If you watched NBC Nightly News this past Tuesday (Feb. 4), you may have seen a report from Moscow that "visitors to Russia can expect to be hacked." On YouTube, the clip is entitled "NBC: All Visitors to Sochi Olympics Immediately Hacked" and has more than 800,000 views.
Unfortunately, the clip is extremely misleading. Everything that NBC correspondent Richard Engel and "top American security expert" Kyle Wilhoit do in their visit to Moscow (not Sochi) is designed to make certain their Mac, PC and Android phone will be infected by malware.
Even worse, none of what happens to Engel's devices in the clip is specific to Russia. All of it could just as easily have taken place in Rochester or Riverside. And all of it is quite simple to avoid.
Just asking for trouble
As Wilhoit, a senior threat researcher at the anti-virus software firm Trend Micro, has explained on his Twitter account and on the Trend Micro blog, all three machines were fresh out of the box. That didn't mean they were clean — it meant they were vulnerable.
None had installed the requisite system patches or security updates that all brand-new machines download when they first connect to the Internet. (The PC was set up with Windows 7 and Microsoft Office 2007, both of which are two generations of software old.) None had any anti-virus software installed.
All three machines were in fact set up by Engels and Wilhoit to be "honeypots" — which, as Engels explains in a separate "behind the scenes" video clip posted online, are "attractive target[s] left out in the open for the hackers to come at."
To be absolutely sure that the machines would quickly be infected, Engel deliberately engaged in security "worst practices." Specifically, Engel did the following:
— He allowed his Android phone to download an unknown application file, and gave permission to install the application when asked.
— On his PC, Engel clicked an unknown link in an email message he'd received from an unknown person.
— On his Mac, he agreed to install an unknown application suggested to him by an unknown website, and may have overridden Gatekeeper, the Mac OS X feature that would have prevented its installation.
Under such circumstances, Engel's machines would have been infected by malware anywhere in the world — in Moscow, in the Sochi Olympic village, in the White House or in Engel's own living room.
That wasn't clear in the report that NBC News aired. Instead, Brian Williams introduced the report by tying it explicitly to the Winter Olympics: "As tourists and families of athletes arrive in Sochi, if they haven't been warned, and if they fire up their phones at baggage claim, it's probably too late to save the integrity of their electronics and everything inside them."
Engel's on-air response to Williams seemed to be out of a spy movie: "The State Department warns that travelers should have no expectation of privacy, even in their hotel rooms. As we found out, you are especially exposed as soon as you try to communicate with anything."
(In response to a blog posting yesterday (Feb. 6) by security researcher Robert David Graham that called the NBC News report "100 percent fraudulent," NBC told Business Insider the report was meant to show that "a user is more likely to be targeted by hackers while conducting search in Russia.")
How to not become Richard Engel
The truth is that any computer user, anywhere, is "especially exposed" when he or she tries to "communicate with anything" over the Internet. That's why network firewalls, application sandboxing, Wi-Fi passwords, anti-virus software, code signing, message encryption and installation permissions exist.
Thankfully, it's really quite easy to prevent what happened to Engel from happening to you. Here's what to do:
— Install anti-virus software on every Windows PC, Mac and Android phone you own, and set that software to automatically update if possible. (For iPhones and other iOS devices, you don't need anti-virus software, as long as the devices aren't jailbroken.)
— Download and install all system updates and security patches on all PCs, Macs and Android and iOS devices you own. Set the devices to install system updates automatically.
— Turn on firewalls, both on computers and on network devices.
— On Android devices, go into Settings and make sure the devices are not allowed to install software from "unknown sources."
— On Android devices, read through the permissions demanded by each new app before you install it. If the permissions allow far more than the app needs to function — for example, if a game demands access to SMS messages — don't install the app.
— On all smartphones and tablets, keep Wi-Fi and Bluetooth turned off until you need to use them.
— On PCs and Macs, create separate administrator accounts to be used only when installing and modifying software. Make sure all other accounts, including the one you normally use, are limited accounts that can't add or modify software.
— Before traveling anywhere, set up virtual private network software on all devices, so you can connect securely even on insecure Wi-Fi networks in hotels, cafes and airports.
— Don't click on Web links embedded in email messages, or in Twitter or Facebook postings, from people you don't know. Be careful even when clicking links sent by people you do know.
— Don't open email attachments sent by people you don't know. If someone you do know sends you an attachment you're not expecting, confirm that he or she meant to send it before you open it.
As Wilhoit explained to Engel in the unaired "behind the scenes" video, "Purchase the actual anti-virus software and install it before you leave the country. Also, disable Bluetooth, on your phones, on your digital devices ... And then third, realistically, update all of your software as often as possible. Don't click on links that you don't recognize. Don't accept emails from people that you don't recognize. All of those things can be really good in prevention of these types of issues."