coffeeshop

The next time you’re in a coffee shop sipping a Chai latte, availing yourself of the free Wi-Fi, remember this: The private messages you are sending, the websites you are visiting, and bank accounts you are accessing could be intercepted by a nefarious individual sitting two tables away. It doesn’t need to stop with snooping either; they could inject code into your Web browser to steal your passwords or install software to give them access to your laptop whenever they want.

I don’t mean to scare you. I work for the other side as a white hat hacker who works with some of the largest companies on the planet to help them protect private and sensitive information — and keep it out of the hands of the wrongdoers. Information Security is a large industry (and growing), but it isn’t fool-proof. There’s also a lot of FUD (fear, uncertainty, and doubt) floating around out there. Unfortunately a lot of it is based on reality; in some cases people downplay its seriousness.

On a Sunday morning last year, I received a phone call from the CEO and CFO of a major restaurant chain. Also on the phone were their bank and General Council. They explained that someone had stolen credit card data from every customer who ate at their restaurants over the past 18 months. No one knew how this data breach had happened, but I had my suspicions since I’ve seen it happen hundreds of times.

The hackers found a hole in the security at one of the restaurants. They used that hole to jump onto a satellite link and navigate their way into the corporate network. It was here where all the credit cards used at any of the restaurants were processed. They then planted a custom written piece of software on credit processing systems that went completely undetected for a year and a half. During that time the software made a copy of each credit card number and sent it back out of the network to the hacker’s computer located in Eastern Europe. In the end the hacker was able to make off with millions of numbers and likely converted that information into tens of millions of dollars by selling it on the black market.

A few months ago a friend received an email from a book publisher. My friend has been written about in magazines, been on television, and had published a book a few years ago, so receiving this type of email didn’t seem out of the ordinary. The email appeared normal and the sender prompted him to read his proposal, which was attached. He clicked on the PDF attachment and the reader opened for a split second before crashing. When he tried to open it again the same thing happened. So he replied to the email and it bounced. Then he tried the phone number listed in the email, and it was for a bakery in New York City. That’s when he gave me a call.

I looked at the attachment and saw that he had been tricked into opening malware, which was now deposited in his system. This malware was designed to scour his computer for every Word, Excel, and PowerPoint document. Once it found these files it automatically transfered them to a hacker’s computer. Lucky for my friend, he was using a small netbook on which he never kept anything confidential or sensitive.

These types of attacks can cause a mess for individuals, but for governments and large businesses they can be devastating. It has been well known that countries like China, Iran, Israel, and even the United States have executed cyber operations against various targets of interest hacking trade secrets and military plans. Often these attacks use flaws in software for which there isn’t yet a patch or fix. If you think protecting your personal information is challenging, try being a world super power.

Nevertheless, the last thing any of us want is to fall victim to phishers, hackers, and other computer criminals inhabiting the seamy side of cyberspace. But there are three simple steps you can take to protect yourself:

  1. Keep your software up to date. When prompted to install an update for software or operating system you use, do so. Nearly every software update published by companies like Apple and Microsoft contains some degree of security fixes. Not installing them is like never changing the oil on your car; eventually something is going to go wrong.
  2. Choose a passphrase, not a password. If you choose a simple password for accounts that contains your sensitive information, it isn’t the service provider’s fault that your account was hacked into. Instead of a 6 to 8-character password, choose passphrase that is easy to remember by impossible to guess. Think of a sentence or a phrase and toss in a few numbers and symbols.
  3. Don’t click on stuff. We are tempted every single day to click on links and attachments we receive via email or see in our social networking account. Be very aware that many of these will be malicious and cause your mobile device or computer to be taken over by a hacker. Once they do so, they’ll be sure to replicate the attack towards all of your contacts and friends.

Yes, these are basic tips, but surprisingly few people (and even sometimes fewer businesses) apply even the most basic of security controls to their digital world. They’d all be a lot safer if they did.

Today, the only place we can assume absolute security and privacy is in our minds. You can have an idea or opinion and no one could access our mind to expose it. You can think the most pleasant thoughts or the most damning ideas and no one will know except you – unless you choose to share it with other through some form of communication. Only true private information exists in your mind. No one can steal that. Yet.

One day, though, as I stated in a TEDx event talk, devices in the future may be able to read our thoughts. Imagine a dictator knowing you are out to get him, or reading your friends’ and co-workers’ minds.

Fortunately, we are many years out from this, but knowing how to deal with conventional threats today could prepare you for this mind-intrusive future.

[Image Credit: 1FlatWorld on Flickr]