Graham: It's something I get asked about a lot and I have been over the years a lot. It's like, "Oh, predict the future. What's it gonna look like in the year 2000?" I remember when people said to us, "Well, what will happen when there are a grand total of 10,000 pieces of malware? How will antivirus software curb that?" And today, we see hundreds of thousands of new pieces of malware every single day, every 24 hours. There's more than two every second which are created.
You know, the problem has just escalated so far, and we would never have predicted that. And we would never have predicted that nation states would be hacking into organizations or writing malware or stealing from banks in order to fund their nuclear weapons program, which I read about this week with North Korea. You know, it's absolute science fiction what's happening now. So, to predict what's gonna happen next feels utterly bonkers. All I can say is more of the same.
Caroline: From Cobalt at home and on a farm, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. My guest today, joining me from a sheep farm, although it is not his sheep farm, is Graham Cluley, who is well-known in our industry as an award-winning security blogger, speaker, researcher, and podcaster. Super fun to have a podcaster on the show. Graham's worked in senior roles at Sophos and McAfee. He's helped law enforcement agencies investigate hacking groups. He's also in the Infosecurity Europe Hall of Fame.
Graham, welcome. Thank you so much for joining me today.
Graham: Hello. Thank you very much for having me. It's a real pleasure to be here.
Caroline: So, Graham, what is it like to be a podcaster on someone else's podcast?
Graham: It's fantastic. And you know why it's fantastic? Because I don't have to do any of the editing. I don't have to clean up...
Caroline: Thank you, Mary. We appreciate you.
Graham: Oh, what? You don't edit it yourself?
Caroline: I don't edit it myself. I used to, and I actually will say it is an activity that I enjoy very, very much.
Graham: I have to be honest with you. I actually love editing as well. I probably love editing the podcast more than anything else. The only problem with editing is just how long it takes. The number of nights I've been up till 3:00 in the morning trying to make something sound right.
Caroline: It is fun though. It's fun. It's the art, I think that there is more room for art and creativity in our field, and podcast editing gives us a little bit of that.
Graham: Yeah. Well, I don't know if the podcast I put out is a masterpiece. What we try to do in "Smashing Security" is we try to make it accessible to anyone, you know, including the non-nerds. So, we're trying to make it interesting. We're trying to make it fun, and we have fantastic guests on. And sometimes they'll be telling us a story, and they get a little bit confused or muddled or they use the wrong word. And we think, oh, that would've been so much. If they'd just said that sentence 30 seconds earlier, it all would've flowed so much better. And then I'll let you into a little secret, we sort of move the occasional bit around.
Caroline: Ooh, Graham.
Graham: I know. I know. Fake news. Fake news.
Caroline: My goodness. My goodness.
Graham: You've got an exclusive here now.
Caroline: Tampering with the witness is what I'm hearing about. No seriously though, Graham, I think that what you and "Smashing Security" do is provide a really important service to the world because if security is something that only nerds can talk about, we are never gonna solve this.
Graham: We're doomed. Yeah. We're doomed. Because everyone has a computer in their pocket, right? Everyone's doing online shopping. Everyone's capable of being phished. And, you know, it's regular individuals who are in the workplace or working from home who are making decisions about what link to click on or whether to enter their password here or what their password should be. So, we are all really...we all have to be security savvy, whether we like it or not.
Caroline: That's absolutely right. My father-in-law called me the other day, and he said to me, "Caroline, my computer's not working. And I'm on the phone right now with someone who's insisting that I pay him money." And I was like, oh my gosh, you know, this is just...so this was in 2021. And I thought this is so 2021. You know, despite the fact that actually the first ransomware attack happened in 1989. Graham, this podcast is supposed to be about you. Tell me about you. How long have you been working in cybersecurity?
Graham: Oh my goodness, can you believe? I've just celebrated my 30th year in cybersecurity.
Caroline: I love it. That's badass. That is...
Graham: No. Is it?
Caroline: Yes. Yes, it is.
Graham: I just think I haven't found something better to do.
Caroline: Is there anything better to do than work in cybersecurity? I don't know.
Graham: Yes. Yes.
Caroline: How has that sheep farm thing been going? Have you been looking over at the shearing and thinking maybe I should do that instead?
Graham: I'm not quite manly enough to shear a sheep, sadly. I don't think I'd be... They're pretty tough these sheep. No, the sheep don't belong to me. The farmer lets me live on his farm, which is very kind of him. But, yeah, I mean, I just think, you know, it's a long time to do anything really. I mean, when I look back over my career, I think, "Well, what have I really done?" All I've really done is tell people turn on two-factor authentication and choose a sensible password.
I mean, does it really come down to anything more than that? There may have been a little bit more besides that, but it's a strange thing to base a career upon, I think.
Caroline: I think our careers and our lives, they are all so meaningful and then also trivial. I read a book last year called "Four Thousand Weeks." And this year, I will actually pass the 2,000-week mark, and I get to think to myself, "What will I do with my remaining 2,000 weeks?"
Graham, tell me if the past 30 years has been, "People, please use two-factor authentication. Let me teach you about what a strong password is and then also password manager, because I understand you have 100-plus accounts," what will the next 30 years look like for this industry?
Graham: Oh, you know, it's something I get asked about a lot and I have been over the years a lot. It's like, "Oh, predict the future. What's it gonna look like in the year 2000?" I remember when people said to us, "Well, what will happen when there are a grand total of 10,000 pieces of malware? How will antivirus software curb that?" And today, we see hundreds of thousands of new pieces of malware every single day, every 24 hours. There's more than two every second, which are created.
You know, the problem has just escalated so far, and we would never have predicted that. And we would never have predicted that nation states would be hacking into organizations or writing malware or stealing from banks in order to fund their nuclear weapons program, which I read about this week with North Korea. You know, it's absolute science fiction what's happening now. So, to predict what's gonna happen next feels utterly bonkers. All I can say is more of the same.
You know, the fundamental problems, I think, will carry on existing. The fundamental problems of how hackers break into systems, how they trick people, the social engineering tricks, things like social engineering, that's not gonna change because humans aren't gonna change, and it's not a technological problem. It's a human problem.
And so those sort of attacks, they may be dressed up in other ways. And they may sometimes involve new types of technology, some of which, you know, we may not have even imagined yet. But, fundamentally, they remain the same. That's for the rest of it. Lord knows. You know, things have changed so much. And this whole cybersecurity...
When I started in...I started off by writing antivirus software. And back in those days, there were 200 new viruses every month. And it was a bit of a cottage industry. And most of the people I spoke to didn't really believe that viruses or malware existed. They were still peddling the old, you know, conspiracy theory, "Oh, you guys must write the viruses. You know, you must do this to drum up sales and all that." You know, they sort of said cheekily, but they sort of half believed it as well.
And now no one feels like that because everyone knows that malware exists, and they know there's so much of it. There's no way the cybersecurity vendors could be churning it out. It has to be criminals who are doing it instead.
Caroline: Now, Graham, I've got a question for you about antivirus software. Today, there are vendors, and they call themselves next-gen. And what do you think about this next-gen?
Graham: Well, it depends what they really... I mean, sometimes they say next generation, and it isn't really, it's just the marketing people putting a fun spin on it. I mean, it's amazing how sophisticated some of the old antivirus programs used to be. It's just that their marketing was rather primitive and wasn't always extolling its virtues properly.
I mean, the truth is that anti-malware protection has continued to evolve year after year after year. And most of the antivirus products out there are pretty darn good these days. Although there's no such thing as a perfect antivirus, there's nothing which is going to stop absolutely everything and never make a mistake, they're generally doing a really good job, especially if they're being kept up to date.
And antivirus software as well these days, modern antivirus software, does a reasonably good job at stopping brand-new unknown stuff as well by looking at things like behavior, for instance. As we've seen new threats like ransomware emerge, they can look for that sort of suspicious behavior of a program accessing lots of files and trying to encrypt them. And it can say, "Oh, hang on a moment. That seems a little bit fishy. Maybe we want to pop up a warning to prevent that from happening anymore."
Caroline: Yes. You know, it seems as though there have been years and years now of refinement and evolution and continuing sophistication. And, to me, that might be thought of as an easier problem to solve than making something like this for the first time. You worked on the first-ever version of Dr Solomon's Antivirus Toolkit for Windows. What was it like then? What was it like when people, some people, didn't even believe that the problem you were trying to solve was a real one? How do you go from zero to one in a technology like that?
Graham: It wasn't always easy. I mean, on a practical level, writing the first version of Dr Solomon's Antivirus Toolkit for Windows was a real challenge because I was having to write it on Windows 3.0. And if you're old enough to remember that, you'll remember the general protection faults and the blue screens of death, and, you know, the operating system would continually crash as you were trying to write things. So, that was a challenge.
And many people were skeptical of the idea of running an antivirus on Windows anyway because the thought at the time was, well, if you're scanning for viruses, you should boot up from a floppy disk, which is write protected, boot up into DOS and scan that way. That way, you know nothing else is running beforehand. But, you know, these days computers don't have a floppy disk drive. In fact, they probably haven't had them for 20-odd years. So, that's not an option.
One of the funny things was back then writing for Windows, the reason why I got that job writing the Windows antivirus. I went for my interview with Alan Solomon at Dr Solomon's, which was the company I was working with, and Alan Solomon said, "I'm gonna make you the Windows program." And I said, "Look," I said, "that's very kind of you." I said, "But I've never written a Windows program in my life." And he said, "It doesn't matter." He said, "No one's gonna buy the Windows version of Dr Solomon's." He said, "We are just doing it for marketing." He said, "I'm gonna write the OS/2 version." All the businesses are gonna want the OS/2 version because Windows was considered a joker's operating system.
It was like a little fluffy thing you might have, oh, how cute they've done a Windows version. But it was thought at the time that businesses and serious businesses like banks would be running OS/2 instead. And as we know, OS/2 died and Windows succeeded, which meant, oh, crikey, people really are going to be running my software. I better make sure that it's actually doing a good job at finding the viruses as well.
So, you know, it was a bit of a wild west back then. I have to say it was huge fun, probably more fun than it is now because it was more of a battle of wits, I think, then between the virus writers and the antivirus guys way back then. Interestingly, the virus writers, they took a lot more care regarding their work. There's a lot more pride. They would spend months and months writing a piece of code which they thought would be undetectable by an antivirus program, whereas now most of the malware writing is just sort of conveyor belt. It's just churned out huge numbers every day just trying to infect a small number of people. And then they write another one, and then they write another one, or they have programs which do it for them. Whereas there used to be more of an art to it than there is today.
And I kind of miss that in a way. I think it was a more sophisticated time in some ways not to say, of course, that there aren't sometimes extremely sophisticated pieces of malware being written today, sometimes even as we've discussed by countries who might be involved in state-sponsored hacking.
Caroline: Yeah. It's interesting actually to ponder that. You know, I think, at this stage, we can think of the viruses of old times almost as being romantic in a way. I think there's a way in which, you know, we can think of those folks today who might be considered cyber criminals, you know, to be very clever. I think there's always been this really interesting thing from my perspective about the good folks and the bad folks.
You know, and I think there's an assumption that folks like you and I, Graham, are the good ones, but what is that all about? You know, I'm getting a little too philosophical. I actually wanna talk about more kind of current events if you will. Of course, at this point in time, the most popular malware it seems, the most successful is ransomware. And what are your thoughts on ransomware?
Graham: Well, it is a huge danger to companies because what the bad guys have found is a way to properly monetize malware. And that's why there's so much ransomware out there, is because other gangs, other criminals realized, crikey, we can make a huge amount of money here with relatively little chance of being caught. And it's worked extremely well for them.
In the past, there were ways of monetizing malware. One of the ways might, for instance, be to convert your computer into a bot, and then they would take over your computer, and then they will rent out your computer maybe as part of a denial of service botnet or maybe as a spam botnet. And they'd be able to make some money that way. You know, that's one of the common things we used to see malware doing, and that would just make, you know, a small amount of money for each PC that's infected.
But with ransomware, they can make literally tens of millions, hundreds of millions from ransomware. Huge, huge amounts of money is being made. And as a consequence, we see traditional crime gangs realizing, "Well, hang on a moment, we don't need to go and rob banks anymore. We don't need to kidnap people, which is all rather dangerous, and, you know, there's a physical risk to us. Why don't we get into this cybercrime thing instead?"
So, I think what we've seen is a huge rush of criminals getting involved in ransomware, and this ecosystem has grown up over time where it's not just the people who are engaged in ransomware, but also people who are offering ransomware as a service. So, even if you are just, you know, a tin pot little criminal who don't have the...maybe you don't even have the resources to code a piece of malware, but you can go on the internet, you can find these gangs, and you say, "Well, could I rent part of your ransomware from you because there's a company I'd like to extort, and I'll give you 15% of the money, and I'll keep the rest of it myself?"
And so there's all this infrastructure now involved in making ransomware as a tool, as something to hit companies with available to really anybody at all. So, if you did have a criminal bent, you know, it's understandable people getting involved in it.
Caroline: Yeah. It's really quite brilliant. You know, I'm thinking to myself, I could use a little cash on the side, you know, maybe I should be looking into it myself, you know, but, of course, there's someone who is a traditional criminal. There is someone who maybe is curious and wants to experience firsthand the economics of running ransomware. And then we have these state-sponsored cybercriminals. Graham, what do we need to know about the state-sponsored ones? It sounds so scary.
Graham: It sounds scary. Doesn't it? And I think, for some large organizations, it is possibly something that they're worried about. My advice generally is you shouldn't lose too much sleep about a country attacking you or using its state-sponsored hackers to attack you because if they really are determined to get in, they are going to get in. And I think you should probably spend more effort trying to deflect the attacks from the regular criminal gangs rather than, for instance, a group who are supported by the Chinese People's Liberation Army or the North Koreans.
Because if they really want to hack into your company and gain access to your data or gain access to your customers, they are going to perhaps have a zero-day up their sleeve, which they can try and exploit to infect you. They may also do reconnaissance on your business and find out what you are relying upon and try and find the weak points, but they can go further than that. They would have no qualms, and they certainly have the budget to plant a person inside your company if they really want to or to offer someone inside your company a huge amount of money. And we've seen cases where this is happening.
There's a well-known U.S. car manufacturer, and one of their employees was approached by a Russian criminal and offered X million dollars to plant a piece of ransomware on their production line because they... You know, and, thankfully, that employee was an honest chap and went to his bosses and said this has just happened and they were able to catch the person who was trying to tempt him. But, you know, those sort of attacks are possible.
And, frankly, what can you do? Because if they're an employee or if they've bribed one of your employees, they're people you've already given your passwords to. They're already people who you are comfortable using your network or coming into the office and logging in. And there's not a huge amount you can do if those people are really determined to cause trouble.
My general opinion is that, for most people, maybe not governments and maybe not some other bodies, but for most people, don't worry too much about them, instead worry about the regular criminal attacks, phishing attacks, worry about regular ransomware, worry about business email compromise, those sort of things. I think it's more important to try and get those dealt with and be hardened against those attacks rather than zero-day vulnerabilities and APTs and that sort of stuff.
Caroline: Yes. I like that advice very much. I do think that consumers and individuals have an opportunity to really focus on the basics, and all of the fancier more sophisticated stuff is really so much more outside of your control. But there is a lot that you can control, you know, and there is an opportunity to focus on, well, what is it exactly that you can control?
Now, you brought up this concept of insider threat. And I think this is very, very interesting, you know, particularly in never-ending pandemic time, which we currently live in, which also involves a lot more of us working remotely. So, Graham, how does this happen? Is it do you think more often the bribe type of scenario that you described, you know, an employee gets called up by the bad folks and offered a lot of money to install some malware, steal some information, whatever, or do you think it's more often that the bad folks are posing as legitimate employees?
Graham: Yeah, I think it's not so common the bribe scenario is my feeling. I think for as long as criminals are able to exploit human weakness and the social engineering challenges, for instance, the ability to dupe people, I think they're much more inclined to go that way than saying, "Here's a million dollars. Will you do something for us?"
So, I think the normal ways in which the criminals get in is it might be, for instance, something is poorly configured on your network. You may have a web bucket of information, for instance, which is exposed to the outside world where you don't have sufficient security controls in, and so they're able to access it and steal that data and then offer it for auction up online.
It may be that your users have chosen passwords, which are easy to crack, or the biggest problem is actually reused passwords, where you're using the same password for multiple things. And so, as a consequence, if your employee gets hacked in one place, if there's a data breach in one place, then the hackers will try and reuse that password to see what else it might open up and gain access to.
So, it's really about strengthening the security of your users in terms of, "Okay, let's make sure there's a proper password policy in place. Let's make sure they're not using the same password everywhere and that the password isn't a dictionary word, isn't easy to guess."
I mean, I use a password manager. I did count the other day. I have over 1,200 different passwords, and they're all gobbledygook. And you could take a crowbar to me, and I wouldn't be able to tell you what my email password is or what my Twitter password is because I simply don't know it. All I know is the master password for my password manager, which I've memorized, but the rest of them are just gibberish to me.
So, you need different passwords to different things, and you need to train up your employees to be more suspicious, I'm afraid. It's sad that we have to be more skeptical in this world, but I think that's the kind of world we live in now where we're exposed to so many people from...rather than those people we work with directly inside the office, you know, you are exposed to the entire internet, and anyone might drop you an email, or phone you up, or even show up in front of your desk claiming to work for the IT team and asking, "Can you verify your password?" or, "Can you give me this information?"
And before you know it, the hackers have gained access to some internal resource. And there's all kinds of ways in which they do this, but that's the most common kind of technique which is being used, I think, is just simple mistakes are being made. Security updates aren't being rolled out. Patches aren't necessarily being put in place, and staff, you're not applying the patch to people's brain, which means that they don't click on the dodgy links. They open the dodgy attachments, or they're choosing poor passwords. And so the hackers are able to gain access and then pretend to be that employee or gain access to everything that employee can access.
Caroline: Yes. Yeah. We have not figured out authentication. I don't know if we will ever figure out authentication. Graham, I have another thing that I wanna ask you about, which is IoT. I, for one, am not interested in having a smart refrigerator or a smart toaster or even smart lighting or anything like that in my home. You know, we are now living in the age of drones and sort of like smart everything. What are your thoughts on these?
Graham: Well, I gave you a hint as to how old I was earlier by the fact that I've been working in this industry for 30 years. So, you can probably imagine I'm quite a curmudgeon. And I similarly think, well, why do you need that? Why do you need an internet-connected toothbrush? Why do you need a web-enabled fridge, or why do you need devices in your living room which are constantly listening to you? Well, you know, I do not see the need.
I just think some people either have a surplus of money or they have an absence of frugality and common sense. I just think, "Well, are you really gonna use it?" So I think sometimes people who work in this industry, in particular, kind of love technology and they love the things it can do, but really does it improve your life that much, you know, to pay a subscription or to put all your data up in the cloud or to webcam your house? I'm rather more skeptical about it.
So, I'm already a curmudgeon about it, and then you bring in the fact that all these devices are manufactured cheaply by vendors you've never heard of for whom the last thing they sometimes care about is security and privacy. In fact, in the case of some devices, part of the monetization is actually, well, what can we do with this data? So, you don't know where these devices come from sometimes.
So, it's crazy. You know, it's just bells and whistles. Isn't it? But then, you know, I'm in my 50s. You know, maybe if I was in my 20s, I would be thinking, "Oh, yeah, this is so cool." But it's not for me. And I do worry about the poor security of many of these devices, which do then get exploited either for spying on people or launching DDoS attacks and other crimes as well.
Caroline: Yeah. Yeah. I'll be 39 this year. I also don't have an interest in it. I think the closest thing that I can have to understanding why people are interested is just consumerism. You know, just believing that if I buy something, I'll be happy. Graham, we are coming to an end for the time that we've got today. And I've got a very interesting question for you, which is, tell us, please, about what you consider to be your greatest accomplishment.
Graham: Oh, for goodness sake. Accomplishment.
Caroline: I know. It's so fun, right?
Graham: My greatest accomplishment will be getting out of this industry and finding something more sensible and grown-up to do with my life. I don't think it's happened yet. Oh my goodness. I mean, seriously, I suppose it's an accomplishment to still be in this industry after so long. I do have fun. Actually, I think that's an accomplishment. I have a job which I find fun, and I've always engineered it to be fun. I've never wanted to climb up the career ladder.
And, indeed, when I've been given people to manage in the past because I used to work for big companies, now I work for myself, but when I've been given people to manage, I've always been able to sort of engineer it so that the people I manage actually end up my managers, and so I don't have any of that responsibility, and I can just do the stuff I enjoy instead. So, I think I've done quite well from that regard.
And I'm now in a position where I can choose if I need to go to a meeting or not, or I can turn down work and say, "Actually, it sounds a little bit boring, so I won't do that. I'll go and do something more interesting instead." That I think is probably an achievement. And I should probably reflect on that more often and think, "Yeah, that's good, isn't it?"
Caroline: That is quite good. I too have been able to find moments of joy, and I'm in this really fortunate position where, similarly, I get to say yes to things I wanna do and I get to say no to things that I don't wanna do. So, I really think that's quite a perfect note to end on, you know, for our listeners to say do more of what you like and less of what you don't. Graham, thank you so, so much for joining me today. I appreciate your time very much. I've enjoyed this tremendously.
Graham: It's been a real pleasure. Thanks very much, Caroline.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a pentest as a service company. You can find us on Twitter @humansofinfosec.