The age of passwords is over. That's the claim made in this month's "Wired" magazine. Most of us trust that a string of letters, numbers and characters is enough to protect our bank accounts, email and credit cards. But hackers are breaking into computer systems and hosts of user names and passwords on the Web with increasing regularity. And because so much of our personal information is stored in the cloud, hackers can trick customer service agents into resetting passwords. Some Internet companies say the trade-offs -- convenience and privacy -- are necessary to protect our data. Privacy advocates say that price is too high. Diane and her guests discuss the illusion of online security and whether you can make your accounts harder to crack.
- Simon Davies, Founder of Privacy International.
- Cecilia Kang, Technology reporter for the Washington Post.
- Kevin Mitnick, Information security expert and former hacker.
MS. DIANE REHM: Thanks for joining us. I'm Diane Rehm. Most of us believe if we create long and complex passwords our online accounts will be safe from hackers. But many security experts say that's just not true. And moreover, that the age of passwords is over. Joining me to talk about the illusion of online security and how to make your accounts harder to crack, Simon Davies of Privacy International and Cecilia Kang of the Washington Post. Joining us from Las Vegas Public Radio, Kevin Mitnick of Mitnick Security Consulting.
MS. DIANE REHM: I'm sure many of you will want to join in. Give us a call, 800-433-8850. Send us an email to email@example.com. Follow us on Facebook or Twitter. Good morning everybody, thanks for being here.
MR. SIMON DAVIES: Good morning.
MS. CECILIA KANG: Good morning.
MR. KEVIN MITNICK: Good morning.
REHM: Cecilia Kang, if I could start with you. Do you believe the assertion made on the cover of Wired magazine this month that the age of passwords is over?
KANG: I sort of do.
KANG: The age of dumb passwords has long been over. The age of just a password for security is probably over. And what we've seen is that there needs to be more layers of security online. And some companies are grappling with this and dealing with this with new and additional layers. More layers of authentication. So just the password alone is not going to do it to secure your information online.
REHM: Simon Davies, how about you?
DAVIES: I tend to be a little more optimistic because I think the Internet will always find its way through because, you know, there's a strong communist thread, that being said. So long as people don't lose faith in the Internet, there will be continuing investment in finding better security. But I -- and I agree with what Cecilia said because most people don't resonate with words and numbers. Word-number combinations are completely alien to our language.
DAVIES: So the idea that we can start investing in, not passwords, but tokens, pictures, photographs, film, that's the sort of, and people resonate with that and they'll remember that stuff because it's embedded mnemonically in their brain.
REHM: Interesting. What about you, Kevin? How do you see it?
MITNICK: Well, I think passwords are okay if you're, like, protecting access to reading the New York Times or something that's really innocuous and not sensitive. But if there's a sophisticated adversary that wants to get into your information or into your accounts, they normally can do it. It's just really too easy. And I really think we need to move towards stronger forms of authentication, like for online banking or anything to do with accessing or interacting with any type of sensitive information.
REHM: So is it true that we're seeing an increase in online security breaches, Kevin?
MITNICK: Yeah. I mean, we read about it every day. I mean, you hear about all the antics of Anonymous and LulzSec and what we see nowadays is there's like a new form of hacktivism where hackers are breaking into company networks and they're getting access to their passwords that are stored in back-end databases and are basically dumping this out for the world to see. And what we notice from there is not only, you know, are these companies breached but there's a lot of indication of password reuse.
MITNICK: So if a large entity is compromised and customer passwords are dumped for all to see, it is highly likely that those victims whose passwords were dumped will use those same passwords on other sites on the Internet.
REHM: Why don't complex passwords work anymore, Kevin?
MITNICK: Well, if for example, like I just mentioned, if a hacker gets into a company, dumps out the passwords and those complex passwords are there for users, you know, for anyone to see and then they could reuse those. But complex passwords, you know, over 20 characters that are a mixture of symbols and numbers and uppercase and lowercase letters actually work to a degree. I mean, you could have a secure password but there's always a way to attack the system.
MITNICK: One way is just asking the user. And there was this conference out in London called the Infosecurity Conference. And I believe they went out to London's Waterloo Station armed with free pens. And what they would do is they would ask passersby for their password in exchange for a free pen. So you'd figure, you know, nobody's going to do it, right? But you know what, 9 out of 10. Nine out of ten people simply gave up the password simply by asking for it.
MITNICK: So you have that, and then you look on -- you know, and then you contrast it to something more sophisticated, like sophisticated phishing attacks. And what phishing is, is where an attacker will send you an email purportedly from, you know, some business that you do or some company that you do business with over the Internet and they'll send you a hyperlink that looks legitimate. And you'll click it and it goes to a fake site. And it allows hackers to trick you into inputting your credentials into a form.
MITNICK: And then you have malware. So you basically, you know, you have the spectrum from simply just asking the user for it all the way to more sophisticated attacks. And it doesn't matter if you choose a complex password or simple password because the attacker is going to get it.
KANG: Well, you know, what's interesting is we tend to have sort of contradictory views towards security. We say we want security on the one hand, but we don't want to give up convenience and privacy. And I wanted to mention, and it's interesting this example that's mentioned, Kevin, about giving away your password for a pencil. It's amazing. The top passwords, the most common passwords released by a password management company this year called Splash would really surprise you.
KANG: They're so incredibly common. The most common passwords are: password, the word itself; 12345; QWERTY, the keyboard QWERTY; ABC123; the word monkey; the word letmein. I mean, those are the top passwords. It's so easy, in a way, because people would like to trade the security, the level of complexity of remembering that very complicated 20-character password for the convenience of not simply having to write it down and stash that piece of paper someplace.
KANG: And you see countless examples of how celebrities, the royals with News International where their phones were hacked, voicemail systems were hacked, computers are hacked because often people have the most simple passwords and over and over, for years this has been an issue.
DAVIES: This -- what Cecilia is talking about earlier is what we call cognitive dyspraxia in the information age, which effectively is this. Cognitive dyspraxia is where you hold an idea in your mind, like, I trust -- I don't trust the Internet. I believe in security. I believe in privacy. But you react in a completely different way. With passwords, it's exactly this, according to -- I think I've seen three surveys now on password utilization. Sixty -- around about between 60 and 65 percent of people try to use the same password for every account they've got.
DAVIES: And they, as Cecilia says, they make it as simple as possible. Now what other -- what some companies have done in response is to try and force a different sort of genetic response. So what they say is you've got to have a capital letter. You've got to have at least three numbers and the numbers cannot be sequential. Now this is fine, except the human mind cannot cope with this. So people write -- they write this down on notebooks, for example.
DAVIES: And so all of their passwords are written on a notebook somewhere, and you still find a pattern in all of their passwords, which is -- you can guess it. You can guess it, you know?
REHM: So it's pretty easy to break into, Kevin.
MITNICK: Oh, yeah. Well the, you know, just the patterns, I mean, companies hire me to actually break into their network so I do this all the time. And once I'm able to get certain rights over the network and go through this process and get to, you know, the plain text passwords, I notice that even the administrators, people that are tasked with securing the network for the business actually always have a pattern of choosing their passwords.
MITNICK: So, like, you know, maybe that's their favorite team, you know, their favorite sports team, you know, the Lakers. And then they'll put, like, you know, the month after that. So, like, Laker12. And then in January it's going to be Lakers01, in August it's going to be Lakers08. You see the pattern? Their favorite team and then the month. And I see this time and time again. So, even today if these individuals didn't change their habits, I could predict their password today because people love choosing, you know, using patterns.
MITNICK: And it's easy to remember because people can't remember umpteen passwords, right?
MITNICK: So what they're going to do is, you know, for each site if they're going to go through the trouble in trying to make that password unique for each different website out there on the Internet, they're obviously going to choose a pattern. So now, as an attacker, looking from the attacker's viewpoint, I'm going to try to determine that person's pattern. How can you do it? If you can compromise just one site that that individual accesses, then what you could do...
REHM: You got the whole thing.
MITNICK: ...is you could -- you get the pattern.
MITNICK: And then you could use that intelligence to break into everything else that they have access to.
DAVIES: And presumably, Kevin, presumably, if I check out someone's Facebook page and the Facebook says, I'm a Yankees fan, I'm a die-hard Yankee. You can bet Yankees is going to be in their password.
REHM: Ah. And Cecilia...
MITNICK: And guessing is, like today -- in today's world, all the Internet sites out there, they should have that after X amount of password attempts, that it should lock the user out for a certain amount of time. And if there's Internet properties that don't do that, then it gives the attacker the advantage to simply, you know, run a complete English dictionary...
MITNICK: ...against the person's password and simply guess it that way.
REHM: Cecilia, how long ago did passwords become sort of obsolete?
KANG: Obsolete, you know, because so many companies and so many services just rely on a single password still, so they're still very much alive. But really, in terms of it becoming a very porous, easy security mechanism to breach, it's been years. And I think over the last few years you've seen big examples of banks, of government agencies being hacked into. The problem is not just the fear of your data being exposed and the feeling of invasion of privacy. There's a real money, bottom-line problem with this as well.
REHM: Cecilia Kang, she is technology reporter for the Washington Post. We'll take a short break here. I know many of you have questions. We'll try to get to you as quickly as we can. Stay with us.
REHM: And welcome back. We're talking about the use of passwords, how in fact they have reached a point where as we currently use them they become somewhat obsolete. In fact, Simon Davies is saying what you've got to do is to create something else. Simon, describe that something else.
DAVIES: Well, if you imagine that your account online is like your home and you have a front door. And the front door -- the keys to the front door with a lock is the password. Now you're in control of what that key and what that lock is like. I mean, you can make it a simple latch key which means anybody with a pen could come along and just lift it from the outside. Or you can fashion it into your own design, something only you would know.
DAVIES: Now I mentioned before the word mnemonics. Mnemonics is basically the connection between images, stories, words and numbers in your mind. People think in terms of narrative. They think in terms of stories. Now I can give you -- I can remember a 25-number string just by creating a storyline around images that I've already connected with each of the ten digits. So it might be something stupid like two golfers are sitting on a hill and talking to God and they saw three churches on a mound.
DAVIES: But I remember that story. Now all you need to do is teach kids about mnemonics. It's a short lesson at school and they will remember any password. And it's a tremendous mental exercise. But this is why I'm worried about the premise here. Now we say the age of the password is dead. I agree. The age of the secure password is dying rapidly. But the problem is we're never going to have the sort of security that we need for the incident.
REHM: Well, and the point I want to bring up with Kevin is, as one of the most famous hackers in the world, Kevin, is there any password that you could not get through?
MITNICK: Well, by guessing, yes. I mean, by simply trying to guess the password. But there's so many different ways to break into...
REHM: There are clues.
MITNICK: Well, there's so many different ways of -- I can -- if I could load malicious software onto your computer, no matter how complex your password is, I'm going to be able to obtain it.
MITNICK: But what people can do out there is, you know, what, you know, Simon said about, you know -- you know, which I agree to because that's how mentalists are able to, you know, have these astounding feats of memorization is by associating it with a story. But why should an individual, you know, have to go through that trouble when for free you can download these password managers out there. One of them is called KeePass. Another one is called Password Safe. These are absolutely free for anybody to download.
MITNICK: And what they allow you to do is you could have them randomly -- you could have this tool, this software tool, randomly generate a password for each website or each application that you need access to. And then you have to set a master password, something, you know, that maybe goes along with what Simon was saying, something complex that goes with some sort of story. And you basically unlock this password safe with this master password. And it allows you to completely manage all the passwords that you use that are randomly generated.
MITNICK: And what's really cool about it is it allows you to use a different password for each different website or application out there. So it makes it so the user doesn't have the problem of having to choose the password and manage it. There's already tools out there that allow you to do it. Of course, there's also cons to that. If there's some -- if malware gets onto a user's computer, you know, they could possibly put on a key logger.
MITNICK: And what a key logger does is it secretly sits in the background and when you're typing in characters, you know, on your keyboard it steals those and sends it to the attacker. Then if they could unlock your master password database then they have access to everything. So there's always pros and cons to how you're going to deal with the problem.
KANG: Well, there's certainly many technological solutions in the works. The one thing though that is tried and true is that a lot of the hacking that's done, a lot of the breaches are done through what's called social engineering, just simply figuring you out. You know, I can just, if you will, Google or Bing you, you know Diane, and figure out a lot about you through what's available on court, public documents, government documents, what's available. What you might've said one day. You know, you're on Twitter as well so I might look at, you know, something you might've said that has some sort of personal reveal that you might've said on Twitter or Facebook or what have you.
KANG: We are so exposed online right now and that's one of the wonderful things about being online is that you can actually be so present online. But that's the other part of it. You are so present online and so you're very revealed and it's very easy to figure you out.
REHM: Here's an email from Steve who says, "Why not use one very good password for many sites?" Simon.
DAVIES: It would need to be very good and I would reflect what Kevin was saying earlier, that if you're going to do that then use one of these password managers because people now have dozens of accounts requiring dozens of passwords. There is another -- this is the elephant in the room. Let's talk about this one for a second. There is an argument that the bigger the machine gets -- the internet machine, the more we have to become fused with it to have security. It's almost like an organic, biological thing.
DAVIES: So fusion of flesh and machine would mean there is a biometric solution, in other words fingerprints. Now I hate the idea of fingerprinting and biometrics and iris scans when it comes to government for example, corporations, but there are ways -- and Kevin, you're probably right on the cutting edge of this -- there are ways that you can securely use a biometric, a fingerprint from your machine where there is, you know, a handshake with a website that recognizes that biometric.
DAVIES: Now it's not given to anybody else, it's not disclosed, it's encrypted securely. Now that is a possibility.
REHM: Is that where we're headed?
DAVIES: Well, I say if it were because I was going to ask Kevin, does the biometric solution actually work?
MITNICK: Well, let me tell you a quick story. I was hired by a company that was working on -- a financial company -- a financial services company. And they were pretty much a target rich environment because if their site was compromised it gives the attacker access to cash. And so they were looking at security solutions and one of them was a voice biometric security solution. So they tasked me with testing the security.
MITNICK: And basically what you would do to register is you'd have to repeat a series of digits a few times. And then it would tell you what digits to say. It'd say, you know, please say 5, 2, 1, 6, 7. You'd say 5, 2, 1, 6, 7 and it'd have you go through the process, you'd register. And then when you had to verify who you were to authenticate it would ask you to please say a series of numbers and you'd say it. And if it recognized your voice it authenticated you. So they said is this secure?
MITNICK: So what I ended up doing is contacted the CEO of the company and asked if I could, you know, try to test the system for security flaws. He said fine. And then a couple days later I gave the -- I called up the CEO and I used a thing called caller ID spoofing which allowed me to change the number that would be displayed on his phone. And what I -- what number I set to display on his phone was 702-354-1689. And that's -- what those digits are it's actually 1 through 0.
MITNICK: And so what I did is when I called him I said, oh by the way did you get my new phone number? And he goes, oh yeah, it's on my caller ID. Oh, which one do you have? And he actually goes, 702-354-1689. Oh yeah, you're right. That's the number to reach me on in the future, which, you know, wasn't true. But now I was able to take a recording of his voice saying the digits and break it out into each digit at a time. So then I was able to call into the system and with his voice break through the system.
MITNICK: And it took all about ten minutes. So there you go. There's always a way to get around the system.
REHM: Okay. So that's -- okay. So that's a voice biometric, but what about some kind of iris scan or fingerprint?
MITNICK: Well, once somebody steals your biometric -- it depends how it's -- you know, it's gone forever -- it depends how it's implemented. If your -- if they do an iris scan and it sends a blob of data to a server. And the attacker could intercept that blob of data -- it really depends on the implementation -- then they could just replay the data, for example. Depending on how the system was implemented. You know, we're talking about, you know, simplistic stuff here.
MITNICK: So if the hacker could replay your biometric authentication well then they can impersonate you. But there's...
DAVIES: Yeah, this is a problem, isn't it?
DAVIES: But I mean, with iris scans for example, I mean, people think it's fancy technology. It's not. It's just -- it's a snap, that's all it is. And it takes your eye and puts a string of numbers down the line and that authenticates you. Um, but fingerprints could be a bit tougher, though. I don't know if you agree with this (unintelligible). I mean, I think the fingerprints take a lot -- to steal someone's fingerprint and actually convert it electronically into a way that could be used live online, maybe that's getting a bit difficult.
MITNICK: That's already been compromised. A Japanese guy used gummy bears to actually...
DAVIES: Oh yeah, but he had to use gelatin and it was a big...
KANG: He used gummy bears?
MITNICK: Yes, he did use gummy bears.
KANG: Let's not miss that point. It's very interesting.
REHM: He used gummy bears to cover (unintelligible).
KANG: That's -- well, I've also heard -- and I'd be interested to hear, Kevin, from you and Simon, that printing has become so sophisticated with HD printing, 3D printing coming as well, that you can essentially replicate fingerprints and iris, you know, identification going forward.
REHM: You guys are leaving me with nothing. I mean, really what...
MITNICK: There's always a way around the system depending on the attacker.
REHM: Yeah, and that's what you were saying. And here's an email from Ralph who says, "How does malware get into a computer and how does it work?" Cecilia.
KANG: Well, Kevin's actually really the pro on this. Well, there's many ways malware can get into a computer, and I think it becomes much easier when we're connected onto the internet all the time. So once you're inside your device through the cloud -- Wi-Fi networks are particularly vulnerable as well -- then you attack the computer. And that's -- and you get whatever information you want. And, Kevin, please correct me, jump in.
MITNICK: Well, if you can get his email address I'll send him a PDF file and demonstrate it to him. No, I'm just kidding. But usually it's by opening up office documents or PDF files that have been booby trapped. And the reason that works is because the software that resides on the individual's desktop is vulnerable and probably not updated. Or clicking on a hyperlink that exploits a vulnerability in the browser that the person is using.
MITNICK: So one method to try to remediate this is people out there can go and download a program that's actually free of charge called Personal Software Inspector. And what this does is it actually scans your system, your desktop, tries to find what software is out of date and it notifies you so you can update that software so you don't remain vulnerable. But that's how attackers break in is they send you through email usually a booby trapped file, a booby trapped hyperlink. And when you click on it or open up that attachment the game is over. They're in and you're out.
REHM: All right. So now tell me about the CIA, the FBI, the Department of Justice, all the government email accounts. Kevin, how do you get in?
MITNICK: How does the CIA get in or how does someone get into the CIA?
REHM: How do you get in? How would you get in to the CIA?
MITNICK: Well, to be honest with you, you know, it probably wouldn't be that hard. And all you really have to do is -- a government agency like the CIA has a lot of employees -- and if you could do what we call information reconnaissance and try to determine what software that an individual's using on their desktop and the version, like if they're using for example an older version of Adobe Acrobat, you know, as an example.
MITNICK: And then really all you have to do is try to determine who that person would likely have contact with, what companies, what other government agencies, what individuals? You could usually find that through social networking. And then what you do is you send that person an email with a booby trapped file, that as soon as they open up the file it exploits again a vulnerability in the software that resides on their desktop. And now the attacker is inside the system.
MITNICK: And this is exactly what happened at RSA, which is a large security company. One employee opened up an Excel document that was booby trapped and RSA ended up losing extremely sensitive information. It happened to Google. It happened to several DOD government agencies. This is a hybrid of social engineering. You're using social engineering, which is using manipulation, deception and influence to get a target to comply with a request. And that is to open up a file, right, or click on the hyperlink. And then once they do that it exploits the technical vulnerability in the software that resides on the desktop. So this is how you would compromise a government agency.
REHM: Kevin Mitnick. He's an information security expert, a former hacker. His latest book is titled "Ghost in the Wires." And you're listening to "The Diane Rehm Show." It sounds to me as though you are all saying number one, be careful of what you open when you don't know something or from where that individual email or something is coming from. But as far as passwords are concerned it sounds to me as though you're saying anybody can get into your account at any time. Simon.
DAVIES: Well, I think what we're all saying in a way is, yes that passwords are becoming more vulnerable simply because the weight of the attack and the potential attack on you is greater and greater. But remember that's only because people don't understand the risk. People are going to go just opening whatever, as you say, they'll use the same passwords. They don't understand because it's been so -- I mean, human history, this is such a recent development. It's going to be another two generations before people get security and they understand. And people adapt accordingly.
DAVIES: It's why I did -- and now I got quite pessimistic toward the end there, but I do keep my optimism that ultimately we -- and people -- the internet as an organism will adapt. And the one line we absolutely have to draw, though, is the privacy line. There's too much information being demanded. You see it in the real world. I was out last night in D.C. People demanding identification -- I'm a middle-aged man -- identification to go into a bar. So you can imagine what it's like in the online world. People will just -- and everybody was giving their IDs to this bouncer. And I was saying to them, what are you doing? Why are you giving your -- these people want your money for a drink.
DAVIES: Now it's the same online. Information is demanded of you by all these sites in the name of security and people will just hand it over without question. Now that's got to stop and that will stop.
KANG: I would actually...
MITNICK: Well, Scott McNealy says you have no privacy, get over it.
DAVIES: Yes, I remember that.
KANG: I would actually say that people do, to a certain extent, understand the risks. They're just not willing to give up the convenience of a free email provider, a free documents cloud service, a free social networking site. They're not willing to give up sort of the convenience of that, of using these services for the sake of privacy -- I mean, of security.
REHM: But look ahead two generations as Simon has just done. Do you believe that somehow within two generations we will have figured out a new way to have privacy...
KANG: Well, definitely there's two competing...
KANG: There's definitely going to be better security. There's great security already out there as Kevin mentioned. Password managers are really simple solutions. There is -- but you're -- competing forces. You have technology that's changing, that's becoming much easier to hack into, making it easier to hack into systems as well as better security technology.
REHM: Cecilia Kang, technology reporter for the Washington Post. Short break, right back.
REHM: And here's an email from Nate in Baltimore, "What about double authentication as Google offers for its accounts? How secure is that process?" Kevin.
MITNICK: Well, I'm actually -- I love Google's two step authentication. In fact, when it first came out, I tweeted to all my followers that they should immediately enable it. And what Google allows you to do is you could set up the service, the security service, so when you log into your account, not only do you need your password, but you need a six digit code. And this code changes every time you log in. And if you're using an Android or an iPhone, you could download this application onto your phone and it will display the code, or you could choose to have the code sent to you by text message or actually to call you and verbally give you the code.
MITNICK: And I think that if you're a Gmail user or you're using Facebook or Dropbox or any of these services, you should immediately activate two step authentication, what we call two factor authentication. And has this been compromised? Well, if people set up on their email account a phone number, and the phone number allows you to do a password reset, if attackers could compromise your cellular phone account at AT&T, T-Mobile or whatever, and usually they can by simply just finding the last four digits of your social security number. Then what they could do is they could do what we call an account takeover.
MITNICK: What they'll do is they'll first compromise your cellular phone account, forward your number to their prepaid cell phone or a pay phone or whatever. Then they'll go through the password reset process. And when Google calls your phone to do the password reset, it actually gets transferred to the attacker's phone and they go through the process and they hijack your account, so...
REHM: All right. Simon, you've had some experience with this.
DAVIES: Well, this is a real world sort of as opposed to the cyber world. This is a real world double authentication. I have -- listeners will have this experience where your providers, your cell phone provider, your bank, whatever, will ring you periodically. And how do you know it's them on the other end of the line? They ask you for authentication. Would you give us your zip code and date of birth? Well, who am I giving this to?
DAVIES: I don't know. So with all of my providers, I've told them on the special instruction field on the account -- and everyone can do this. This is a good fun game for everyone to play. There is a special instruction field. You give them a word to put into that field. And then when they call you, you say, go to the -- scroll down, special instruction field, what's the word there? And they'll say poopsie poo or something ridiculous like that. You know, something that will make the whole call center giggle, you know. And I then know there's no more arguments about this.
DAVIES: I don't have to call them back at my expense. You know, I know who they are, they know who I am.
REHM: And, Cecilia, what about you? How do you use double authentication?
KANG: Well, I'm a fan of the double authentication as well. I've done that with my Google accounts and my other accounts as well. The idea is, and you see this -- you see this actually also with credit cards, you know, the security code on the back of your card. So the idea is that your credit card might be all over the internet, your credit card number, but you have in your hand your credit card and only you can see the back security code. I mean, that's the idea at least and that's...
REHM: But you have to put that...
KANG: You do have to -- exactly.
REHM: ...security code up there as well, so...
KANG: As well. So that sort of defeats the idea...
KANG: ...is that the idea of double authentication or even multiple authentication is that you have multiple ways of saying this is really you. I'm carrying my phone on me, so only I will see that text message with that security code that I enter in to re-log onto my Gmail for example.
REHM: Good. All right. Here is a caller in Bradenton, Fla. Good morning, Chris.
CHRIS: Good morning, Diane. Good to speak to you.
CHRIS: I feel in a way this has almost been answered, but, you know, we hear a lot about encryption technology which even the U.S. government can't always decipher. And I wondered whether a password was created with letters, numbers, symbols or was biometric, whether it couldn't in some way be encrypted so that, you know, it would be very difficult to break it.
DAVIES: Well, I'll defer to Kevin on this one because he knows the cutting edge on the encrypted passwords, but as he will probably say, it's not quite the solution that it's made out to be.
REHM: All right. Kevin.
MITNICK: Well, actually in Windows your password is, you know, what we call hashed and which is, you know, a form of encryption, let's say. And there's tools out there to basically do dictionary attacks and to run it through what we call rainbow tables, which are already pre-computed passwords. So that idea really won't work. I want to digress, Diane, when we're talking about -- well, when Simon was talking about his authentication at his financial institution.
MITNICK: I recently called Bank of America because I had an issue with my credit card. And they go, hi, you know, what's your name? I go, you know, Kevin Mitnick. And they go, okay, sir, what's your password? I go, okay, I'm thinking, because I'm trying to remember what password I set up for this account. They said, oh, no problem, sir, we'll help you out. It's a place you'd like to vacation and it begins with an H. And then I wanted to ask the lady, I said, can I -- I wanted to say, could I buy a vowel? I wanted to buy a vowel. You know, and this is -- this is customer service today where, you know, it's all about convenience and customer service and security is, you know, the lowest on the totem pole here, so...
MITNICK...I just wanted to tell you that funny story.
REHMOkay. Let's go to Middletown, Md. Good morning, Stan.
STANGood morning. I just want to talk about the password issue. So I read a security report that said that passwords should be longer than -- should at least be 14 letters. And so the way I solve it is I have two address books that I keep the sites that I go to written down. And I bought a Rubik's Cube. And on the Rubik's Cube I assigned numbers, letters, uppercase, lowercase, and symbols randomly. And all I have to do to generate a 16 code password is to just twist the cube a few times.
REHMHow do you like that? How do you like that, Kevin?
MITNICKThat's awesome. I'd use a password manager, you know, instead of...
STANI don't keep anything -- I don't even keep passwords...
MITNICK...going through that trouble.
STANYeah, (unintelligible) can still be hacked, so I don't keep anything related to passwords on the computer anywhere.
MITNICKAnd, you know, another problem, Diane, is when I'm doing security testing at companies, and I get into their file servers, the first thing I do is do a full directory looking for any files that are password, passwords.doc, .xls, .csv.
MITNICKAnd in 100 percent of the cases I find that my client's users are actually storing plain text passwords in Excel documents, in text documents and basically is the keys to the kingdom.
REHMI'm breathless. I really am. My producer, Susan Nabors, says she's going to move to the woods. I think -- go ahead, Simon.
DAVIESI was going to say, though, we look at the internet and we imagine it as a technology network. It's actually not. It's -- increasingly it's a social network. And it conforms to social norms and mores. And no social system has ever been perfect. There's always been security threats, whether it's, you know, chasing animals for food or, you know, security within a town. And maybe we don't want 100 percent security because God knows what cost that would apply in terms of our freedoms.
DAVIESSo I like this tension. I love the fact that here we are in 2012 having this debate with people engaged and we're so generally optimistic and we're aware of the threats. I mean, that wasn't the case ten years ago. You know, so things are moving forward. And like any social system, we will adapt and improve as I said before.
REHMI hope you're right. Let's go now to Burlington, Ky. Good morning, Andy.
ANDYThank you so much for taking my call.
ANDYI appreciate it. I'm a contractor for AT&T. And talking about the issue of biometrics for use and security earlier, I was reading on AT&T's website about a technology that they're developing that they're calling bioacoustical data transfer that, from what I can understand, sends a small little pulse through the user's skeletal frame from a device such as a watch or a smart phone. And everybody's skeletal frame has, like, a unique (unintelligible) and then they can use that to establish identity. So I just wanted to know if any of your panel is familiar with that or might be able to shed some light on it, because I'm feeling that's kind of Star Trek-ish a little bit.
REHMYeah, it sounds that way. What about that, Kevin?
MITNICKYeah, I haven't heard of such a thing, but it did give me a chuckle.
REHMSo what do you think, Simon?
DAVIESWell, in biometrics obviously because there's so much money going into research at the moment, and the European Union I noticed they were pumping some money into body odor biometrics. So, you know, it would basically take -- so it's a pheromone or whatever that was unique.
REHMHow about my perfume?
DAVIESWell, you've got pheromones in your perfume.
DAVIESSee, it would pick that up, but I'm guessing that what they're looking for is a unique -- that unique combination.
DAVIESAnd so nothing surprises me in the biometric arena anymore.
REHMWow. All right. Let's go to Kyle in Wixom, Mich. Good morning, you're on the air.
KYLEGood morning. Thank you for taking my call.
KYLEHello, Kevin, a big fan. So...
KYLE…I'd just like to say that I'm a developer for CRM systems and I administer over them. And one of the biggest security compromises that I've seen is actually the email system itself. The email system is kind of the keys to the castle. If you can get the password to the email, you can go to other services and click on the reset my password button and it will just be emailed to you or a quick way to get into the system. So through one link (unintelligible)
MITNICKWell, hopefully it does a password reset and doesn't send you the plain text password. That's kind of scary. Most sites hopefully will send you the reset, so the victim will eventually figure out they can't get into their account and realize that there's a problem.
KYLERight. But -- yeah, I mean, it's not the best way to get in, but it certainly does happen and people can get in pretty easily actually. You can -- there are services in China and whatnot that will send you a corporate email account for about $100. So I just wanted to give my comments. And I'll take anything else off the air. Thank you.
REHMAll right. Thanks for calling. Anything else?
MITNICKOh, by the way -- by the way what he did say about breaking into a corporate email account for $100, there's a service that you could send $100 to these guys, and what they would do is they would guarantee they would break in to a person's Yahoo account, Hotmail, Gmail, it didn't even matter. And they would charge you $100 that you'd have to send. So I actually wanted to figure out what they were doing. So I set up -- I set up a fake email account for me and I sent the $100, and I said, hey, go ahead and crack this person's account. It's my girlfriend's account, when it was just an account I set up.
MITNICKAnd so what it ended up being at the end of the day is they send a phishing email. And a phishing email is basically an email that contained a hyperlink that once you click it, it looked like you were logging back on to your email service. So it was a very simple type of attack, yet effective because these guys were making money.
REHMYeah, and that's a question I have, Cecilia, who is it that's hacking into our accounts? Who wants them?
KANGSo their -- it's interesting. On the one hand you have organized crime organizations outside of the U.S. that want information that's very valuable. They can get into your bank accounts, actually take money, for example, in the U.S. as well. Then you often have in this Wired article and you've heard this anecdotally as well, just bored people who do this sort of for fun. They wanted the challenge of seeing if they can hack into something.
KANGSo -- and then you also have groups that are sort of semi anarchic, you know, groups like Anonymous who do this with a purpose. You know, if they feel like, for example, the FBI made a decision on something, they'll take down the FBI site. So there's lots of -- there's lots of different groups that try to hack for different motivations, but there's money, they're sometimes bored, and there's sometimes also the thrill and the challenge.
REHMAnd you're listening to "The Diane Rehm Show." Kevin, give us a sense of some of the new techniques that people are working on to try to protect passwords.
MITNICKWell, they're moving to more forms of authentication, not just relying on a single factor, such as a password, going to multiple factor authentication. And then using technologies where you could authenticate to, for example, maybe a business website by -- through your Facebook account or basically by if you, you know, log into your Facebook account, it uses this process to authenticate you to a third party company. So this is becoming more popular. And there's companies out there that are developing new technologies and trying to come up with better ways to authenticate the end user because it is such a big hole in the system, and to help companies and businesses and people protect themselves in a better way.
REHMAll right. Final caller in Cleveland, Ohio. Shogie, you're on the air.
SHOGIEThank you for having me. I'm a big fan.
SHOGIEI wanted to know if there's a difference whether consumers -- your experts could comment on Windows versus Apple machines. A lot of people buy Apple products. I've been a big fan for the last few years after working in PCs for a while. And if the security and password management on their browsers is any different.
DAVIESI'm not familiar with -- well, I'm an Apple user. I'm becoming a little bit distressed frankly at some of the changes in their design, I'm going to say. So I again defer to Cecilia and Kevin on this one. I've got to say that Microsoft from what I can see is shifting security and privacy significantly in the right direction. The problem with Apple generally as I see it is what you might call a magnetic ports problem. It's little things, design problems with Microsoft -- with Apple are starting to become obvious. And I'm wondering whether Apple's kind of losing its grip on a lot of design elements, whereas Microsoft as a kind of operating system seems to be getting its head wrapped around the security and privacy.
DAVIESI don't know. You two may have a different view on this.
MITNICKWell, you know, people ask me that question all the time, what's more secure, having Apple or -- Apple or Windows. And I think actually Windows is a more secure operating system if you actually, you know, had it configured and hardened properly. But what the problem is, is you have a lot of virus or what we call malware writers out there and they develop malicious code to attack the populace. And Microsoft still has the greater market share. So if you have the Russian business network that wants to compromise, you know, as many people as they can, they're going to write a piece of malware for the Windows operating system and deploy that into the wild.
MITNICKAnd so that's why we don't see a lot of problems with people that are using, you know, the Mac platforms is because they're not being as attacked as much as people using the Windows platform. But I think that is going to change. I think now we're seeing -- we're seeing people shift to attacking Mac platforms as well.
KANGYou know, I have a question actually for Kevin. Does that also apply...
KANG...to smart phones? Because I feel like smart phones, everything's connected. Your contact lists and everything are so connected with different third parties.
REHMSure. Kevin, very quickly.
MITNICKWell, the Android platform, for example, is -- you know, there's been lots of exploits for that. If people jailbreak their iPhone, it kind of opens them up to exploitation. So these -- you know, the iPhone runs pretty much an -- it's running -- these devices run an operating system and they could be attacked just like a computer can. And you're right...
MITNICK...it's a very target rich environment.
REHMWe'll have to leave it there. Kevin Mitnick, Cecilia Kang, Simon Davies, you've given us all tons to think about. Thank you very much. And thanks for listening all. I'm Diane Rehm.