“Everything you’re doing in email is eventually going to see the light of day — either purposefully or not.”
- Vincent Steckler, CEO of digital security giant Avast, on the email hacking scandals, where leaks will come from next, and security — or lack of it — in the age of closed platforms.
- “The weakest link in any device is not the OS or an app — it’s the user. Most of the hacking that really causes harm is social engineering.”
- Does the fact that your iPhone has no security software make you feel “safer”? And is that actually how we’ll be tricked into being “hacked”?
Anyone who bought a laptop in the 90s and noughties knows the routine: the first thing you did was install security software, and periodically, you’d hit a button to sweep the hard drive, and pray that it finds nothing nasty.
These days, we take security for granted on our locked-down devices. When was the last time you even thought about trojan horses, keyloggers, rootkits, spyware, adware, and all the other stuff we used to worry about?
And yet data breaches, computer hacking and email leaks have driven international news agenda for the last year or so. So are we safer now or not?
TOA.life spoke exclusively to Vincent Steckler, CEO of security company Avast, and he explained that, in fact, we need to be more aware of online security than ever before: it’s just that the rules of the game have changed.
It’s an enlightening, future-gazing and eye-opening conversation. Vincent will be one of the fascinating speakers at TOA Berlin 2017 — tickets are selling fast.
TOA.life: We’ve really quickly stepped into a new era of cybersecurity driving the news, whether it’s Hillary’s emails, Trump’s leaks, or Wikipedia’s revelations. Is this glut of revelations the “new normal” — will we hear a constant stream of email leaks now?
Vincent Steckler: “It’s absolutely the new normal — it’s a more efficient way of digging up information and distributing it. Trying to find negative information or even planting false stories — that’s not new. But the ease of which it can be done or the scale — that’s new.
“It’s not that the presidential campaigns themselves are doing any kind of the Nixon-era “dirty tricks” and trying to illegally dig up that dirt first-hand… but I think they are more than willing to take advantage of what might get out there by parties that may be friendly to their cause.
“Email hacking makes it a lot easier. People are very unguarded in what they say in their email. They’re very sloppy on the retention — you can get email histories going back years and years. It’s a very ripe target. There’s so much information there which makes it so valuable to hack into.
“Almost everyone gets sloppy. And It’s not necessarily that a politician is trying to get around records retention on their other government email — but sometimes it’s easier to use personal email. And so you’re going to get a lot of cross-pollination.”
“Everything you’re doing in email is eventually going to see the light of day, either purposefully or not.”
What is your advice to people for when they use email? How paranoid should we be?
VS: “Well maybe they should follow [the example of] Trump: he says he never uses email!
“But seriously, I think that if you’re in government service or in financial services — any place where email has to be retained — it is especially important to recognise that email is not the informal communication that you may think that is.
“I mean, you should be constantly deleting emails — but in many organisations, you’re not allowed to because of records retentions policy.
“So you should not be saying things in email that you wouldn’t have written in old-fashioned paper communications. And more informal discussions should be limited to in-person or by telephone.
“Everything you’re doing in email is eventually going to see the light of day, either purposefully or not.”
And that, presumably, will include emails that are out there which could bring down a government.
VS: “Well — email and records brought down the Icelandic government. But you also don’t want to advocate that corporate officers, government employees, or leaders should stop using email so they can hide what they do, and circumvent the fact that these industries and governments need to be above board.”
People have been talking about the Death of Email for a long time, and it’s not dead yet. But communication practices are changing — just look at the recent proliferation of messaging apps like WhatsApp and Facebook Messenger. What does the future hold?
VS: “Just like email replaced typewritten communication, one would expect that other communication channels are going to replace email over the next 20 years. And when I talk to younger folks, I’m surprised how many of them don’t even have an email account.
“That’s the next thing that’s going to be moving. Right now, everyone’s going to pay a lot of attention to locking down email. But that next generation of leaders aren’t indoctrinated in the use of email, so we’ll probably have an explosion — five or ten years from now — of leaks from social media channels, just like we have now from email.”
In that case, do you foresee security problems, on a technical level, from chat-based communication? Will you be able to protect them or are these platforms harder to deal with?
VS: “Avast is not really in the business of protecting the central repository: we don’t protect the Google infrastructure — they do it themselves. We protect the individual user from things like phishing attacks.”
“But because so much of — for example — Facebook messaging happens on mobile, through an app that is entirely controlled by Facebook, frankly there is virtually no way of providing security on it for the end user.
“For example, John Podesta got attacked through a spear-phishing attack. That’s a very common and successful attack. It can be protected against on the end-point — but Apple doesn’t want security products to be in the iOS infrastructure.”
One way of giving the perception that things are very secure is to not have security products!
But are devices not more secure today than ever before? It certainly feels that way when using them.
VS: “When you go to your banking website, you’d be hard pressed to find any information about what security steps you should take before using it. They don’t want to scare people away from doing banking electronically, because the alternative is to support those customers through brick-and-mortar banks, and that’s much more expensive.
“Everyone wants to give the perception that things are very secure. And one way of giving the perception that things are very secure is to not have security products! Phishing attacks can be detected through heuristic means and we can do a very good job of protecting against those. But if you’re using an iOS device — we can’t do it because it’s not allowed.
So what is behind this shift to not allowing security on devices — and what does it mean?
VS: “iOS was a game-changer in that it was a totally controlled operating system where Apple has to give permission for every application that you run on iOS — as opposed to Windows and MacOS where anyone who can write an application can distribute it on that platform.
“Apple has a totally closed iOS ecosystem, Google is trying to emulate Apple with a closed Android ecosystem, and now you see Microsoft trying to do a similar thing to Windows. The problem with all of that is that just making it a closed ecosystem doesn’t get rid of a lot of the security threats: it just makes it insanely difficult for security products to work in that closed ecosystem.
Internet of Things have no security and they’re on your network. So they’re now the weakest link, and they’re insanely easy to break into.
Then what is the solution? Hackers are getting smarter, damaging information can be spread instantly, and our devices are locked down. What gives?
VS: “What you can start doing is to move the security out of the endpoint, and move it into the gateway or into the cloud — and in those things you can now protect against email phishing and everything else.
“We released our first product just before Christmas: a secure router, where we build the security into the router and in the cloud, so that you can protect all your various devices — without needing to worry about getting anyone’s security products onto each of them.
“This will be so important with the Internet of Things: you can’t run security on a baby-cam, a coffee machine, or a hot water pot. They have no security and they’re on your network. So they’re now the weakest link in your network, and they’re insanely easy to break into.
“And these devices are going to start getting smarter. Internet-connected refrigerators are also being connected to Amazon — and will have your credit card information.”
Why have we been sold all these products without these security concerns addressed right from the start?
VS: “Well, because the maker of a coffee machine cares that it makes good coffee! Users right now don’t realise the security issues — maybe we need to see something like a seal of approval on of these connected devices to let us know which ones are secure enough to be used in our infrastructure.
“When we look around right now, we don’t really see any that are. Most of those devices are not designed to be used over the Internet — an Internet-connected coffee machine means that you can turn on the machine from your phone while you’re still in bed.
“But they’re connected to the whole network — and the network has an external connection, which gives the opportunity for someone to break in.”
With all of this in mind, as a society, what will our perception of security be in the next few years, as technology changes?
VS: “It’s hard to run a piece of malware on the iPhone. And Android and iOS are sexier than previous operating systems, but they fundamentally are not much more powerful than the initial version of Windows. These are not multi-processing operating systems: users can only do one thing at a time.
“So these are very primitive operating systems right now, and they’re also fairly secure; because malware has to be running in parallel with other apps and get data from them for it to cause harm.
“The big explosion of malware on Windows really happened as the Windows ecosystem got complex, and the operating system got much more powerful. Users wanted that power.
“So for how long are users going to accept a big tablet that can only do one thing at a time? I see the mobile operating system over time getting a lot more complicated, and that’s going to bring a lot more security risks.
“And the weakest link in any device is not the OS or an app — it’s the user. Most of the hacking that really causes harm is social engineering. Ransomware is social engineering, theft of passwords, theft of email accounts — it’s all social engineering.”
This conversation has been edited for clarity and length.
If you enjoyed this article, please consider hitting the ♥︎ button below to help share it to other people who’d be interested.
I want it all, I want it now: David Saenz, COO of Stuart, explains how in the future, everything we want will be delivered straight to us — instantly.
Get more than high: smoking cannabis to find your higher calling: Jazmin Hupp, Founder of Women Grow, found direction and happiness — thanks to cannabis.
