
Mumsnet webchats

WEBCHAT GUIDELINES: 1. One question per member plus one follow-up. 2. Keep your question brief. 3. Don't moan if your question doesn't get answered. 4. Do be civil/polite. 5. If one topic or question threatens to overwhelm the webchat, MNHQ will usually ask for people to stop repeating the same question or point.


Webchat with Graham Cluley, computer security expert, Wednesday 2 September at 1pm

103 replies

BojanaMumsnet · 01/09/2015 10:50

Hello,

After the events on Mumsnet over the last couple of weeks, lots of you have been asking questions and sharing advice on how to stay safe online.

So we’re pleased to announce a webchat with Graham Cluley, an award-winning computer security blogger, researcher and public speaker, to tackle your cyber-security-related questions.

Graham has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

He was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Visit his website here.

Please do join us tomorrow Wednesday 2 September at 1pm or post a question for Graham here in advance if you can’t. As ever, please do remember our webchat guidelines.

Thanks
MNHQ

Simurgh · 02/09/2015 12:31

Good afternoon Mr Cluley

What would you say was the desirable balance between personal responsibility for IT security and what the average user should be able to expect of the systems they use?

CFSKate · 02/09/2015 12:49

ISTR something in the news about Samsung televisions using the internet to spy on people?

tharsheblows - "If I have access to your house, I can hack your account's password within a few days." That's frightening. Internet just looks like a thousand different ways to be at risk, and I can't always tell which ones apply to me, or what I have to do to be safe.

leedy - I wouldn't call those hours wasted, Humbug was a brilliant game.

lavenderdaisies · 02/09/2015 12:59

Hi

The swatting attacks really shocked me. I mean, why?! Is there a history behind this?

Also wondering what else I don't know about hackers' tactics beyond keyboards and screens. Or has real life harassment always been a part of hacking?

Thanks for coming to do this webchat.

GrahamCluley · 02/09/2015 13:00

Testing testing, uno dos tres...

dontstopmenow · 02/09/2015 13:01

What would your best advice on usernames and passwords be for a user like me - can't retain information for more than a day or so and I would have no hope of remembering passwords if they were not written down! Thank you.

GrahamCluley · 02/09/2015 13:02

Hi everyone, thanks for sending in messages or joining the chat.

Thanks to the folks at Mumsnet for organising this - I would have loved to have made it to Mumsnet Towers to check out their collection of biscuits, but today I'm sitting in my home office in leafy Oxford, having spent half an hour limbering up my typing fingers in readiness...

There's plenty of stuff to talk about - from how to keep our children safe online, how to keep our personal information out of the hands of hackers, scams on social media sites like Facebook, and the never-ending headlines about companies having their databases stolen.

Ready? Let's do it!

GrahamCluley · 02/09/2015 13:05

@DoctorTwo

I run a Linux Distro (Fedora 20), which means (if I understand correctly) that Redhat will soon be discontinuing support because they're 3 or 4 versions ahead.

My question is in 2 parts: 1/ Do I continue to run Fedora 20 but protect it with a Linux specific av system or do I bite the bullet and wipe my hard drive and install the latest edition of whichever Linux distro is best for me?

My pc was running XP until MS stopped support and it doesn't have sufficient disk space/enough RAM/fast enough processor to run Win7 which is why I went down the Linux route.

Woah! Straight in with the nerdy questions.. :)

Hi DoctorTwo! (Not sure if that is a fan reference to Patrick Troughton or David Tennant, but it works for me).

Whatever operating system you choose, it's essential to keep it up-to-date with security fixes. Yes, running an anti-virus program - even on Linux - is a good idea as you don't want to be spreading malware, but it's no replacement for keeping your operating system patched.

The sad truth is that anti-virus software isn't a magic crystal which wards off any digital nastiness coming your way. Anti-virus is an important element of a layered defence for your computer, but it cannot be relied upon as the sole defence.

Windows XP, as you're aware, is now no longer supported and is most definitely not safe to use on internet-enabled PCs. To be fair to Microsoft, they did give several years' warning of this, but that doesn't help those people who might need a newer computer to handle switching to - say - Windows 10.

LineyReborn · 02/09/2015 13:05

What do you think happened to Mumsnet when it was hacked? How bad was it?

GrahamCluley · 02/09/2015 13:06

@leedy

Can I tell him about how I wasted hours of my life playing his text-only adventure games?

Hi leedy.

Don't feel bad about it. I wasted years of my life writing them. :) In fact, the computer games I wrote at college were the reason I ended up in the computer security industry. It's a long and involved story, involving a packet of cheesy biscuits.

ChristineDePisan · 02/09/2015 13:06

Hi, can I second the question about how safe it is to use Facebook to log on to another site? Personally I am incredibly uncomfortable about making the link between my real life identity (and a plethora of personal information, both mine and my friends) and something like MN which is largely anonymous.

HannaClotta · 02/09/2015 13:07

Not Pom bears? Is that really you Jeffery?

GrahamCluley · 02/09/2015 13:07

@JeffreysMumisCross

I wanted to ask about password managers - in the aftermath of hackergate, a few people on here mentioned that they use these. But, how safe are they? Can they not be hacked? Wouldn't you be putting a lot of faith in the company whose software you'd be using?

Hi JefferysMummyisCross, or to use your encrypted name 0A2982BCAE91C79AA868BAF0F5D6933F.

I'm a big fan of password managers. They're the software that remembers all your passwords for you, generates complex passwords for every new website you join and - crucially - stores them securely.

The truth is that if you left passwords up to your own brain most of us would either choose really dumb passwords (123456, password1, letmein, Orland0Bloom), re-use the same passwords on multiple sites, or fail to remember them.

None of those are good options.

So, yes, it's technically possible that a password manager could be hacked, or the master password you chose to secure it cracked. But I believe it's a much smaller risk than a site you are a member of being attacked, or the very real human risk that you will have accidentally slipped into poor password practices.

Also, if you have a password manager on your smartphone that syncs with your desktop or laptop computer, it's a heck of a lot easier to enter your password than pecking away with your finger.

I recommend to all of my friends and family that they use a password manager - and they now couldn't live without them!

Do it. You won't regret it. Just make sure you choose a strong password to secure your password manager.

GrahamCluley · 02/09/2015 13:09

@JeffreysMumisCross

Another question, more out of idle curiosity than anything: how often do hackers actually get caught and successfully prosecuted?

Hi JeffreysMummyisCross again,

Unfortunately, a lot of hackers do manage to successfully escape prosecution. In some cases they may have sufficiently covered their tracks, and used anonymising techniques to disguise their location (it's easy for anyone, for instance, to launch an attack from Belgium but to make it appear as if it originated in Brazil).

Also investigating cybercrime is complicated and expensive. When a case goes international - as it often does - then the authorities have to work with police forces in other countries, in different time zones, and different languages. Inevitably this leads to greater expense, and depending on the scale of the crime there may be an unwillingness to see it through to its conclusion.

It's also worth bearing in mind that it can take years for a case to reach its conclusion.

In some cases, hackers have been identified but there is an unwillingness to prosecute locally, or they get off with a light sentence compared to what they might receive in, say, the United States or UK.

All that said, computer crime authorities are getting better than ever at investigating online crime, and there have been some tremendous successes in the fight against the bad guys.

We shouldn't give up.

CFSKate · 02/09/2015 13:10

It seems like the questions divide into two types, first when bad guys deliberately target us through security weaknesses, and second the dangers of things like Facebook and personal information online, just the dangers in how it all works, of which one can be largely ignorant.

GrahamCluley · 02/09/2015 13:12

@ItsAllGoingToBeFine

How secure is a password manager like LastPass as opposed to eg Chrome's built-in password manager in terms of being hacked externally as opposed to someone having physical access to your device?

Hi ItsAllGoingToBeFine

A subtle question - thanks! You've correctly identified that there are two threats here - the external evil hacker threat, and the threat of someone with physical access to your device.

If I had to choose between LastPass and Chrome's built-in password manager I would choose LastPass. That's because LastPass offers additional levels of security such as two-factor authentication to defend your crown jewels - your passwords!

Of course, LastPass is a potential target for hackers, as they are securing passwords for so many people. But I know that they also take security seriously, and when there have been security scares they have responded rapidly and transparently.

But then, there are probably even more people who use Chrome to remember their passwords - making it a bigger target still.

If someone is utterly determined to get your passwords it's hard to stop them - they'll perhaps use a zero-day vulnerability to install spyware on your computer, and intercept your passwords regardless of how they are stored.

If it was my computer and I had to choose, I wouldn't get Google Chrome to remember my passwords for me.

GrahamCluley · 02/09/2015 13:14

@OnlyHereToday

What is the best way to restrict the gazillions of devices my DC have connected to the internet at home please? I use safe search on Google and YouTube (doesn't work for YouTube on an iPad btw, which is terrible of iOS) and the mobicip browser but blimey there is some unsavoury crap that they stumble across.

Hi OnlyHereToday

Modern operating systems have parental controls built in, which can help you choose which websites your children can access and which should be blocked. In addition, there is paid-for parental control software out there which may offer you greater granularity and take some of the headache out of policing this.

I don't know about your particular router, but some come with parental controls built in which allow you to put additional safeguards in place which are device-independent, restricting access, hours of use, and even phishing websites.

Without getting too nerdy, it's also possible to filter content at the DNS (Domain Name System) level using services like OpenDNS.

The beauty of doing it at the router or DNS level is that it will work not just for your desktops and smartphones, but also for your game consoles, TVs and anything else net-connected.

And by the way, I agree that there are some terrible things on YouTube. Even some of the ads shown between videos about car toys are unsuitable in my opinion. Google should be ashamed for making it so easy for kids to see it.

ItsAllGoingToBeFine · 02/09/2015 13:15

Thanks Graham

GrahamCluley · 02/09/2015 13:16

@MrsRabbitsTwin

I agree with Leedy. Humbug is better than Jacaranda Jim.

GrahamCluley · 02/09/2015 13:17

@ItsAllGoingToBeFine

Thanks Graham

Other password managers are available. 1Password, KeePass, Dashlane, etc etc. Anyway, good for you. Any decent password manager is better than no password manager.

ImperialBlether · 02/09/2015 13:18

Can I please ask a question here on behalf of some women who have horrible partners?

If a person suspects their partner knows a little too much about their lives, including stuff they've not been told, making them think they are accessing their accounts, what could they do? Assume they have a phone and a laptop/tablet.

HannaClotta · 02/09/2015 13:18

Hi Graham,

Totally non nerdy question.... Given we only have an hour, can you recommend the best places on the web (or elsewhere) for a complete novice to better educate themselves about online security. General info, advice and the best software to use?

There's so much info out there, but it strikes me that you only know if what you're reading is reliable/any good, if you already know? Confused

Many thanks

GrahamCluley · 02/09/2015 13:19

@LibrariesGaveUsP0wer

Do you think we have been taught to fear the wrong things on passwords?

For example, we all know that you must not write them down. But actually, aside from family members risk, a 30 digit really random password hidden in a welly boot and different for each site is surely more secure than the compromise people often make - which is simpler or shared passwords across sites. (Talking about online shopping, forums etc rather than your bank account!)

Howdy LibrariesGaveUsP0wer

Great username and great point! Yes, most people have got the wrong idea about password security.

The biggest danger is that you re-use the same password on multiple websites.

Picture this - if imaginary online store XYZ Inc gets hacked and their customer database of passwords is stolen, the first thing that the hackers will do is see if those same passwords will unlock victims' Amazon accounts, eBay, Gmail, etc etc.

You MUST have different passwords for different websites. And because, if you've chosen strong passwords, you have as much chance of remembering the passwords as I do of catching smoke in a butterfly net, you need a password manager to do the remembering for you.

Then the only thing you need to do is choose a really strong password for your password manager - and remember THAT!

Spydra · 02/09/2015 13:20

I've read a bit about Windows 10, where Microsoft seem to be stepping up their "surveillance"

How real is the risk from companies like Microsoft (and anyone who hacks into their ream of data on users) or is it scaremongering by tin-hat wearers?

And a follow up question, is it safe to be on Mumsnet's Insight panel - where you have to provide your real name and address?

GrahamCluley · 02/09/2015 13:20

@Girlwhowearsglasses

Don't you think it's time that banks and simon give US security when they ring us. It cuts both ways and I don't like answering security questions from someone who 'says' they're XYZ bank. I tell them I will call the bank back on the number I have for them when they call, and they often sound confused when I say I'm not telling them my address, password characters etc.

Hi Girlwhowearsglasses

Good for you! Yes, there are too many scammers out there who ring up pretending to be, say, your bank or Microsoft or whoever, in order to trick you into handing over your personal information.

If they really are who they say they are, they won't mind you being skeptical and demanding proof of their identity. Just be sure not to ring the phone number they give you ("Just call our head office on 01234 567890") because that may be run by the scammers too. Instead, I would recommend checking out the company's website to find a contact number to call... and then you can take it from there.

GrahamCluley · 02/09/2015 13:22

@ANewDayANewName

Is it safe to log in to another site (eg mumsnet) using either your Facebook or Twitter credentials? What are the implications of using FB or twitter to log into another site?

Hi ANewDayANewName

When you log into third-party sites using Facebook, Google or Twitter, that's known as OAuth. The good thing about it is that it means you don't have to trust the third-party site with the responsibility of storing your password. If they don't have your password, they can't lose it. :)

Furthermore, if the likes of Twitter or Facebook decide that the third-party site or app is up to no good they could - if they liked - turn off access at any time. Always be careful about what rights you might allow the site or app to access information or post updates to your social network.

Whether you want the social network to know about the sites you use and log into is, of course, an entirely different matter...
