The Illusion Of Online Security

MS. DIANE REHM

11:06:57
Thanks for joining us. I'm Diane Rehm. Most of us believe if we create long and complex passwords our online accounts will be safe from hackers. But many security experts say that's just not true. And moreover, that the age of passwords is over. Joining me to talk about the illusion of online security and how to make your accounts harder to crack, Simon Davies of Privacy International and Cecilia Kang of the Washington Post. Joining us from Las Vegas Public Radio, Kevin Mitnick of Mitnick Security Consulting.

MS. DIANE REHM

11:07:38
I'm sure many of you will want to join in. Give us a call, 800-433-8850. Send us an email to drshow@wamu.org. Follow us on Facebook or Twitter. Good morning everybody, thanks for being here.

MR. SIMON DAVIES

11:07:57
Good morning.

MS. CECILIA KANG

11:07:57
Good morning.

MR. KEVIN MITNICK

11:07:59
Good morning.

REHM

11:08:00
Cecilia Kang, if I could start with you. Do you believe the assertion made on the cover of Wired magazine this month that the age of passwords is over?

KANG

11:08:14
I sort of do.

REHM

11:08:15
You do?

KANG

11:08:16
The age of dumb passwords has long been over. The age of just a password for security is probably over. And what we've seen is that there needs to be more layers of security online. And some companies are grappling with this and dealing with this with new and additional layers. More layers of authentication. So just the password alone is not going to do it to secure your information online.

REHM

11:08:41
Simon Davies, how about you?

DAVIES

11:08:44
I tend to be a little more optimistic because I think the Internet will always find its way through because, you know, there's a strong communist thread, that being said. So long as people don't lose faith in the Internet, there will be continuing investment in finding better security. But I -- and I agree with what Cecilia said because most people don't resonate with words and numbers. Word-number combinations are completely alien to our language.

DAVIES

11:09:08
So the idea that we can start investing in, not passwords, but tokens, pictures, photographs, film, that's the sort of, and people resonate with that and they'll remember that stuff because it's embedded mnemonically in their brain.

REHM

11:09:21
Interesting. What about you, Kevin? How do you see it?

MITNICK

11:09:26
Well, I think passwords are okay if you're, like, protecting access to reading the New York Times or something that's really innocuous and not sensitive. But if there's a sophisticated adversary that wants to get into your information or into your accounts, they normally can do it. It's just really too easy. And I really think we need to move towards stronger forms of authentication, like for online banking or anything to do with accessing or interacting with any type of sensitive information.

REHM

11:09:57
So is it true that we're seeing an increase in online security breaches, Kevin?

MITNICK

11:10:07
Yeah. I mean, we read about it every day. I mean, you hear about all the antics of anonymous and LulzSec and what we see nowadays is there's like a new form of hack-tivism where hackers are breaking into company networks and they're getting access to their passwords that are stored in back-end databases and are basically dumping this out for the world to see. And what we notice from there is not only, you know, are these companies breached but there's a lot of indication of password reuse.

MITNICK

11:10:42
So if a large entity is compromised and customer passwords are dumped for all to see, it is highly likely that those victims whose passwords were dumped will use those same passwords on other sites on the Internet.

REHM

11:10:59
Why don't complex passwords work anymore, Kevin?

MITNICK

11:11:06
Well, if for example, like I just mentioned, if a hacker gets into a company, dumps out the passwords and those complex passwords are there for users, you know, for anyone to see and then they could reuse those. But complex passwords, you know, over 20 characters that are a mixture of symbols and numbers and uppercase and lowercase letters actually work to a degree. I mean, you could have a secure password but there's always a way to attack the system.

MITNICK

11:11:38
One way is just asking the user. And there was this conference out in London called the Infosecurity Conference. And I believe they went out to London's Waterloo Station armed with free pens. And what they would do is they would ask passersby for their password in exchange for a free pen. So you'd figure, you know, nobody's going to do it, right? But you know what, 9 out of 10. Nine out of ten people simply gave up the password simply by asking for it.

MITNICK

11:12:06
So you have that, and then you look on -- you know, and then you contrast it to something more sophisticated, like sophisticated phishing attacks. And what phishing is where an attacker will send you an email purportedly from, you know, some business that you do or some company that you do business with over the Internet and they'll send you a hyperlink that looks legitimate. And you'll click it and it goes to a fake site. And it allows hackers to trick you into inputting your credentials into a form.

REHM

11:12:38
Yeah.

MITNICK

11:12:39
And then you have malware. So you basically, you know, you have the spectrum from simply just asking the user for it all the way to more sophisticated attacks. And it doesn't matter if you choose a complex password or simple password because the attacker is going to get it.

REHM

11:12:53
Cecilia?

KANG

11:12:54
Well, you know, what's interesting is we tend to have sort of contradictory views towards security. We say we want security on the one hand, but we don't want to give up convenience and privacy. And I wanted to mention, and it's interesting this example that's mentioned, Kevin, about giving away your password for a pencil. It's amazing. The top passwords, the most common passwords released by a password management company this year called Splash would really surprise you.

KANG

11:13:24
They're so incredibly common. The most common passwords are, password, the word itself, 12345, QWERTY, the keyboard QWERTY, ABC123, the word monkey; the word letmein. I mean, those are the top passwords. It's so easy, in a way, because people would like to trade the security, the level of complexity of remembering that very complicated 20-character password for the convenience of not simply having to write it down and stash that piece of paper someplace.

KANG

11:13:54
And you see countless examples of how celebrities, the royals with news international where their phones were hacked, voicemail systems were hacked, computers are hacked because often people have the most simple passwords and over and over, for years this has been an issue.

REHM

11:14:09
Simon.

DAVIES

11:14:11
This -- what Cecilia is talking about earlier is what we call cognitive dyspraxia in the information age, which effectively is this. Cognitive dyspraxia is where you hold an idea in your mind, like, I trust -- I don't trust the Internet. I believe in security. I believe in privacy. But you react in a completely different way. With passwords, it's exactly this, according to -- I think I've seen three surveys now on password utilization. Sixty -- around about between 60 and 65 percent of people try to use the same password for every account they've got.

DAVIES

11:14:49
And they, as Cecilia says, they make it as simple as possible. Now what other -- what some companies have done in response is to try and force a different sort of genetic response. So what they say is you've got to have a capital letter. You've got to have at least three numbers and the numbers cannot be sequential. Now this is fine, except the human mind cannot cope with this. So people write -- they write this down on notebooks, for example.

DAVIES

11:15:15
And so all of their passwords are written on a notebook somewhere, and you still find a pattern in all of their passwords, which is -- you can guess it. You can guess it, you know?

REHM

11:15:24
So it's pretty easy to break into, Kevin.

MITNICK

11:15:28
Oh, yeah. Well the, you know, just the patterns, I mean, companies hire me to actually break into their network so I do this all the time. And once I'm able to get certain rights over the network and go through this process and get to, you know, the plain text passwords, I notice that even the administrators, people that are tasked with securing the network for the business actually always have a pattern of choosing their passwords.

MITNICK

11:15:56
So, like, you know, maybe that's their favorite team, you know, their favorite sports team, you know, the Lakers. And then they'll put, like, you know, the month after that. So, like, Laker12. And then in January it's going to be Lakers01, in August it's going to be Lakers08. You see the pattern? Their favorite team and then the month. And I see this time and time again. So, even today if these individuals didn't change their habits, I could predict their password today because people love choosing, you know, using patterns.

MITNICK

11:16:30
And it's easy to remember because people can't remember umpteen passwords, right?

REHM

11:16:35
Right, right.

MITNICK

11:16:35
So what they're going to do is, you know, for each site if they're going to go through the trouble in trying to make that password unique for each different website out there on the Internet, they're obviously going to choose a pattern. So now, as an attacker, looking from the attacker's viewpoint, I'm going to try to determine that person's pattern. How can you do it? If you can compromise just one site that that individual accesses, then what you could do...

REHM

11:17:00
You got the whole thing.

MITNICK

11:17:00
...is you could -- you get the pattern.

REHM

11:17:02
Yeah.

MITNICK

11:17:02
And then you could use that intelligence to break into everything else that they have access to.

DAVIES

11:17:07
And presumably, Kevin, presumably, if I check out someone's Facebook page and the Facebook says, I'm a Yankees fan, I'm a die-hard Yankee. You can bet Yankees is going to be in their password.

REHM

11:17:17
Ah. And Cecilia...

MITNICK

11:17:19
And guessing is, like today -- in today's world, all the Internet sites out there, they should have that after X amounts of password attempts, that it should lock the user out for a certain amount of time. And if there's Internet properties that don't do that, then it gives the attacker the advantage to simply, you know, run a complete English dictionary...

REHM

11:17:43
Yeah, right.

MITNICK

11:17:44
...against the person's password and simply guess it that way.

REHM

11:17:45
Cecilia, how long ago did passwords become sort of obsolete?

KANG

11:17:53
Obsolete, you know, because so many companies and so many services just rely on a single password still, so they're still very much alive. But really, in terms of it becoming a very porous, easy security mechanism to breach, it's been years. And I think over the last few years you've seen big examples of banks, of government agencies being hacked into. The problem is not just the fear of your data being exposed and the feeling of invasion of privacy. There's real money bottom line problem with this as well.

REHM

11:18:30
Cecilia Kang, she is technology reporter for the Washington Post. We'll take a short break here. I know many of you have questions. We'll try to get to you as quickly as we can. Stay with us.

REHM

11:20:07
And welcome back. We're talking about the use of passwords, how in fact they have reached a point where as we currently use them they become somewhat obsolete. In fact, Simon Davies is saying what you've got to do is to create something else. Simon, describe that something else.

DAVIES

11:20:35
Well, if you imagine that your account online is like your home and you have a front door. And the front door -- the keys to the front door with a lock is the password. Now you're in control of what that key and what that lock is like. I mean, you can make it a simple latch key which means anybody with a pen could come along and just lift it from the outside. Or you can fashion it into your own design, something only you would know.

DAVIES

11:21:00
Now I mentioned before the word mnemonics. Mnemonics is basically the connection between images, stories, words and numbers in your mind. People think in terms of narrative. They think in terms of stories. Now I can give you -- I can remember a 25-number string just by creating a storyline around images that I've already connected with each of the ten digits. So it might be something stupid like two golfers are sitting on a hill and talking to God and they saw three churches on a mound.

DAVIES

11:21:32
But I remember that story. Now all you need to do is teach kids about mnemonics. It's a short lesson at school and they will remember any password. And it's a tremendous mental exercise. But this is why I'm worried about the premise here. Now we say the age of the password is dead. I agree. The age of the secure password is dying rapidly. But the problem is we're never going to have the sort of security that we need for the incident.

REHM

11:22:03
Well, and the point I want to bring up with Kevin is, as one of the most famous hackers in the world, Kevin, is there any password that you could not get through?

MITNICK

11:22:22
Well, by guessing, yes. I mean, by simply trying to guess the password. But there's so many different ways to break into...

REHM

11:22:29
There are clues.

MITNICK

11:22:31
Well, there's so many different ways of -- I can -- if I could load malicious software onto your computer, no matter how complex your password is, I'm going to be able to obtain it.

REHM

11:22:40
Okay. Right.

MITNICK

11:22:41
But what people can do out there is, you know, what, you know, Simon said about, you know -- you know, which I agree to because that's how mentalists are able to, you know, have these astounding feats of memorization is by associating it with a story. But why should an individual, you know, have to go through that trouble when for free you can download these password managers out there. One of them is called KeePass. Another one is called Password Safe. These are absolutely free for anybody to download.

MITNICK

11:23:11
And what they allow you to do is you could have them randomly -- you could have this tool, this software tool, randomly generate a password for each website or each application that you need access to. And then you have to set a master password, something, you know, that maybe goes along with what Simon was saying, something complex that goes with some sort of story. And you basically unlock this password safe with this master password. And it allows you to completely manage all the passwords that you use that are randomly generated.

MITNICK

11:23:46
And what's really cool about it is it allows you to use a different password for each different website or application out there. So it makes it so the user doesn't have the problem having to choose the password and manage it. There's already tools out there that allow you to do it. Of course, there's also cons to that. If there's some -- if malware gets onto a user's computer, you know, they could possibly put on a key logger.

MITNICK

11:24:11
And what a key logger does is it secretly sits in the background and when you're typing in characters, you know, on your keyboard it steals those and sends it to the attacker. Then if they could unlock your master password database then they have access to everything. So there's always pros and cons to how you're going to deal with the problem.

REHM

11:24:29
Cecilia.

KANG

11:24:30
Well, there's certainly many technological solutions in the works. The one thing though that is tried and true is that a lot of the hacking that's done, a lot of the breaches are done through what's called social engineering, just simply figuring you out. You know, I can just, if you will, Google or Bing you, you know Diane, and figure out a lot about you through what's available on court, public documents, government documents, what's available. What you might've said one day. You know, you're on Twitter as well so I might look at, you know, something you might've said that has some sort of personal reveal that you might've said on Twitter or Facebook or what have you.

KANG

11:25:06
We are so exposed online right now and that's one of the wonderful things about being online is that you can actually be so present online. But that's the other part of it. You are so present online and so you're very revealed and it's very easy to figure you out.

REHM

11:25:21
Here's an email from Steve who says, "Why not use one very good password for many sites?" Simon.

DAVIES

11:25:34
It would need to be very good and I would reflect what Kevin was saying earlier, that if you're going to do that then use one of these password managers because people now have dozens of accounts requiring dozens of passwords. There is another -- this is the elephant in the room. Let's talk about this one for a second. There is an argument that the bigger the machine gets -- the internet machine, the more we have to become fused with it to have security. It's almost like an organic biologically.

DAVIES

11:26:04
So fusion of flesh and machine would mean there is a biometric solution, in other words fingerprints. Now I hate the idea of fingerprinting and biometrics and iris scans when it comes to government for example, corporations, but there are ways -- and Kevin, you're probably right on the cutting edge of this -- there are ways that you can securely use a biometric, a fingerprint from your machine where there is, you know, a handshake with a website that recognizes that biometric.

DAVIES

11:26:32
Now it's not given to anybody else, it's not disclosed, it's encrypted securely. Now that is a possibility.

REHM

11:26:38
Is that where we're headed?

DAVIES

11:26:39
Well, I say if it were because I was going to ask Kevin, does the biometric solution actually work?

MITNICK

11:26:45
Well, let me tell you a quick story. I was hired by a company that was working on -- a financial company -- a financial services company. And they were pretty much a target rich environment because if their site was compromised it gives the attacker access to cash. And so they were looking at security solutions and one of them was a voice biometric security solution. So they tasked me with testing the security.

MITNICK

11:27:10
And basically what you would do to register is you'd have to repeat a series of digits a few times. And then it would tell you what digits to say. It'd say, you know, please say 5, 2, 1, 6, 7. You'd say 5, 2, 1, 6, 7 and it'd have you go through the process, you'd register. And then when you had to verify who you were to authenticate it would ask you to please say a series of numbers and you'd say it. And if it recognized your voice it authenticated you. So they said is this secure?

MITNICK

11:27:34
So what I ended up doing is I contacted the CEO of the company and asked if I could, you know, try to test the system for security flaws. He said fine. And then a couple days later I gave the -- I called up the CEO and I used a thing called caller ID spoofing which allowed me to change the number that would be displayed on his phone. And what I -- what number I set to display on his phone was 702-354-1689. And that's -- what those digits are it's actually 1 through 0.

MITNICK

11:28:03
And so what I did is when I called him I said, oh by the way did you get my new phone number? And he goes, oh yeah, it's on my caller ID. Oh, which one do you have? And he actually goes, 702-354-1689. Oh yeah, you're right. That's the number to reach me on in the future, which, you know, wasn't true. But now I was able to take a recording of his voice saying the digits and break it out into each digit at a time. So then I was able to call into the system and with his voice break through the system.

REHM

11:28:29
Whoa.

MITNICK

11:28:30
And it took all about ten minutes. So there you go. There's always a way to get around the system.

REHM

11:28:34
Okay. So that's -- okay. So that's a voice metric, but what about some kind of iris scan or fingerprint?

MITNICK

11:28:48
Well, once somebody steals your biometric -- it depends how it's -- you know, it's gone forever -- it depends how it's implemented. If your -- if they do an iris scan and it sends a blob of data to a server. And the attacker could intercept that blob of data -- it really depends on the implementation -- then they could just replay the data, for example. Depending on how the system was implemented. You know, we're talking about, you know, simplistic stuff here.

MITNICK

11:29:13
So if the hacker could replay your biometric authentication well then they can impersonate you. But there's...

DAVIES

11:29:19
Yeah, this is a problem, isn't it?

MITNICK

11:29:20
Yep.

DAVIES

11:29:21
But I mean, with iris scans for example, I mean, people think it's fancy technology. It's not. It's just -- it's a snap, that's all it is. And it takes your eye and puts a string of numbers down the line and that authenticates you. Um, but fingerprints could be a bit tougher, though. I don't know if you agree with this (unintelligible). I mean, I think the fingerprints take a lot -- to steal someone's fingerprint and actually convert it electronically into a way that could be used live online, maybe that's getting a bit difficult.

MITNICK

11:29:51
That's already been compromised. A Japanese guy used gummy bears to actually...

DAVIES

11:29:55
Oh yeah, but he had to use gelatin and it was a big...

KANG

11:29:58
He used gummy bears?

MITNICK

11:29:59
Yes, he did use gummy bears.

KANG

11:30:01
Let's not miss that point. It's very interesting.

REHM

11:30:03
He used gummy bears to cover (unintelligible).

KANG

11:30:07
That's -- well, I've also heard -- and I'd be interested to hear, Kevin, from you and Simon, that printing has become so sophisticated with HD printing, 3D printing coming as well, that you can essentially replicate fingerprints and iris, you know, identification going forward.

REHM

11:30:23
You guys are leaving me with nothing. I mean, really what...

MITNICK

11:30:29
There's always a way around the system depending on the attacker.

REHM

11:30:31
Yeah, and that's what you were saying. And here's an email from Ralph who says, "How does malware get into a computer and how does it work?" Cecilia.

KANG

11:30:45
Well, Kevin's actually really the pro on this. Well, there's many ways malware can get into a computer, and I think it becomes much easier when we're connected onto the internet all the time. So once you're inside your device through the cloud -- Wi-Fi networks are particularly vulnerable as well -- then you attack the computer. And that's -- and you get whatever information you want. And, Kevin, please correct me, jump in.

MITNICK

11:31:08
Well, if you can get his email address I'll send him a PDF file and demonstrate it to him. No, I'm just kidding. But usually it's by opening up office documents or PDF files that have been booby trapped. And the reason that works is because the software that resides on the individual's desktop is vulnerable and probably not updated. Or clicking on a hyperlink that exploits a vulnerability in the browser that the person is using.

MITNICK

11:31:33
So one method to try to remediate this is people out there can go and download a program that's actually free of charge called Personal Software Inspector. And what this does is it actually scans your system, your desktop, tries to find what software is out of date and it notifies you so you can update that software so you don't remain vulnerable. But that's how attackers break in is they send you through email usually a booby trapped file, a booby trapped hyperlink. And when you click on it or open up that attachment the game is over. They're in and you're out.

REHM

11:32:07
All right. So now tell me about the CIA, the FBI, the Department of Justice, all the government email accounts. Kevin, how do you get in?

MITNICK

11:32:24
How does the CIA get in or how does someone get into the CIA?

REHM

11:32:25
How do you get in? How would you get in to the CIA?

MITNICK

11:32:32
Well, to be honest with you, you know, it probably wouldn't be that hard. And all you really have to do is -- a government agency like the CIA has a lot of employees -- and if you could do what we call information reconnaissance and try to determine what software that an individual's using on their desktop and the version, like if they're using for example an older version of Adobe Acrobat, you know, as an example.

MITNICK

11:32:59
And then really all you have to do is try to determine who that person would likely have contact with, what companies, what other government agencies, what individuals? He could usually find that through social networking. And then what you do is you send that person an email with a booby trapped file, that as soon as they open up the file it exploits again a vulnerability in the software that resides on their desktop. And now the attacker is inside the system.

MITNICK

11:33:25
And this is exactly what happened at RSA, which is a large security company. One employee opened up an Excel document that was booby trapped and RSA ended up losing extremely sensitive information. It happened to Google. It happened to several DOD government agencies. This is a hybrid of social engineering. You're using social engineering, which is using manipulation, deception and influence to get a target to comply with a request. And that is to open up a file, right, or click on the hyperlink. And then once they do that it exploits the technical vulnerability in the software that resides on the desktop. So this is how you would compromise a government agency.

REHM

11:34:05
Kevin Mitnick. He's an information security expert, a former hacker. His latest book is titled "Ghost in the Wires." And you're listening to "The Diane Rehm Show." It sounds to me as though you are all saying number one, be careful of what you open when you don't know something or from where that individual email or something is coming from. But as far as passwords are concerned it sounds to me as though you're saying anybody can get into your account at any time. Simon.

DAVIES

11:34:52
Well, I think what we're all saying in a way is, yes that passwords are becoming more vulnerable simply because the weight of the attack and the potential attack on you is greater and greater. But remember that's only because people don't understand the risk. People are going to go just opening whatever, as you say, they'll use the same passwords. They don't understand because it's been so -- I mean, human history, this is such a recent development. It's going to be another two generations before people get security and they understand. And people adapt accordingly.

DAVIES

11:35:27
It's why I did -- and now I got quite pessimistic toward the end there, but I do keep my optimism that ultimately we -- and people -- the internet as an organism will adapt. And the one line we absolutely have to draw, though, is the privacy line. There's too much information being demanded. You see it in the real world. I was out last night in D.C. People demanding identification -- I'm a middle-aged man -- identification to go into a bar. So you can imagine what it's like in the online world. People will just -- and everybody was giving their IDs to this bouncer. And I was saying to them, what are you doing? Why are you giving your -- these people want your money for a drink.

DAVIES

11:36:13
Now it's the same online. Information is demanded of you by all these sites in the name of security and people will just hand it over without question. Now that's got to stop and that will stop.

KANG

11:36:23
I would actually...

MITNICK

11:36:24
Well, Scott McNealy says you have no privacy, get over it.

DAVIES

11:36:27
Yes, I remember that.

REHM

11:36:28
Cecilia.

KANG

11:36:29
I would actually say that people do, to a certain extent, understand the risks. They're just not willing to give up the convenience of a free email provider, a free documents cloud service, a free social networking site. They're not willing to give up sort of the convenience of that, of using these services for the sake of privacy -- I mean, of security.

REHM

11:36:54
But look ahead two generations as Simon has just done. Do you believe that somehow within two generations we will have figured out a new way to have privacy...

KANG

11:37:13
Well, definitely there's two competing...

REHM

11:37:14
...secure privacy?

KANG

11:37:16
There's definitely going to be better security. There's great security already out there as Kevin mentioned. Password managers are really simple solutions. There is -- but you're -- competing forces. You have technology that's changing, that's becoming much easier to hack into, making it easier to hack into systems as well as better security technology.

REHM

11:37:35
Cecilia Kang, technology reporter for the Washington Post. Short break, right back.

REHM

11:40:03
And here's an email from Nate in Baltimore, "What about double authentication as Google offers for its accounts? How secure is that process?" Kevin.

MITNICK

11:40:18
Well, I'm actually -- I love Google's two step authentication. In fact, when it first came out, I tweeted to all my followers that they should immediately enable it. And what Google allows you to do is you could set up the service, the security service, so when you log into your account, not only do you need your password, but you need a six digit code. And this code changes every time you log in. And if you're using an Android or an iPhone, you could download this application onto your phone and it will display the code, or you could choose to have the code sent to you by text message or actually to call you and verbally give you the code.

MITNICK

11:40:59
And I think that if you're a Gmail user or you're using Facebook or Dropbox or any of these services, you should immediately activate two step authentication, what we call two factor authentication. And has this been compromised? Well, if people set up on their email account a phone number, and the phone number allows you to do a password reset, if attackers could compromise your cellular phone account at AT&T, T-Mobile or whatever, and usually they can by simply just finding the last four digits of your social security number. Then what they could do is they could do what we call an account takeover.

MITNICK

11:41:40
What they'll do is they'll first compromise your cellular phone account, forward your number to their prepaid cell phone or a pay phone or whatever. Then they'll go through the password reset process. And when Google calls your phone to do the password reset, it actually gets transferred to the attacker's phone and they go through the process and they hijack your account, so...

REHM

11:42:01
All right. Simon, you've had some experience with this.

DAVIES

11:42:05
Well, this is a real world sort of as opposed to the cyber world. This is a real world double authentication. I have -- listeners will have this experience where your providers, your cell phone provider, your bank, whatever, will ring you periodically. And how do you know it's them on the other end of the line? They ask you for authentication. Would you give us your zip code and date of birth? Well, who am I giving this to?

REHM

11:42:29
Yeah, exactly.

DAVIES

11:42:29
I don't know. So with all of my providers, I've told them on the special instruction field on the account -- and everyone can do this. This is a good fun game for everyone to play. There is a special instruction field. You give them a word to put into that field. And then when they call you, you say, go to the -- scroll down, special instruction field, what's the word there? And they'll say poopsie poo or something ridiculous like that. You know, something that will make the whole call center giggle, you know. And I then know there's no more arguments about this.

REHM

11:43:00
Yeah.

DAVIES

11:43:01
I don't have to call them back at my expense. You know, I know who they are, they know who I am.

REHM

11:43:05
And, Cecilia, what about you? How do you use double authentication?

KANG

11:43:10
Well, I'm a fan of the double authentication as well. I've done that with my Google accounts and my other accounts as well. The idea is, and you see this -- you see this actually also with credit cards, you know, the security code on the back of your card. So the idea is that your credit card might be all over the internet, your credit card number, but you have in your hand your credit card and only you can see the back security code. I mean, that's the idea at least and that's...

REHM

11:43:34
But you have to put that...

KANG

11:43:35
You do have to -- exactly.

REHM

11:43:35
...security code up there as well, so...

KANG

11:43:38
As well. So that sort of defeats the idea...

REHM

11:43:41
Oh, boy.

KANG

11:43:41
...is that the idea of double authentication or even multiple authentication is that you have multiple ways of saying this is really you. I'm carrying my phone on me, so only I will see that text message with that security code that I enter in to re-log onto my Gmail for example.

REHM

11:43:59
Good. All right. Here is a caller in Bradenton, Fla. Good morning, Chris.

CHRIS

11:44:05
Good morning, Diane. Good to speak to you.

REHM

11:44:07
Thank you.

CHRIS

11:44:09
I feel in a way this has almost been answered, but, you know, we hear a lot about encryption technology which even the U.S. government can't always decipher. And I wondered whether a password was created with letters, numbers, symbols or was biometric, whether it couldn't in some way be encrypted so that, you know, it would be very difficult to break it.

REHM

11:44:32
Simon.

DAVIES

11:44:33
Well, I'll defer to Kevin on this one because he knows the cutting edge on the encrypted passwords, but as he will probably say, it's not quite the solution that it's made out to be.

REHM

11:44:43
All right. Kevin.

MITNICK

11:44:44
Well, actually in Windows your password is, you know, what we call hashed and which is, you know, a form of encryption, let's say. And there's tools out there to basically do dictionary attacks and to run it through what we call rainbow tables, which are already pre-computed passwords. So that idea really won't work. I want to digress, Diane, when we're talking about -- well, when Simon was talking about his authentication at his financial institution.

MITNICK

11:45:15
I recently called Bank of America because I had an issue with my credit card. And they go, hi, you know, what's your name? I go, you know, Kevin Mitnick. And they go, okay, sir, what's your password? I go, okay, I'm thinking, because I'm trying to remember what password I set up for this account. They said, oh, no problem, sir, we'll help you out. It's a place you'd like to vacation and it begins with an H. And then I wanted to ask the lady, I said, can I -- I wanted to say, could I buy a vowel? I wanted to buy a vowel. You know, and this is -- this is customer service today where, you know, it's all about convenience and customer service and security is, you know, the lowest on the totem pole here, so...

REHM

11:45:50
Yeah.

MITNICK

11:45:51
...I just wanted to tell you that funny story.

REHM

11:45:53
Okay. Let's go to Middletown, Md. Good morning, Stan.

STAN

11:45:58
Good morning. I just want to talk about the password issue. So I read a security report that said that passwords should be longer than -- should at least be 14 letters. And so the way I solve it is I have two address books that I keep the sites that I go to written down. And I bought a Rubik's Cube. And on the Rubik's Cube I assigned numbers, letters, uppercase, lowercase, and symbols randomly. And all I have to do to generate a 16 code password is to just twist the cube a few times.

MITNICK

11:46:31
That's awesome.

REHM

11:46:31
How do you like that? How do you like that, Kevin?

MITNICK

11:46:35
That's awesome. I'd use a password manager, you know, instead of...

STAN

11:46:38
I don't keep anything -- I don't even keep passwords...

MITNICK

11:46:39
...going through that trouble.

STAN

11:46:40
Yeah, (unintelligible) can still be hacked, so I don't keep anything related to passwords on the computer anywhere.

MITNICK

11:46:47
And, you know, another problem, Diane, is when I'm doing security testing at companies, and I get into their file servers, the first thing I do is do a full directory looking for any files that are password, passwords.doc, .xls, .csv.

REHM

11:47:02
Sure, sure.

MITNICK

11:47:04
And in 100 percent of the cases I find that my client's users are actually storing plain text passwords in Excel documents, in text documents and basically is the keys to the kingdom.

REHM

11:47:20
I'm breathless. I really am. My producer, Susan Nabors, says she's going to move to the woods. I think -- go ahead, Simon.

DAVIES

11:47:31
I was going to say, though, we look at the internet and we imagine it as a technology network. It's actually not. It's -- increasingly it's a social network. And it conforms to social norms and mores. And no social system has ever been perfect. There's always been security threats, whether it's, you know, chasing animals for food or, you know, security within a town. And maybe we don't want 100 percent security because God knows what cost that would apply in terms of our freedoms.

DAVIES

11:48:01
So I like this tension. I love the fact that here we are in 2012 having this debate with people engaged and we're so generally optimistic and we're aware of the threats. I mean, that wasn't the case ten years ago. You know, so things are moving forward. And like any social system, we will adapt and improve as I said before.

REHM

11:48:18
I hope you're right. Let's go now to Burlington, Ky. Good morning, Andy.

ANDY

11:48:25
Thank you so much for taking my call.

REHM

11:48:27
Sure.

ANDY

11:48:27
I appreciate it. I'm a contractor for AT&T. And talking about the issue of biometrics for use and security earlier, I was reading on AT&T's website about a technology that they're developing that they're calling bioacoustical data transfer that, from what I can understand, sends a small little pulse through the user's skeletal frame from a device such as a watch or a smart phone. And everybody's skeletal frame has, like, a unique (unintelligible) and then they can use that to establish identity. So I just wanted to know if any of your panel is familiar with that or might be able to shed some light on it, because I'm feeling that's kind of Star Trek-ish a little bit.

REHM

11:49:08
Yeah, it sounds that way. What about that, Kevin?

MITNICK

11:49:11
Yeah.

REHM

11:49:12
Bioacoustical data.

MITNICK

11:49:15
Yeah, I haven't heard of such a thing, but it did give me a chuckle.

REHM

11:49:19
So what do you think, Simon?

DAVIES

11:49:22
Well, in biometrics obviously because there's so much money going into research at the moment, and the European Union I noticed they were pumping some money into body odor biometrics. So, you know, it would basically take -- so it's a pheromone or whatever that was unique.

REHM

11:49:38
How about my perfume?

DAVIES

11:49:39
Well, you've got pheromones in your perfume.

REHM

11:49:42
Exactly. Exactly.

DAVIES

11:49:45
See, it would pick that up, but I'm guessing that what they're looking for is a unique -- that unique combination.

REHM

11:49:50
Yeah, sure.

DAVIES

11:49:52
And so nothing surprises me in the biometric arena anymore.

REHM

11:49:55
Wow. All right. Let's go to Kyle in Wixom, Mich. Good morning, you're on the air.

KYLE

11:50:03
Good morning. Thank you for taking my call.

REHM

11:50:05
Sure.

KYLE

11:50:06
Hello, Kevin, a big fan. So...

MITNICK

11:50:09
Thank you.

KYLE

11:50:09
…I'd just like to say that I'm a developer for CRM systems and I administer over them. And one of the biggest security compromises that I've seen is actually the email system itself. The email system is kind of the keys to the castle. If you can get the password to the email, you can go to other services and click on the reset my password button and it will just be emailed to you or a quick way to get into the system. So through one link (unintelligible)

MITNICK

11:50:35
Well, hopefully it does a password reset and doesn't send you the plain text password. That's kind of scary. Most sites hopefully will send you the reset, so the victim will eventually figure out they can't get into their account and realize that there's a problem.

KYLE

11:50:48
Right. But -- yeah, I mean, it's not the best way to get in, but it certainly does happen and people can get in pretty easily actually. You can -- there are services in China and whatnot that will send you a corporate email account for about $100. So I just wanted to give my comments. And I'll take anything else off the air. Thank you.

REHM

11:51:13
All right. Thanks for calling. Anything else?

MITNICK

11:51:16
Oh, by the way -- by the way what he did say about breaking into a corporate email account for $100, there's a service that you could send $100 to these guys, and what they would do is they would guarantee they would break in to a person's Yahoo account, Hotmail, Gmail, it didn't even matter. And they would charge you $100 that you'd have to send. So I actually wanted to figure out what they were doing. So I set up -- I set up a fake email account for me and I sent the $100, and I said, hey, go ahead and crack this person's account. It's my girlfriend's account, when it was just an account I set up.

MITNICK

11:51:48
And so what it ended up being at the end of the day is they send a phishing email. And a phishing email is basically an email that contained a hyperlink that once you click it, it looked like you were logging back on to your email service. So it was a very simple type of attack, yet effective because these guys were making money.

REHM

11:52:09
Yeah, and that's a question I have, Cecilia, who is it that's hacking into our accounts? Who wants them?

KANG

11:52:17
So their -- it's interesting. On the one hand you have organized crime organizations outside of the U.S. that want information that's very valuable. They can get into your bank accounts, actually take money, for example, in the U.S. as well. Then you often have in this Wired article and you've heard this anecdotally as well, just bored people who do this sort of for fun. They wanted the challenge of seeing if they can hack into something.

KANG

11:52:43
So -- and then you also have groups that are sort of semi-anarchic, you know, groups like Anonymous who do this with a purpose. You know, if they feel like, for example, the FBI made a decision on something, they'll take down the FBI site. So there's lots of -- there's lots of different groups that try to hack for different motivations, but there's money, they're sometimes bored, and there's sometimes also the thrill and the challenge.

REHM

11:53:05
And you're listening to "The Diane Rehm Show." Kevin, give us a sense of some of the new techniques that people are working on to try to protect passwords.

MITNICK

11:53:23
Well, they're moving to more forms of authentication, not just relying on a single factor, such as a password, going to multiple factor authentication. And then using technologies where you could authenticate to, for example, maybe a business website by -- through your Facebook account or basically by if you, you know, log into your Facebook account, it uses this process to authenticate you to a third party company. So this is becoming more popular. And there's companies out there that are developing new technologies and trying to come up with better ways to authenticate the end user because it is such a big hole in the system, and to help companies and businesses and people protect themselves in a better way.

REHM

11:54:10
All right. Final caller in Cleveland, Ohio. Shogie, you're on the air.

SHOGIE

11:54:16
Thank you for having me. I'm a big fan.

REHM

11:54:17
Sure.

SHOGIE

11:54:18
I wanted to know if there's a difference whether consumers -- your experts could comment on Windows versus Apple machines. A lot of people buy Apple products. I've been a big fan for the last few years after working in PCs for a while. And if the security and password management on their browsers is any different.

REHM

11:54:36
Simon.

DAVIES

11:54:38
I'm not familiar with -- well, I'm an Apple user. I'm becoming a little bit distressed frankly at some of the changes in their design, I'm going to say. So I again defer to Cecilia and Kevin on this one. I've got to say that the Microsoft from what I can see is shifting security and privacy significantly in the right direction. The problem Apple generally as I see is what you might call a magnetic ports problem. It's little things, design problems with Microsoft -- with Apple are starting to become obvious. And I'm wondering whether Apple's kind of losing its grip on a lot of design elements, whereas Microsoft as a kind of operating system seems to be getting its head wrapped around the security and privacy.

REHM

11:55:28
All right.

DAVIES

11:55:28
I don't know. You two may have a different view on this.

REHM

11:55:30
Kevin.

MITNICK

11:55:31
Well, you know, people ask me that question all the time, what's more secure, having Apple or -- Apple or Windows. And I think actually Windows is a more secure operating system if you actually, you know, had it configured and hardened properly. But what the problem is, is you have a lot of virus or what we call malware writers out there and they develop malicious code to attack the populace. And Microsoft still has the greater market share. So if you have the Russian business network that wants to compromise, you know, as many people as they can, they're going to write a piece of malware for the Windows operating system and deploy that into the wild.

MITNICK

11:56:11
And so that's why we don't see a lot of problems with people that are using, you know, the Mac platforms is because they're not being as attacked as much as people using the Windows platform. But I think that is going to change. I think now we're seeing -- we're seeing people shift to attacking Mac platforms as well.

REHM

11:56:29
Cecilia.

KANG

11:56:30
You know, I have a question actually for Kevin. Does that also apply...

REHM

11:56:33
Very quickly.

KANG

11:56:34
...to smart phones? Because I feel like smart phones, everything's connected. Your contact lists and everything are so connected with different third parties.

REHM

11:56:40
Sure. Kevin, very quickly.

MITNICK

11:56:41
Well, the Android platform, for example, is -- you know, there's been lots of exploits for that. If people jailbreak their iPhone, it kind of opens them up to exploitation. So these -- you know, the iPhone runs pretty much an -- it's running -- these devices run an operating system and they could be attacked just like a computer can. And you're right...

REHM

11:57:11
All right.

MITNICK

11:57:11
...it's a very target rich environment.

REHM

11:57:13
We'll have to leave it there. Kevin Mitnick, Cecilia Kang, Simon Davies, you've given us all tons to think about. Thank you very much. And thanks for listening all. I'm Diane Rehm.
Transcripts of WAMU programs are available for personal use. Transcripts are provided "As Is" without warranties of any kind, either express or implied. WAMU does not warrant that the transcript is error-free. For all WAMU programs, the broadcast audio should be considered the authoritative version. Transcripts are owned by WAMU 88.5 FM American University Radio and are protected by laws in both the United States and international law. You may not sell or modify transcripts or reproduce, display, distribute, or otherwise use the transcript, in whole or in part, in any way for any public or commercial purpose without the express written permission of WAMU. All requests for uses beyond personal and noncommercial use should be referred to (202) 885-1200.

The Diane Rehm Show is produced by member-supported WAMU 88.5 in Washington DC.