Interview with Roger Smith Amazon Number 1 Author on Digital Security
[Start of transcript]
Interviewer: Roger, why is it that people don’t take cyber security seriously? What is it that stops the individual from doing that?
Roger: I honestly think it’s a mindset. We’re surrounded by technology, and what happens is that technology is now produced for the sole purpose of convenience in usage. What happens is that we get a new app on our phone, or we get a new app on our laptop.
We can see that it does what we want it to do, but we don’t see what the underlying systems are doing behind it. And what we see of any computer system is 10% of what the system is capable of doing.
That other 90% is where the digital criminals are lurking and working on, because they can see an application might have coding that has been, I don’t know, removed but hasn’t been taken out of the system. So that functional capability in the software is no longer there, but the code for it still is and they will then target that type of situation.
Interviewer: So people are just naïve or lazy, or just incompetent, or aren’t thinking of these things, or what?
Roger: I think all of the above. I don’t think people really mean to do it, but I think it’s been something that we’ve been forced into in the last 10 years with the greater technology leaps and bounds that we’ve come up with. We don’t see how the underlying system is working.
Let’s just take Facebook for instance, alright? If you are using Facebook the way Facebook intends you to do, your security settings are practically nonexistent. You can—they can see exactly what you are doing and how you’re doing it, and why you’re doing it.
Whereas if you look at it and go “I need to increase my security to where people who are only people within my sphere of influence are going to be seeing my posts,” then that then takes you to a next level up in security.
The trouble is, with Facebook, is every time they do an update they always set everything back to defaults, and you’ve got to be very aware of that, because you have to be able to remember to check your security settings regularly. But it’s not something that is in the best interests of Facebook to do that. So they’re quite happy with you giving everybody’s information away to everybody else.
Interviewer: Wow. And that’s Facebook?
Roger: That’s Facebook. That’s just one. And that’s on applications. That’s on your PC. That’s on your phone. That’s on your tablet. Each one of them has a different component to it and also a different setting, a different security component as well.
Interviewer: How would the average individual know what you just said?
Roger: They won’t.
Roger: That’s the problem. It really is. I recently wrote a post for LinkedIn, and someone read it and accused me of being a fear monger. The trouble is, yes, technology has taken us from literally the stone age to where we are now. The trouble is, human mentality hasn’t kept up with it.
And some of the cyber criminals are in the realms of where we work. Very, very intelligent. They are very persistent. They are—they don’t care whether they steal your money or not.
There is, previously if you were walking down the street and got mugged, you knew that you’d been mugged. You knew you’d had things stolen. You had a break-in, the same thing. You knew something had been stolen.
The digital world, you can go 200-300 days without knowing you’ve been hacked. And that’s the difference between what’s going on at the moment. I’m not fear mongering. I really am scared of what is happening in the world.
Interviewer: Well, let me give you an example. The other night I was at dinner, and this lady was talking, a professional lady, highly qualified, well educated, sensible, smart person, was giving an example of where she had followed one of these links. And she was interrupted in what she was doing.
She came back and she thought, “Hang on. What am I doing this for?” And got out. So she was not—it wasn’t a Nigerian scam. It was something where she was giving things away to the wrong people. What could have happened in those circumstances if she had proceeded?
Roger: Most of the malware or the phishing email that we get is automatically generated by systems that are run by the cybercriminal gangs. Those emails are usually—we can usually pick them because they have bad spelling or they have bad grammar, or something is just wrong about the email itself.
Interviewer: They could be quite often just illogical.
Roger: Yes. Sometimes they get illogical, but the newest tactics that have come through in the last three months have got around the spelling mistakes. The grammar is accurate for an Australian. On top of that, if you’re sending an email from the ANZ Bank that’s got American in it, then that grammar component is going to make people pick up their ears and probably not click on the link.
But if you do click on the link, you will either be taken to a website that looks exactly like the bank’s site, with exactly the same places like login details, popups, the whole bit. Or you will be asked to install an application onto your PC. Either one, they are after your information, and they are after your access to either money or access to your technology.
Interviewer: So if you did click on one of those links and then clicked off of it, is that too late?
Roger: It’s too late. It depends. If it’s an application, Windows and Apple have this process where you have to click on the link and then authorize the installation. Or if your PC’s been set up with a mediocre understanding of security, things like a link on an email will not actually activate because you don’t have the rights to install it, and you will have to put a username and password in to install it.
That is one of your safeguards to make sure that you’re going to have malware installed. But there are applications now that are available, that don’t do that anymore, and it is one of those—it’s an expensive exercise if you actually do get caught.
Interviewer: Well, change of subject. Let’s just change the subject. On the subject of passwords.
Interviewer: We all know we need passwords, but just what is wrong with “password” being a password or “123456” being a password?
Roger: Good question. Passwords are notoriously horrible for a human to understand. Now there’s—all passwords, no matter what site you’re going to, should be complex, unique and longer than eight characters, ten if you can work out a way of making them longer.
Now the reason why they have to be long is because the bad—the digital criminal, has systems on the internet that actually target all of directory—dictionary-known words. So in other words, if you’ve got “Helpme” for instance, as a password, then because that is two dictionary words joined together, they have a good chance of being able to crack that password. That’s one problem with the passwords.
The second one is if you have three sites. You have Facebook. You have news.com, and you have some insignificant little website you went to one day to download a PDF, for instance. Now you used the same email address and username and password on every—all three.
This one over here gets hacked and they have their database stolen. That information goes into the criminal network. That information then is tried against millions and millions of websites on the internet in that combination.
So if you just used a password that you use everywhere else, it now makes your news, msn.com, vulnerable. It makes your Facebook vulnerable. It makes your PayPal vulnerable, all of that, because you left a singular username and password that you use across the internet. That’s one of the reasons why you have to have a unique password for every website you go to.
Interviewer: How many people would do that?
Roger: Five percent.
Interviewer: And they’re people in the know?
Roger: Most of them are, yes. But we’ve come across people who have been working for the defense department who have the same password that they use across the board. And you know, because we keep our ear to the ground of what’s happening in the digital world and what the digital criminals are doing, a lot of information gets released onto the dark web.
The dark web is literally where 99.9% of the people will never go, because you need specific hardware and software to get there. But in those areas, they have marketplaces, I suppose, is the best way of doing it. And those marketplaces have—might have stolen 12,000 usernames and passwords. Their going price is $10,000, and they will sell them.
What people forget is the cybercriminal now is in a business, the business of cybercrime. And they are running their empires exactly like a business. So if I can buy 20,000 usernames and passwords for $100, I will go off and do that because I’ve got a very good chance of being able to increase this spending by cracking those 10,000 people. And that’s what the problem is. It’s scary, isn’t it?
Interviewer: It is scary, yeah. It really is, especially because we all just take it for granted.
Roger: Yes. I think this is the thing. This, as I said, this argument that I’m having on LinkedIn, it’s irrelevant the fact that we’ve had trillions of billions of transactions that haven’t had—that have been totally secure, worked all the time, have done all the right things.
But if I make a transaction and that transaction fails, or I make a transaction and I click on a link that takes me into somewhere that I’m not supposed to go, and I give away my credentials, my bank number and my username and password, all that.
Who is liable? Does it come down to me for not knowing that information, or should I be able to go to someone and say, “Well why didn’t you secure your website?” Or, “Why didn’t you stop that email coming in?” Those type of things. But they don’t—we don’t think of those lines at the moment. We don’t think that we should be protecting ourselves. And that’s hugely a huge problem for us.
Interviewer: So have you got any examples of where people with simple passwords, like “password” being the password, have you got any examples where they’ve fallen over and really been a disaster?
Roger: Yeah. Earlier this year, there was a company called Hacking Team, and Hacking Team was a high-level internet space company that actually created malware for law enforcement to use when they’re targeting criminals. So they could download it, or put it on USB drives, and put it into people’s PCs and send them links on phones, all that sort of stuff. So what they were doing was literally what the bad guys were doing. So law enforcement had a way in to get at the bad guys. Well, they got hacked. In the wash-up in finding out what happened, one of the administrators had a password of “password.” Now, these are people who are, I suppose, immersed in the whole digital security environment, and even they slip up.
Interviewer: It’s like walking out at home and not locking your front door as well.
Roger: Yeah. Not locking your door, but leaving it wide open and the fly screen door, and leaving the dog in the back yard. Because there’s nothing there to protect you. There really isn’t.
Interviewer: [Shrugs] That’s just terrible.
Roger: Yeah. As I said, it’s a case of people don’t, I suppose, don’t focus on—they focus on the convenience and they focus on the simplicity. They don’t see the underlying requirements to make all this work. And cybercriminals are not—they’re not super intelligent. Some of them are. But they are using automated systems.
There was a news article recently, like yesterday, about a 9-year-old, an Indian boy, who is a qualified hacker. A 9-year-old. He now runs his own company and started to receive money from hacking. What do you do about that?
Interviewer: Call people like you, I presume.
Roger: I hope so.
Interviewer: And if people do call you, you’d be able to assist them, right?
Roger: Yes. I always will.
Interviewer: And of course like any business person, you’d have a fee to do that?
Interviewer: Have you got any broad approaches to how you would approach—how you would help a person, an individual, that’s got a problem?
Roger: We’ve got a number of programs that we implement for helping small business. We’re more focused on small and medium business and not-for-profit organizations because they really do need the help that we offer.
We’re not going to sell them a framework, or a system, that is going to cost them an arm and a leg and 20% of their revenue. What we are going to do is build a system around what they do. To do that, yes, it costs money, but it’s not as exorbitant as what people think.
Interviewer: So for a couple hundred dollars, the average individual will be able to have their systems assessed?
Roger: Yes. We are actually just about to launch a program that we’re calling “Buy Me a Cup of Coffee.” And what we do is literally have a sit-down, have a conversation about what you do, how you do it, what systems you’ve got in place and if you have the requirement to take it to another level.
We’re not going to tell you that you just spent $30,000 on all this new hardware, that you have to go and throw it all away and replace it, because that’s not how I roll. But what we are going to say is, “Yes, you’ve bought $30,000 worth of hardware, but have you upgraded your policies around that hardware?”
“Are you using the hardware to enforce your internet policies? Have you got a backup and disaster recovery, and business continuity system in place? And if you have, have you tested it? What do you do with it? Where’s the data being stored?” All of that information is information that people really forget about until someone comes along and says, “Have you done this?” That’s our job, is to say, “Have you done this?”
Interviewer: So people can contact you via the website?
Roger: Yes. We’ve got a number of websites. If you go to rniconsulting.com.au, and all the other websites are on there. We’ve got a blog site that we use as well, usually articles, videos, audios, anything about cyber security.
Interviewer: So are you suggesting this is really a personal responsibility?
Roger: Yes, I believe it is. Even to a business level, if you—we have a, I suppose, an insight into what happens in the digital world. And what we’re finding that as a business, if you educate your staff, then that education actually starts protecting your business in a large number of different ways because they actually start, your staff members then become paranoid about what is happening.
Not paranoid bad, but paranoid good. They actually start questioning things. And that’s what you want. You want people to start questioning what is happening. If I click on this, what’s going to happen? If I click on that, why did I get that email? How did they get my email address?
That type of questioning is what we need people to do. We need to step back that 10 seconds and go, “Should I do that?” And that really does increase your security tenfold.
[End of transcript]
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.