Matt Lindsey’s mission is to ward off threats on the internet. As chief threat intelligence analyst, he leads a team of seven analysts who daily protect the computers at Oak Ridge National Laboratory from millions of cyberthreats. They form the lab’s first line of defense against sneaky attacks on its supercomputers from all over the world.
But the team lead of ORNL’s Security Operations Center also volunteers his time telling members of the public how to protect their personal desktop and laptop computers, smartphones and tablets, as well as their savings, from attacks by cyber thieves.
Lindsey calls “cyber education” important because “we’re all in this together and we all need to keep each other safe.”
His whimsical talk titles include “Don’t Let Phishing Catch You!” and, especially for fans of Netflix’s “Stranger Things,” there is also “Stranger Pings: What to Do When the Internet Goes Bad.”
The latter was the title of the slide presentation he gave recently to members and guests of Altrusa International of Oak Ridge. His goal was to provide attendees with “the tools and knowledge needed to stay safe online,” according to the Altrusa news release.
Don't panic at 'pop-ups'
He warned the audience that hackers trying to help them part with their personal information and money aim at causing panic, getting them to engage in hasty thinking and to make careless decisions. One example are “pop-ups” on the computer screen that, he said, use a “shock and awe” tactic. He showed a fake pop-up box with these words: “Microsoft Warning Alert. Windows detected potential threats on your computer. Call Microsoft.” The pop-up provided a fake phone number.
“I can tell you right now that Microsoft is never going to call you or take your call,” he said. “I work for a company that sends Microsoft millions of dollars a year, and I cannot get anyone on the phone. If I can’t get them, you can’t get them.”
He said the best defense against a pop-up is to close your browser (e.g., Google Chrome or Apple’s Safari), power down and restart the device and run an antivirus scan.
Beware of impersonators
The dishonest schemes that scammers use to get money, credit card numbers or other data from willing victims on the internet include “phishing.” Lindsey called this type of social engineering “an attempt by phone, text or email to send you a fake communication that’s meant to look like something that’s real. The scammer impersonates a representative of a business or service that huge numbers of people use or think they have used.” Examples include Microsoft and Amazon.
He noted that dishonest people use phone calls to impersonate an employee of a bank who alerts you that your checking account is overdrawn, of a church or nonprofit who seeks your donations, or of a technical support contractor for a well-known organization who is requesting remote access to your machine.
A scammer may inform you in a fake email message that your antivirus subscription has expired and that your credit card has already been charged, Lindsey said. The hacker may hope you panic enough to quickly click on a link or open an attachment, causing your machine or network to be infected with malicious software.
The hacker’s goal might be to get you to call a phone number to object to having your credit card charged, he added. Then an anonymous, kind voice may say, “I’m sorry, give me your credit card number and I’ll fix the problem,” in the hope of tricking a few easily deceived people into actually losing money from their credit card accounts. The solution is to avoid responding to the scammer and instead to call your credit card company to check on your account.
Lindsey’s advice to anyone using the internet or answering the phone is to “stop panicking, take a step back, think critically and re-evaluate the situation. Ask yourself questions like ‘Does this warning make sense?’ or ‘Does this person really know me?’ If you suspect that you might have a bank account problem, go to your bank or call the bank’s real phone number.”
He said that if a caller asks you to buy a gift card, “it’s a scam. Gift cards are a way of laundering money. They are easy to use and hard to track.”
He advised his audience to be aware of “powerful psychological tricks” used by telemarketers such as trying to win your trust by asserting that you and the scammer are part of the same community (e.g., graduates of the same school) or by giving you something (e.g., an emailed coupon or a stock tip) so you feel obliged to give the scammer what is desired, such as a password or credit card number.
“Sadly, the scammer leverages the way decent people interact with each other in a civilized society to your own detriment,” Lindsey said.
Protect your passwords
He then talked about password safety – ways to protect your passwords from being correctly guessed by hackers so they can steal your data. He said it is unrealistic for each of us to retain in our brains 120 different passwords at least eight characters long consisting of uppercase and lowercase letters, numbers and other characters for all our email and website accounts.
“Biometrics, such as fingerprint mapping, facial recognition and retina scans, as well as passcodes used with computers and smartphones, are coming to help, but slowly,” he said.
His advice is to create 25-character passwords that consist of a random collection of dictionary words, such as ReverseBatteryHorseStaple.
"If you have a password of over 20 characters, hackers will not try to guess it,” Lindsey said. “The fastest such a long password can be guessed, using a massive cracking array scenario, is 25.76 million trillion centuries!”
He also suggests using a password manager, one of the companies that will manage and protect your passwords for a small price. He mentioned three companies that appear in the list you will find if you Google “10 best password managers.” He added that limited password management is available for free through the Google Chrome and Apple Safari browsers.
He concluded his talk by discussing ransomware attacks, which have been in the news lately because large targets, as well as individuals, have been hit. Malicious software codes have infected computer networks of hospitals, city departments and even an oil pipeline company, encrypting computer hard drives, holding the targeted organizations’ data hostage and forcing a temporary shutdown of all computer-related operations.
“When you reboot your infected machine,” Lindsey said, “you get the message from the hackers that they have your data, and if you give them a certain amount of cryptocurrency, they will give your data back.” He added that sometimes hackers offer their victims “half off their extortion attempt if you respond in 48 hours!” If you pay enough bitcoins, you will receive the decryption key to unlock your computer’s data files so you can access them again.
He noted that in one weird situation in which a targeted individual had to receive technical support on how to buy and send cryptocurrency as a ransomware payment, that person then received a customer feedback form! Lindsey suggested mockingly that one question might have been, “Is there anything we could have done to make this extortion attempt a more pleasant experience?”
To keep your devices safe from ransomware attacks, Lindsey said, install available software updates as soon as possible to close security holes. Also, he advised everyone to constantly keep a backup of your most essential files – another piece of cybersecurity common sense.
This article originally appeared on Oakridger: Protecting your data: Tips from an ORNL expert