Blaine Burnham talks as a member of a NUCIA faculty panel, discussing spyware, identity theft and the safety of the common computer user.

Introduction

Blaine Burnham has two computers at his home. One is hooked to the Internet. The other is not. Never is one linked to the other. To move material between them he uses a floppy disk, a tool that is almost old-fashioned these days. The computer that has never been tainted by an Internet connection is used to keep Burnham's personal finances and other information he'd rather not let slip into the hands of marketing spies who routinely collect information from Internet-linked computers in U.S. homes. That one is also used for take-home work from his job. A floppy is used to carry the work from office to home and back.

Burnham's caution is born of years of researching and teaching computer security. He's the director of the Nebraska University Consortium on Information Assurance, an arm of the University of Nebraska's Peter Kiewit Institute of Information Science, Technology and Engineering. Burnham and five other consortium employees talked recently about what home users face in trying to keep their personal computers from becoming public property. Answering questions were Burnham; assistant director Alex Nicoll; and researchers Matt Myers, Steve Nugen, Matt Payne and Tim Vidas.

Dangers of the Internet

Q. Do many people go to the lengths Blaine does, keeping two computers and isolating one of them from the Internet?

Nicoll: By and large, no. Most people don't even do the simplest things to protect themselves, to say nothing of running two computers.


Q. What are the dangers of the Internet?

Nicoll: There are two classifications I use: things people do to themselves and things bad guys do to them. The things people do to themselves tend to be opening e-mail attachments from people they don't know and downloading software that they don't know who created or where it came from or what it might be infected with. The classic example is peer-to-peer filesharing systems. Anything downloaded from them is suspect and could be a source of spyware, trojan horses and backdoors into computers.


Q. What's the difference between spyware and the others?

Nicoll: Spyware takes a look at your machine and reports on what you have and what you do. Trojan horses and backdoors give the bad guys access to your system to do pretty much anything they want. They can create zombies -- computers that are used to attack other systems at the bad guys' whim. With that kind of access, the bad guys can search the computer for whatever is there: credit card numbers, tax information, personal information. There's essentially nothing they can't do once you're infected.

Other Dangers

Q. What about the things done to people?

Nicoll: Attackers utilize flaws in the operating system and programs to try to take over your computer. It doesn't require any action on your part. They can intercept communications to get information, like credit card numbers. What's known as the man-in-the-middle attack can trick two computers into carrying on a conversation with the bad guy's computer as the man in the middle. That computer can see all the traffic going both ways. It can participate or record it for later use.


Q. How do you spot such an attack?

Nicoll: It's harder to spot than most. For the average user, I'm not sure there's a lot they can look for on their own.


Q. Which is the greater danger -- the things done to people or the things they do to themselves?

Nicoll: It's the things they do to themselves. I've seen people install more spyware, backdoors and viruses because they download this neat thing on the Internet than I've seen people having their machines hacked into from outside.

Burnham: Getting into home machines is relatively easy. It's a rare case -- very rare -- when this intrusion is visible. And expunging spyware is no minor thing. Some spyware removers actually install spyware while removing competitors' spyware.


Q. Besides stealing credit-card numbers to use, what else does spyware do?

Myers: Spyware is any software that collects information about what's happening on your computer and sends it back to a central database so that it can be mined and sold for marketing and advertising and other purposes -- people even use spyware to catch cheating spouses.


Q. What's keystroke logging?

Myers: That's not in most spyware. It's usually in something intentionally done to you. It logs all of the keystrokes. Every time you hit a key it's recorded in a file that is sent back to somebody's main computer. It's like a wiretap.

Security for Personal Marketing Information

Q. What makes this information that is secretly collected so valuable for marketing?

Nugen: Personal marketing uses information about how you behave. A list of people who are financially able to take a cruise is valuable to a cruise agency. A list of people who have been visiting cruise Web sites is even more valuable. Spyware companies that monitor your online behavior can provide that list. When I choose to visit Dell's Web site, I have to accept the likelihood that Dell will record my behavior at their site. But spyware goes further by sending records of my online behavior to companies I didn't choose to visit. An aggressive program monitoring my Web-surfing activity might even redirect my Web browser to one of Dell's competitors.

Burnham: All kinds of stuff is available. You just have to put it together. There's the list of people who take cruises for two. Think of how far this can go and the deeper motives. Suppose the schedule that showed your wife working a given week was compared with the list that has you signed up for a cruise for two the same week. Or if you were in a car accident and the lawyers for the other party involved could buy information that you had been visiting Web sites having to do with some medical condition that, if you had it, could have contributed to the accident.


Q. Is banking online and using other financial services dangerous?

Burnham: Identity theft creeps across all of this. It's not just getting your credit card information. You can lose information on yourself the bad guys can use to create a new ID. Never, never, never respond to an e-mail asking for confirmation of account information. It may take you to a phony bank Web site.

Nugen: Never follow a link to your bank. Type in the Web site address.

Public Safety

Q. Are you safe then?

Nugen: No.

Burnham: But safer.


Q. Why just safer? Why not safe?

Vidas: The real answer behind that is you will never find a security professional who will say you're completely safe. Personal computers don't work that way. You plug your computer into the Internet and you're at risk. You try to mitigate that. It's all risk management. You just want to reduce that risk to a tolerable level. Make yourself one of the harder targets. Type in the address. You're much more likely to go to the real Web site. But if you've already got malicious code running on your machine, it's possible for programs to detect what you're typing and redirect you to a phony site. So, safer.

Nugen: Home computers are designed for convenience. You can make them more secure if you're willing to give up some convenience. It's always about tradeoffs.


Q. So you haven't made your computer burglar-proof and it's loaded with software that's not only spying on you but probably slowing your computer. What can a person do?

Burnham: Short of pulling the plug?

Q. Yes.

Burnham: Buy new hardware and start over. All software you download becomes part of your operating system. It's called freeware. There's no cost or just nominal cost. There is a forest of the stuff. You never know what's in it.

Payne: It goes back to knowing what you put on your system.

Burnham: Start with somebody you know -- this is not a place for an amateur. Install the operating system yourself or have it installed by a pro.

Nugen: Install a firewall. You want to be sure you get a firewall that keeps things from going out as well as coming in.

Burnham: You want it to ask, 'Is it OK for all Excel files to go to the Internet?' That would mean the ones that hold your financial records, your investments, your personal information. Some things, it's OK to let go out. But is it OK every time? You want the firewall to ask every time.

Nugen: Say your daughter is learning to read on a software program that teaches and entertains her but also automatically and silently reports her progress back to the software company. A properly configured firewall can prevent that reporting, giving you a choice even if the reading program doesn't.

Payne: In theory, it would be easy for that reading software to pick up all the spreadsheets on your machine and ship them off somewhere.

Vidas: Home users should invest in reputable anti-virus software and probably free spyware prevention and removal software. There are online user groups, forums and magazines that rank software.