WASHINGTON (Reuters) - Nobody is safe in the digital world and even the smartest minds in the cybersecurity world constantly struggle to fend off hackers in their personal lives.
Be discerning, be suspicious, and be very paranoid, advised top government and private-sector computer security experts at the Reuters Cybersecurity Summit this week.
“There are two types of people: those who’ve been hacked and those who don’t know they’ve been hacked,” said former Homeland Security Secretary Michael Chertoff, sharing an adage commonly repeated in cybersecurity circles.
In their professional lives, cybersecurity experts use the latest technological innovations to defend computer networks from attack. But when it comes to personal protection, many employ surprisingly low-tech tactics.
Chertoff, who formed The Chertoff Group security consultancy after leaving government in 2009, says he did not use email while in office to cut off one channel of access to his networks. Current Homeland Security Secretary Janet Napolitano does not use email either.
Eugene Kaspersky, whose company makes one of the top-selling anti-virus programs, uses a six-year-old Sony Ericsson cellphone as it is more difficult to hack into than the latest Internet-enabled smartphones.
“I‘m a conservative man,” said Kaspersky, whose Moscow-based Kaspersky Lab has conducted some of the most in-depth research on the Stuxnet virus and other malicious software. “I am paranoid ... I suspect every link and every email.”
Other cybersecurity wonks caution people to keep critical data off hard drives, avoid putting sensitive information in writing and post little personal data on social media.
But not everyone listens, sometimes not even family members.
“My sister is a Petri dish for malware... When I go home to New Jersey, I have to play tech support,” said George Kurtz, chief executive of security firm CrowdStrike.
He added, “Yeah, I‘m pretty paranoid at home and even firewall off my kids.”
FBI Executive Assistant Director Richard McFeely said his daughter, who recently returned home after graduating from college, asked him to look at a link she was sent that urged her to download something in order to watch a YouTube video.
“I made a call and sure enough, it’s phishing,” McFeely said, referring to a common online scam in which users are sent plausible-looking links, which when clicked will infect computers with malicious software. “My daughter easily would have done that if I was not sitting there.”
McFeely said his daughter’s Facebook postings have in the past led to the hacker group Anonymous publicizing her college house address to get at him and his family.
Phishing is one of the most common tools used by hackers. It was through a phishing campaign that hackers managed to break into the Twitter account of the Associated Press and send a fake message last month about explosions at the White House, briefly driving down financial markets.
To avoid such attacks, the North American Electric Reliability Corp, which oversees the security of the electric grid, tests its 200 employees with a fake phishing email every quarter, according to CEO Gerry Cauley.
Anyone who clicks on the link has to undergo an hour of training with the IT department and the CEO himself.
“I explain to them how really important it is. It’s the predominant path into any network security,” Cauley said. He added that 20 employees had clicked on the fake link when he first ran the test, and only eight did in the latest test.
Several experts highlighted the importance of being careful about putting personal information online, though there was also a recognition that social media is here to stay.
“If you’re living in the modern world ... if you’re not in the social media, you don’t exist,” said Kaspersky. “But please, keep your mind switched on, don’t post personal stuff.”
Then again, social media can aid cyber investigators as well as crooks. CrowdStrike said it has managed to build profiles of many hackers, including their photographs, thanks to social media.
“We often bemoan, outside of cybersecurity, that we don’t have privacy anymore, that Google (GOOG.O) and Facebook (FB.O) know so much about us,” said CrowdStrike Chief Technology Officer Dmitri Alperovitch.
“That’s true for the adversaries, too, right? They’re all on social networks, they’re all on Twitter, accumulating a digital trail that often goes back years.”
Reporting by Alina Selyukh; Editing by Tiffany Wu and Tim Dobbyn