SDSU Cyber-Security Expert With Tips On Safe Holiday Shopping
December 6, 2012 4:41 p.m.
Murray Jennex, Associate Professor at San Diego State University's College Of Business Administration. One of his specialties is Internet Systems Security.
CAVANAUGH: Online holiday shopping can take you many places on the Internet you've never been before. Some of those places are great, others can be risky. Because the holidays remain one of the busiest times of the year for people who want to steal your personal information, including your credit card numbers. So cyber security experts say some simple precautions can save you from a world of grief. Doctor Murray Jennex is an assistant professor at SDSU's school of business administration. Welcome back to KPBS Midday Edition.
JENNEX: Good afternoon.
CAVANAUGH: What are some of the most popular ways cyber crooks get access to people's personal information?
JENNEX: The most popular way is to get you to go to a website or to download a program that installs a key logger onto your machine. And the key logger records your key strokes. So as you make a purchase and type in your account information, your password, it captures the key strokes and will send them back to the attacker so they can harvest all these numbers and sell the accounts or use them themselves.
CAVANAUGH: What are some of the ways they actually get you to click on the thing that you shouldn't click on that's going to download this particular virus that's going to send them all that information?
JENNEX: Well, and that's why it's good to talk about it this time of year: The major way of getting you to do something is to send you something that you want to look at. Lots of people are sending online Christmas cards or videos about Christmas, and people see that and they want to participate. It's just a seasonal thing to do. So the first thing is be kind of a grinch and don't just open and download. Even if you know who the person is. Right now, this year, they've done a much better job of hacking other people's e-mail and using the e-mail directories in them to go and contact friends or associates. And it gives you a virus or something that could be worse.
CAVANAUGH: That recently happened here at the SDSU campus, right?
JENNEX: Here and in many companies. Ideally what you really want to hack is somebody in a position of authority, where people will just automatically do what the e-mail says. And here at the college, over Thanksgiving, they hacked into our dean's e-mail account and had his account send out an e-mail to all the faculty asking us to go to a site and do something on our e-mail. And the whole goal was to capture everybody else's e-mail information and download malware onto the faculty computers.
CAVANAUGH: If you get in your e-mail, an e-mail from somebody you think you know, and you open it up, just the fact of opening it doesn't do anything.
JENNEX: No. You can look at it. But to get the malware, they want you to either click on a link which will take you to a website, and when your computer goes to a website, it downloads software from that website. Or it wants you to download something directly as a file.
CAVANAUGH: The buyers of airline tickets are being especially targeted this year it seems.
JENNEX: Right. This last year, when you go online to shop, you leave traces. And a lot of people Google legitimately and other people track where people go. So attackers are doing the same thing. And they're seeing that people who go to an airline website looking for tickets and shop, they're vulnerable to getting an e-mail that says here's your itinerary. And instead of having the itinerary in it, they want you to download it to print it. That's where they're getting you in an attack. And it used to be that these e-mails were pretty easy to figure out that they were fake. Well, the ones I've seen have actually been almost exact copies of what you would get from the real airline. And I personally got one, and I almost looked at it, but I started thinking, well, I haven't bought a ticket! And to check that, I took the confirmation number that they had in the e-mail and ran it on the airline site and it wasn't legit.
CAVANAUGH: So they almost got you!
JENNEX: Yeah, and they almost got my wife. She had a dangerous thought. She was with me, and we realized it wasn't legit for us, but then she thought, well, maybe they just made a mistake on the e-mail address, and we should look at it to see who's supposed to get it. That's a bad thought because it wasn't a mistake.
CAVANAUGH: Tell us again, if you do get a correspondence like this, and you're not clicking on the link to download what could be a virus, what do you do instead to find out whether or not this is legitimate?
JENNEX: Well, unfortunately most of the time what you have to do is just ask yourself, am I actually supposed to get this e-mail? Have I bought a ticket from this place? Or do I know this person, and is this something that person would send me? If they've never sent me an e-card before, is that really what they're going to do? And that's probably the safest thing to do. If it's something they haven't done before, guess what? They haven't done it now either.
CAVANAUGH: Now, what if you are unlucky enough to actually make this kind of mistake? Isn't your spyware or malware protection supposed to alert you of that fact?
JENNEX: Well, some of them do and some don't. Malware detection isn't perfect. It relies on knowing what the attack signature is. Well, there's a window of opportunity that makes us vulnerable until the companies like Symantec or McAfee have captured that malware and put that into the definition database that you upload to your machine. So if you don't have your protection on automatic update, you're vulnerable. There's a period of time where the virus checker will never find it.
CAVANAUGH: Now you say that virus makers are finding a way into people's personal information through different electronics that don't even have that security on them, like smart phones and tablets; is that right?
JENNEX: Right. We -- a lot of people are changing the smart phone. In fact, that's a great marketing attempt. As you walk around shopping, tracking your location and sending you coupons. So people are getting coupons while they're in a shopping center and such. That's also a perfect opportunity to send you malware. And unfortunately most of us didn't think when we bought our smart phone that we needed to put a firewall or a virus checker on our phone. Well, those products are available. But Apple in particular never tells you you should do so.
CAVANAUGH: There's an idea that you don't get viruses if you have an Apple product.
JENNEX: That's a myth that started five years ago when Microsoft was having a lot of the attacks. Everybody said, well, my Mac never got hit. The problem was they didn't have a big enough market share to make it worthwhile. Now iPhone is a very popular product, lots of people have it, and it's made it an excellent place to attack. And it turns out that the operating systems and such are as vulnerable as Windows were. And over the last couple years, there have been more attacks against Apple devices than Microsoft devices.
CAVANAUGH: And do the viruses and malware act the same way as they would on the computer?
JENNEX: Absolutely. Your iPhone is a computer. It's no different. It's the same type of chip, it's a different operating system but it is exactly the same type of digital instrument.
CAVANAUGH: What about if you're doing a lot of shopping online for the holidays? Sometimes that entails people going to websites, what is it they should watch out for?
JENNEX: When I shop online, if I get an e-mail advertising the product, I never click on the link to go directly to that website. Instead I'll go into my browser and put in the address myself and personally go to that website. And then I can take a look at it. Well, what's the difference? A lot of times an attacker, if they're trying to get you to go to a website will have you go through an intermediate website, and that intermediate website might just be a flash on your screen, it might be a little popup, but by going there, you've downloaded what you want, and then they'll still send you to that website. By you going and typing that address in yourself, you bypass that possibility.
CAVANAUGH: I see. And sometimes you can actually spend hours online.
JENNEX: Oh, yes. Oh, yes! Many people do.
CAVANAUGH: Yeah, and shopping online too, this holiday season, and as you get more and more caught up in it, and more and more websites, and more and more tired, what kind of problems might that present to some bleary-eyed shoppers?
JENNEX: Well, as you said, you get tired, and your defenses go down a little bit. And you may not notice a popup screen asking if you want to do something. And almost everybody I've talked to that's been hit by that, that's exactly what happened. They saw it, but hey, I needed to get this done, I wanted to go to bed so I ignored it. And bam, I got hit by a virus. That's the time to be most careful. And several years ago, I got hit the same way, so I understand this!
CAVANAUGH: So that's your own security system popping up and saying we don't know who this website is. Are you sure you want to go there?
JENNEX: Oh, absolutely, yeah. And once you say yes, you've told your firewall it's okay for them to send anything in. And that's where it gets dangerous.
CAVANAUGH: I remember speaking to you several years ago about the whole subject of Internet security, and you said anything that you put online is not private, is not secure. It's just out there, open. Is that still the basic rule of thumb?
JENNEX: Even more so. With social media and Facebook and stuff, we've gotten a lot more open. And I look at what our students post, and we talk about it in class, and we give attackers so much information about us, they know who our friends are. If we have a public Facebook, they know who we interact with. That makes it easier for them to actually craft something that we're more apt to accept and respond to. So I think it's even worse than it used to be.
CAVANAUGH: We heard now actually from you that you were once almost a victim of a virus and a cyber crime. How do you actually take precautions to avoid becoming victimized online?
JENNEX: Well, the No. 1 thing I do, and not everybody can do it, but if you can you should. I use two different computers. I have one computer that's for my formal banking and everything else. And we keep that one clean, and we don't browse with it. My other one is what I browse with. While I may make purchases with it, I don't ever go to my banking system on that one and type in a password or anything. So I'm separating my activities and keeping my secure activities on a secure machine and shopping on a different machine.
CAVANAUGH: How difficult is it if you do download a virus to get that removed from your computer?
JENNEX: It varies. Well, actually just this last summer, I got hit by a virus coming off of a restaurant website. That one I actually recovered from real easy by using the restore point. Starting the computer up in safe mode and then you can go in there and recover based on a previous restore point. That worked real easy. It was fine. Five or six years ago, I got hit by a virus where I was tired, trying to get a lecture prepared for the next day. And the only way to recover from that was to actually reformat my hard drive.
CAVANAUGH: Wow. Okay. So it can be an easy fix or a real difficult one.