TECH
12/20/2012 03:32 pm ET

How Hackers Protect Themselves From Getting Hacked

When Adrian Lamo goes online, he leaves nothing to chance.

To log in to personal accounts, he uses a digital password generator -- a plastic key chain-like device that displays a new string of digits every 60 seconds. He adds an extra layer of security to some accounts by entering a special code that he receives via text message. And he uses browser extensions to avoid downloading malware by accidentally visiting dangerous Web sites.

Some techniques “may seem like a ‘Mission Impossible’ level of security to the average user," Lamo said. But the average user could learn a thing or two from hackers like Lamo, who are not only skilled at breaking into others' PCs, but have devised sophisticated -- in some cases, extreme -- methods for protecting their own.

It has become increasingly easy to fall victim to hackers, from downloading malicious email attachments to logging in to fake banking sites. An estimated 71 million people in the United States were victims of cybercrime last year, costing them about $21 billion in damages, according to a report this year by Symantec.

Cybercriminals are finding new ways to bypass traditional security methods like passwords and antivirus software. Hackers are now using free software that tests millions of commonly-used passwords in seconds. One tech writer who was hacked this year proclaimed that passwords are now obsolete. And many security pros say they don’t use anti-virus software because cybercriminals are testing their methods first against popular antivirus software.

So, if traditional cybersecurity methods are no longer enough, how does the average computer user defend himself?

Jeffrey Moss, a well-known hacker who goes by the online nickname "Dark Tangent," recommends disabling Javascript -- a popular programming language -- in Adobe Reader, because hackers often insert malware into PDF documents.

Moss also installs an extension for the Firefox browser called NoScript, which only allows trusted websites to run JavaScript. And he uses two Web browsers, reserving one solely for sensitive activities like online banking in case the other browser becomes infected.

"The trick is to never have a dangerous web page and a banking web page open at the same time," said Moss, the creator of the DefCon and Black Hat hacker conferences.

Two summers ago, I attended DefCon, which Moss hosts every August in a Las Vegas hotel. At the conference, where the world's best code crackers discuss the latest hacking techniques, a teenager in a purple mohawk warned me to carry a wallet with copper mesh lining because hackers could bump against my pocket with a card reader and steal my credit card information.

He also reminded me to only visit websites that start with "https" instead of "http" so hackers couldn’t eavesdrop on my Internet traffic on the hotel’s wireless network. Last fall, a free program called Firesheep was released, making it even easier for hackers to snoop on users via public Wi-Fi networks.

Lamo and other security pros protect themselves by using HTTPS Everywhere, a browser extension that encrypts online communications so hackers can't listen in.

Andrew Auernheimer, a hacker known online as “Weev,” also uses “off-the-record messaging” services, which ensure that no one eavesdrops on his online chats, enable him to identify the other participant in the conversation and leave no trace that the conversation took place.

“It’s a way for people to chat securely in real time,” Auernheimer said. “Pretty much everybody I know uses it. It’s about protecting your privacy.”

Auernheimer was recently convicted of illegally accessing AT&T's servers and stealing more than 120,000 email addresses of iPad users. Lamo is known for his 2004 conviction for breaking into the internal computer network of The New York Times, and for turning in Army Pvt. Bradley Manning for leaking classified military and State Department files.

Companies frequently issue “patches” to fix security flaws before hackers can exploit them. But that can takes several days or even weeks. Auernheimer says he can't remain vulnerable to attackers for that long. So he asks a security researcher to issue him a “hot patch” -- or a temporary band-aid that closes the security flaw until the software company fixes it.

For the average computer user, all of these measures might seem extreme. And Lamo said even his methods can't ensure total online protection. The best security method, he said, is a healthy dose of skepticism.

“Personal online security is less about fancy countermeasures and more about paying attention and not being gullible,” Lamo said. “All the technology in the world is not going to help someone who can't be bothered to double-check whether they are in fact on their bank's actual website before entering their login credentials.”

CONVERSATIONS