
HEADLEE: Let's bring this back to individuals. I mean, needless to say, if your computer gets locked up and supposedly FBI tells you to send a money order for a couple grand, don't do it. But what are some of the other things that are showing up that are a danger to someone, especially through email?
SMITH: Yeah, I mean, email, I mean, it's actually a very common hacker technique called spear phishing where you'll get an email that looks a lot like a friend or family member or any kind of trusted source, but it's not. It's a hacker who's impersonating that person, and oftentimes they'll have an attachment or a link embedded in that email. And if you click on it, it allows that hacker to essentially take over your computer.
And if you work at a company, that hacker can jump from your computer to some of the other employees' computers and steal data from that company. So, I mean, that's really - you know, email is a very common way that people are getting taken advantage of. You know, there's also just websites that if you go to that website, you don't even have to click on anything on that website, but the website itself is booby-trapped and you'll, you know, just by visiting it, you'll have - your computer will be infected with malicious software.
HEADLEE: We only have about 30 seconds left. But am I - if I'm running my virus scans and malware scans regularly, am I pretty safe?
SMITH: You know, I mean, that's a good idea. I mean, there's some of the other things that, you know, experts will say is use complex passwords, not just 123456. But use words and numbers and letters. Use different passwords for each site. A lot of popular sites now will use what's called two-factor authentication where you not only have to type in a password, but you also get a second password sent to your phone.
That way a hacker, even if they steal their password, they can't get into your account unless they also have access to your phone.
HEADLEE: It just gets more complicated all the time, Gerry. Gerry Smith is a technology reporter from the Huffington Post. Thanks so much for being with us.
SMITH: Thanks for having me. Transcript provided by NPR, Copyright NPR.