Hacked? What’s your digital safety plan?


Joseph Basgier III

Joseph Basgier III

Local experts point out the ways that we make ourselves vulnerable online and what we can do to fix them.

Written by Rosalind Fournier

Portraits by Beau Gustafson

 

A few weeks ago, I was working in my office when I got a call about a problem with my computer. Had I been seeking help for a problem with my computer, this would make sense, but to the best of my knowledge, it was working just fine.

The man on the phone told me how wrong I was. “Your computer seems to be fine to you,” he said, “but it currently is sending error and warning messages to us. This call is to notify you about it. Alright?”

My curiosity piqued, and I played along. “How, again, would you know there is a problem with my computer?”

“We are working on the global server.”

“Oh. So what should I do?”

For starters, he just wanted some basic information, such as what operating system I was using.

“I don’t think it’s a good idea for me to give out that kind of information.”

“Ma’am, we need to confirm this first thing, okay? We are providing support for Windows….”

 

Now, I am no tech wizard, but since I don’t have Windows, it seemed pretty clear that if my computer was secretly doomed, this guy couldn’t help. I hung up and called Perry Computer Services, a local business that sells and services Apple products. Half a sentence into my story, I was informed this was a scam. The technician said his mother had gotten a similar call—and she doesn’t even own a computer.

Apparently, this scam has been running for years. The callers are hoping you’ll give them remote access to your computer, enabling them to install viruses (a sort of self-fulfilling prophesy—“Ha! We told you your computer was infected!”) that dig around in your system for passwords, bank account numbers, and more. Others make it look as though you’ve purchased phony services, for which you’ll be billed indefinitely.

If you ever get a call like that, keep in mind what Microsoft states on its website: “Neither Microsoft nor our partners make unsolicited phone calls to charge you for computer security or software fixes.” But that’s just one scheme, and an old one at that. What about all the other ways we can become victims via the very computers to which we entrust our most sensitive information?

Most of us have a love/hate relationship with technology: It’s a beautiful thing when it works, a nightmare when something goes wrong. To be fair, not every computer problem is caused by human malevolence. But when it is, the headaches can spread far beyond the computer itself.

So how vulnerable are we? Brandon Trussell, residential services manager for Wilson Computer Support in Hoover and Alabaster, says that if your computer hasn’t been compromised in some way, you’re in the minority.  “Of all the computers we work on, I would say that at least 75 percent are infected,” he reports. “In fact, a lot of people will come in with normal wear-and-tear stuff, and we’ll find out their computer is infected on top of that.”

The strategies today’s hackers use for breaking into your computer vary. Trussell says the days are mostly gone when viruses traveled by suspicious-looking emails containing corrupt attachments. A more current trick is for scammers to advertise free music downloads, which contain viruses along with tunes. “There are countless numbers of ways you can get viruses,” Trussell says. “The scams are always changing, because [hackers] are just going with whatever’s popular.”

Ironically enough, among the most nefarious schemes at the moment are ads offering free virus scanning. “They instruct you to let them in as an administrator (your computer’s primary safeguard against unwanted installations),” he explains, “which gives these programs access to everything on your computer.”

Here seems as good a place as any to mention that Trussell believes that people who think Apple computers are immune to viruses are kidding themselves. “I’m sure you’ve heard people say that Macs don’t get viruses, but that’s not true,” he says. “They can. The only reason they don’t is because 90 percent of the world is still running on Windows, so the people that are doing this are going to where the most users are. They’re after the bigger targets.”

But what exactly do they want, and why? The motives of hackers seem to run the gamut, but they largely mirror the same criminal motives that have been around since Biblical times: namely, greed and sex.

Let’s start with greed.

An international player in the fight against cyber financial crime, Gary Warner is the director of research in computer forensics at the University of Alabama at Birmingham and the founder of Malcovery Security, a fast-growing company that fights financial crime through cyber security intelligence and forensic analysis. Earlier this year, the site BankInfo Security named Warner one of the top 10 influencers in banking information security, recognizing him as an expert in phishing attacks and international cybersecurity fraud.

Warner says he’s been interested in computers since he was a child. Though nothing like the Internet as we know it existed in the 1970s, he says some people and entities were able to dial into modems that enabled some form of online communication. Warner was fascinated by the possibilities. “They used to say a ‘hacker’ is just someone who figures out how things work, and so as a youngster I was probably on the hacker side of things a little bit, just trying to understand the connectivity between systems,” he explains. “It wasn’t illegal, and we didn’t do damage. We thought of it as exploring.”

After college, his first job was as a systems programmer at Samford University, working to put Samford on the Internet for the first time. It wasn’t long before he and his team discovered people were breaking into their mainframe in order to run programs using Samford’s equipment. It was about this time Warner began studying viruses, how they spread, and how to detect them. “That’s when I started understanding hacking from a different perspective,” Warner explains. “Now I was the one in charge of systems and having to realize that all those things people were exploring in the ’70s and ’80s, now they’re actually trying to hurt people and steal stuff.”

Today, Warner has spent more than 20 years working in information technology, including nine as an IT director for a major energy company. At UAB since 2007, he started the Computer Forensics Research Laboratory (CFRL) in 2010 to develop investigative tools for analyzing evidence of spam, phishing, and malware. Malcovery, launched a couple of years later, has an exclusive worldwide license with UAB and hires many UAB graduates who have worked with Warner in the CFRL.

Malcovery’s customers read like a who’s who of major Internet companies—in other words, those with the most to lose if their systems are attacked, including eBay, Facebook, VISA, Citi, and Regions Bank. “Financial crime suspects are the kind we focus on primarily at Malcovery,” Warner says. “And those range from individuals who are really looking at it as ‘lifestyle hacking,’ doing it to make enough to pay their bills, to people who are actually involved in very large criminal syndicates. There are very large crime families behind some of the hacking that goes on.” Also lurking in the netherworld of cybercrime, he adds, are foreign governments looking to steal secrets, or corporate spies in search of valuable government, company, or university research.

“Intellectual property theft is one of the very big forms of hacking where the goal isn’t to steal your money—the goal is to steal the research that you’ve done to give some other organization or country a leg up,” he says. “They don’t have to pay for the research, but they have it all.”

Gary Warner

Gary Warner

Though Warner and his colleagues have garnered the most attention for their work protecting high-profile organizations against security breaches, their efforts at UAB also include helping the rest of us protect ourselves against the pickpockets—as well as pranksters, stalkers, perverts, and identity thieves—of the Internet age. Of course, installing legitimate virus-scanning software from Norton, McAfee, and other companies can help, as can virus protection tools that can be downloaded free from Microsoft.

But when it comes to protecting your personal information, it turns out one of the greatest weapons in our arsenal to protect against cybercrime is none other than the humble password. You know this, of course. You know that secure passwords need to include a mix of capital and lowercase letters, numbers, perhaps a punctuation mark of some sort. You probably know it should not include the name of your cat. But how much thought have you given to the risk of using the same password for multiple sites?

“A study published recently estimated that somewhere around 60 percent of all the people on the Internet use a single password to get to everything,” Warner says. “Well, that means the password you use to log in to play a video game is the same one you use to get to your bank account or log into your company’s site, and so on. So we talk about choosing a strong password, and we talk about changing it from time to time, but the more important message is don’t keep using the same password everywhere—because if you do that, and a hacker gets any of your passwords, they have full control of you and all your accounts.”

He adds that while your bank, for instance, may be spending a small fortune to try and protect clients’ information, it could be the registration site for your daughter’s soccer league that becomes your undoing. “Sometimes the site that hackers infect are the fairly low level, even trivial, ones,” Warner says. “They’re less likely to have strong security, so they open the door for hackers to gain access to your bank account and on and on.” (Think they’ll have any trouble finding out what accounts to look for? Check your email: It’s probably full of payment alerts, renewal reminders, and other messages from every site or service with whom you’ve ever registered.)

Warner recommends using password management software such as LastPass, which encrypts and stores your usernames and passwords all in one place, so you can make them as complicated as you want without having to remember them every time you want to log into an account.

Just as theft has increasingly moved into the cybersphere, the Internet has become a valuable tool for criminals of other stripes, as well. What we used to call “peeking Toms”—those creepy guys hiding in the bushes, hoping to catch a glimpse of their victims in various stages of undress (or whatever it is that floats their boats)—still exist. But today they have far more sophisticated options, and probably none of us is as concerned as we should be.

Browsing Facebook a couple of weeks ago, I was startled to see a picture of my old college friend Bhanu Vanapalli sitting in front of his computer holding a handwritten sign: “CAN YOU EXPLAIN WHY YOU NEED TO ACTIVATE MY CAMERA?”

Apparently, he’d called a help desk for assistance with some new software and allowed the technician to “take control of his computer,” a not-uncommon—though often risky—practice in which you give another party remote access to control your computer as if they were sitting right in front of it. It can help with diagnostics and fixing problems, but it also leaves you, your system, and your information open to all kinds of vulnerabilities.

In Vanapalli’s case, the first clue that the technician had overreached his access was an obscured icon near the bottom of the screen that made it appear the webcam had been activated without his permission. “So I wrote him the note,” he explains, pointing out that the fact the technician saw and responded to a handwritten message only proved he had a clear view of Vanapalli at his computer. “His explanation was that he wanted to make sure I was not walking away while he was on the computer. I disconnected immediately.”

The idea of being watched by a stranger surreptitiously was enough to give my friend pause, whatever the motive. But in many cases, the motive is all too clear, Warner says. “With all the computers having webcams on them now, there are literally tens of thousands of people who get their pleasure by observing people secretly on their computers,” he says. Even without activating a webcam, once a hacker has gained access to your files, he or she now has all of your pictures—of you, your children, and yes, maybe even an ill-advised picture your teenager sent to a boyfriend or girlfriend that was meant for their eyes only.

“With some of the most extreme cases, as you’ve seen in the press, they call it ‘sexploitation’—where someone has pictures of you in the nude or whatever because they’ve taken over your computer, and they use that as leverage to convince you to do other horrible things,” Warner warns. “A predator might then say, ‘You’re going to make a movie for me doing this or that, and if you don’t, I’m going to post these nude pictures to all your friends on Facebook.’”

That begs the question: Is Facebook among the greatest inventions of our time, or the gravest threat to our privacy? Experts say the answer is a bit of both—but it depends a lot on how you use it. The difference here is that it doesn’t take a hacker to violate your privacy on Facebook. Too often, we’re just giving it away, which can have huge repercussions when you consider how many people are on your “friends” list—and how little you might actually know about them or their intentions.

Or, others argue, it’s Facebook itself that’s taking advantage of its massive arsenal of personal details and photos. Prompting the most fury was the report earlier this year that Facebook “conducted a massive psychological experiment on nearly 700,000 unwitting users,” according to a story in the Wall Street Journal. The idea, the WSJ explained, was to “determine whether (Facebook) could alter the emotional state of its users and prompt them to post either more positive or negative content,” using an algorithm designed to “omit content that contained words associated with either positive or negative emotions from the central news feeds of 689,003 users.” Apparently, Facebook was hoping to debunk the widespread notion that people get depressed after visiting Facebook and concluding that others are having more fun than they are. (Facebook “data scientists” claim the study did, in fact, disprove that theory.)

To be honest, my problem was not so much Facebook using me as a lab rat, but the fact that the study seemed ridiculously flawed. Along with helping people connect with their friends, Facebook has always been about social one-upsmanship, and seeing my neighbor looking tanned and beautiful on the beach in Belize—while I’m home, pale, stressed out, and wondering if I’ll be able to afford another vacation this millennium—does sometimes prompt wishful thoughts on my part (however fleeting) that they’re going to pay for all that fun in the sun with a bout of skin cancer down the road. But Facebook’s study would never pick up on those “negative emotions from my central news feed,” because it’s not like I’m going to post them.

Warner is well familiar with the idea of Facebook as Big Brother, and he’s not really buying it. However, here he insists on full disclosure: In 2012, UAB’s Center for Information Assurance and Joint Forensics Research received a $250,000 donation from Facebook for its role in tracking spammers including the international crime ring Koobface, infamous for creating a nasty computer worm that spread mostly through social media sites. Warner adds that he counts people on the Facebook security team among his good friends. But not only does he believe Facebook has a vested interest in protecting its users from cyber criminals, he notes that the company is uniquely positioned to do so.

As an example, he points to Facebook’s efforts to fight against child predators. “Facebook is probably doing more to stop crimes against children than anybody else on the planet,” Warner says, “Because of all the access they have, they’re able to detect when people are lurking and preying on teenagers and very actively sharing that information with law enforcement to protect children.”

Warner is also familiar with the complaint that Facebook, Google, and other email/social media companies are mining your information for profit. He’s not particularly troubled by that. “Friends of mine like to joke, ‘Facebook is free. You know what that means? You’re not their customer, you’re their product.’ And that’s true,” he says. “When someone’s offering you a free service on the Internet, they’re using you to generate advertising revenue. So the more they know about you, the more valuable your presence on Facebook becomes to an advertiser. The marketing people would say that’s of service to you—you’re not going to get ads that aren’t interesting to you.

“I would argue they still haven’t mastered that art very well,” he laughs, “but that’s the trade-off. So when people say Facebook is violating my privacy, I say, ‘It allows me to keep in constant communication with 25 relatives who live out of town and hundreds of friends I’ve met at conferences around the world.’”

Finally, Warner points to the privacy settings Facebook provides that many people fail to take advantage of. “The question to keep in mind is, how much do you want to share, and with whom do you want to share it?” he says. “That’s where people aren’t smart. The fact that someone you really don’t know can go on Facebook and see all your personal family photos means you haven’t looked at your privacy settings properly. You can decide on a photo-by-photo basis or post-by-post basis which people you want to see it. I have at least 25 different groups set up on Facebook, so I have some things I share only with my security friends, and some things I share only with my UAB friends, and some things I share only with family. If you’re not in one of those categories, you can’t see it.

“Where you’re going to be harmed,” he continues, “is by things like your future employer seeing you posting drunk party pictures because you didn’t set your privacy settings properly.”

That’s the kind of indiscretion that drives defense attorney Joseph Basgier III of the law firm Bloomston & Basgier insane. As a former Jefferson County deputy district attorney, he knows all too well the importance of being careful about what you show and tell on social media. “I have seen people post things on social media about drug use which came back to haunt them,” he says. “I’ve seen them engage in affairs they thought might be private come back to haunt them. And as a former prosecutor, I can tell you without a doubt that law enforcement and prosecutors will look at social media, because the amount of information you can learn about a defendant is astronomically higher than what you would learn otherwise.” He adds that in civil cases such as divorce, the stakes can be even higher.

True, the law still hasn’t caught up to the technology in a lot of situations, and in at least one prominent case, law enforcement was deemed to be overreaching. In June, the Supreme Court ruled that police cannot search an individual’s cell phone without a warrant, preventing situations such as police seizing phones, calling people on the contact list to fish for information, reading a suspect’s text messages, and so forth.

While the ruling provides a welcome degree of protection, the openings for our privacy to be invaded in the digital age reach farther still than our computers and cell phones. And as with a lot of these issues, it’s often a fine line between protecting one’s personal information and becoming paranoid.

For my husband and me, for instance, it’s less a fine line than a wide gulf. I have rewards cards—a keychain full—for almost every store I patronize. I sometimes fill out surveys online to enter cash sweepstakes. In fact, I’m pretty convinced one of these days Walgreens is going to give me that $3,000 prize they dangle out every time I fill a prescription, provided I keep logging onto their website to rate my latest experience with the pharmacy. My husband, who refuses any and all rewards cards, cancelled his Facebook account less than week after opening it, and snarls at cashiers who dare ask for his email, thinks I am asking for trouble.

I turned back to Basgier for his opinion, and apparently I lost the debate. I told him I could understand not giving out your email address to stores, because even I get tired of the daily barrage of promotions. But to think any harm could come from the automated tracking of my clothing purchases? “That’s not a stretch,” he responded matter-of-factly. “Not at all.”

Basgier explains that he shuns those store memberships himself—not so much because he believes the government or law enforcement are following them or because he’s concerned about grocery stores knowing his favorite brand of laundry detergent. But by allowing all that data to be collected, consumers do inadvertently leave a trail of information about where they’ve been and when.

“I absolutely worry about (that kind of tracking) from an invasion of privacy perspective,” he says. “For example, I cannot for the life of me figure out why people would use that check-in program for Facebook. Why would you ever want the entire world to know where you are at any part of the day? That’s incredibly dangerous, potentially.” Basgier notes that a client of his recently discovered his cell phone account had been hijacked, with someone monitoring his phone calls, reading his texts, “everything you can think of,” he says.  “So I’ve seen what people can do with this technology. You’d be very scared by what someone who’s decided they’re angry with you can do.”

Still, the fact remains that technology users themselves are often their own worst enemies. Decades before the Internet existed, Nixon thought “secretly” taping his own telephone conversations for posterity was a brilliant idea. Two years ago, then-CIA director David Petraeus met his downfall after it was discovered he was having an extramarital affair with his own biographer; the two of them were outed by emails they’d cleverly (but apparently not cleverly enough) hidden in “draft” files for each other to read without ever actually sending them.

Basgier says it only goes to show that you can never be too cautious. From his first meeting with any new client, he always recommends they remove themselves from social media or at least minimize their activity there. He also echoes Warner’s admonitions to check the available privacy protections on one’s accounts. “If people have not engaged those protections, often anyone can access it. No warrant is needed. Those searches can, have, and will happen,” he says.

Legal concerns aside, Basgier says he’d still be a lot more comfortable if more people understood the potential uses of information being gathered about them every day in the cybersphere. His advice to all of us can be summed up as this: “Limit your digital footprint,” he says. “Everyone has something to hide, even if it’s just for privacy.”

Leave a Reply