Graham Cluley on Privacy, IoT Risks, and Ransomware

April 9, 2018 • Amanda McKeon

Graham Cluley is well known in the cybersecurity industry as a popular speaker, writer, independent security analyst, and cohost of the Smashing Security podcast. He’s had senior roles at Sophos and McAfee, and is a member of the Infosecurity Europe Hall of Fame.

He joins us this week for a wide-ranging conversation, including his humble beginnings writing software to protect against malware before that was really even a thing, his thoughts on the latest trends and techniques the bad guys are using, and how we as a community should protect ourselves against them. And, of course, we get his take on threat intelligence, and why he thinks it’s playing an ever-increasing role as organizations stand up their cyber defense strategies.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 51 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Graham Cluley is well known in the cybersecurity industry as a popular speaker, writer, and cohost of the Smashing Security podcast. He joins us this week for a wide-ranging conversation, including his humble beginnings writing software to protect against malware before that was really even a thing, his thoughts on the latest trends and techniques the bad guys are using, and how we as a community should protect ourselves against them. And, of course, we’ll get his take on threat intelligence and why he thinks it’s playing an ever-increasing role as organizations stand up their cyber defense strategies. Stay with us.

Graham Cluley:

It’s been a long and twisty journey, to be honest. It all started around 1991, 1992, when I was a poor, impoverished computer programmer at a college, looking for a job. One day, someone saw one of the computer games I had been writing, and the person who saw that game was Doctor Alan Solomon who was the UK’s leading antivirus expert at the time. He was sort of the British version of John McAfee, although not quite — well, actually, quite a big character, but …

Dave Bittner:

It’s hard to beat John McAfee, right?

Graham Cluley:

It is, yes, yes. He is a particularly interesting case, and Alan said, “Love the games. If you want a job, let me know.” So I contacted him, and I was the first-ever programmer of Doctor Solomon’s AntiVirus Toolkit for Windows, and that was one of the very first antivirus programs for Windows.

Dave Bittner:

What was the state of security in those days? Writing an antivirus for Windows — how bad was it?

Graham Cluley:

Well, for Windows, there was no Windows-specific malware. The threat, really, was largely floppy disks. Many computers still weren’t on networks, even. Certainly, people weren’t on the internet.

Dave Bittner:

Right.

Graham Cluley:

But the most common type of malware, which was spread by floppy disk, was viruses like Form and Stoned. Really, there wasn’t a huge need for an antivirus program for Windows at the time, but I think it was mostly being written for marketing purposes, because actually, I remember at my interview, I said, “Look, Alan, I’ve never written a Windows program before,” and he said, “It doesn’t matter.” He said, “We’re not going to sell any of it. We’re going to sell the OS/2 version because any business which is serious about computing is investing in OS/2, not Windows.”

Dave Bittner:

How did that work out in the long run?

Graham Cluley:

I think we know how that ended up, don’t we?

Dave Bittner:

Right, interesting.

Graham Cluley:

Much to IBM’s chagrin. But it turns out that sometimes, the best technology doesn’t always win. Arguably, OS/2 was a much more grown-up operating system and was probably a better solution for companies than Windows. But Windows won, and over time, we began to see Windows malware, DOS malware, and the floppy disk malware began to disappear, and before long, we began to see email malware worms, people were connecting the computers to the internet, and the problem exploded. When I started in the computer security industry, there were something like 200 computer viruses every month, and I remember journalists speaking to us and saying, “How are you going to cope when there are 10,000 viruses in total? How are you going to be able to get all those definitions onto the floppy disk which you put in the post each month?” What we had to do was, we had to go to a three and a half inch floppy disk — more capacity, as you do.

Today, what is it — something like 400,000 unique samples of malware are spotted by labs every day. It’s more than two every second. So the problem has grown to totally science fiction proportions, which we never imagined, and that is one of the central problems we face today and why security companies have changed. Way back then, we took apart all the viruses by hand. We could write up detailed descriptions of every single quirk of the virus because we had the luxury of time. Today, we’re using computers and technology to do a lot of the analysis for us, and frankly, many times you’re not that bothered about exactly what it does. It’s more about, can you stop it? Can you prevent it from entering your organization? I used to do this party trick at shows — I’d be standing at the tradeshow booth and I’d shout out to people, “Name any virus and I’ll tell you what it does.” I used to be able to do that, and I think it was, probably … What are we in now, 2018? It was probably about 15 years ago or so, and I thought, “I can’t do this anymore.” Because the problem has gotten so big, and there’s no guarantee that I’ll be able to actually tell them exactly what it does. But back then, you could.

Dave Bittner:

Obviously, the velocity has increased all around. The computers have gotten faster, the rate at which these types of malware are being released has gotten faster. I want to just go through some of the threats that we’re facing today and get your take on them, because in the past couple of decades, to your point, there are things going on that I think, for those of us who have been around for a while, we couldn’t really imagine. We lacked the imagination to imagine the sorts of things that we’re dealing with today. The idea that we’d be dealing with these crypto-mining situations was unimaginable. What’s your take on that?

Graham Cluley:

Well, it’s bonkers, isn’t it? I’m calling it “crypto-mino-mania” at the moment because everyone is jumping on the crypto-mining bandwagon, whether it’s legitimate websites looking for a way to generate income because they found too many people running ad blockers or they aren’t making enough revenue, or it’s the bad guys planting Android malware into the Google Play Store, or criminals hacking into websites or poisoning plugins. It’s fascinating and it’s very different. What we’re seeing, actually, maybe is a slight trend away from ransomware, because ransomware is suddenly, I think — it was one of the big stories of the last few years.

Dave Bittner:

Isn’t that interesting? Yeah.

Graham Cluley:

It is, and it’s sort of a change. I think we’re seeing a change. They are very different things. Although there’s this Bitcoin or Monero element which is common between them, you pay the ransomware author through some cryptocurrency. Ransomware is very visual — it’s announcing its presence. Even the people in the accounts department are going to know something’s gone funny with Microsoft Excel when the big red screen comes up with the skull and a countdown telling you that you have to pay up, otherwise, your files are going to be deleted. Crypto-mining on the other hand — it’s in its interest to keep as quiet as possible.

Dave Bittner:

Right.

Graham Cluley:

It wants to be present for as long as possible in order to make money. One of the big giveaways, of course, is that your fan is going. It’s running so hard and hot.

Dave Bittner:

And that’s the part I don’t get. If the notion is to stay under the radar, then why not limit the … It just seems like crooks can’t help but be greedy. Why not limit the amount of processor time that you’re using to not have that fan spin up. To me, the perfect crypto miner would be one that runs on a security camera that’s 20 feet up on a wall looking at a parking lot — it’s still doing its job, and nobody even knows that in its spare processing cycles, it’s mining away at Bitcoin or Monero, or whatever.

Graham Cluley:

And you know what, I’m sure that will come. I’m sure, just as we have seen IoT devices, IP cameras, and those sort of devices compromised and hijacked by criminals to launch botnets, I am sure that we will begin to see more incidents where they’re actually being used for crypto mining, because who’s going to notice that something like that has happened? The other thing, of course, is if you are infecting computers, you could be a little bit sneaky and say, “Well look, people leave their computers on overnight, maybe we should only do this between the hours of 3:00 AM and 6:00 AM. Let’s go full throttle then, or maybe we should tie it in with the screensaver or something. If we identify that someone hasn’t used their computer for a while, then we’ll assume that they’ve walked away.” All kinds of tricks which could be done, but I think the whole irony of so many people jumping on this crypto-mining bandwagon is, look at the evidence as to how much these guys are actually making. The indication so far is that it may not be as profitable as people imagine.

When we saw these government websites recently hijacked by the poisoned plugin, the reports indicated that the bad guys only made 24 dollars. Four thousand websites were compromised. Now, literally only for about four or six hours, but 24 — it’s not really worth it, is it?

Dave Bittner:

Well, I can’t help wondering, is this truly a case of ransomware folks switching over to something else, or is this them seeing a potential new opportunity, dipping their toes in the pond of a new opportunity to see, well, the cost of going into this business is low, so let’s give it a shot?

Graham Cluley:

I think … I’m absolutely sure that is happening. I think, historically, we’ve seen a lot of that. People attempt something, saying, “Does this work? Doesn’t it work?” And when they discover the things which do work, they say, “Okay, we’ll forget the ones which didn’t. We’ll just concentrate on this.” That’s why you continue to see so much CEO fraud and business email compromise, right? Where you can get a huge return just by exploiting a worker who makes a bad decision and is tricked into thinking you’re the CEO or CFO, and they move money into a bank account. The rewards are considerable, but it works. That’s why you continue to see phishing attacks which aren’t very sophisticated, but boy oh boy, they work, and that’s why we continue to see letters from Nigeria, even, still working. Although, you and I, when we get those things, we sort of laugh and go, “This is so obvious.”

It’s so easy and cheap to send it to a million people, and it only requires a tiny percentage of vulnerable recipients to fall for it, and it’s been worth their while. I’m sure the tried and trusted is going to carry on being a problem for years and years to come.

Dave Bittner:

Let’s speak to that. With the phishing and that whole notion of insider threats. I think, top of mind — for me anyway, when I think insider threats — is the malicious person inside the company who’s maybe … An outsider is paying them on the side to sneak data out. But it seems to me that just as common — if not even more so — is the person who’s just going about their business at work and inadvertently causing security issues.

Graham Cluley:

Oh, absolutely. I’m sure that happens more often than not. You’re going to be pretty unlucky if someone is coming to your organization specifically with the thought of somehow stealing data from you. I’m sure it does happen when people are leaving the company under a cloud or going to a new job. They think it may help them to take some data with them and there have been cases, or for instance, security guards at banks who’ve planted keylogging malware in order to help criminal gangs steal large amounts of money. But I think, normally, what we’re dealing with here is accidental. It’s people who would be horrified to realize that they’ve put their company and their customers’ data at risk because of simple mistakes they’ve made. Sometimes, the problems I think for IT teams … There is this real challenge for IT teams, that they’re often viewed as the department which says, “No.”

So if you work in marketing, or something like that, and you say, “Oh, we’ve got a new product to launch. We want to give this new service to our customer,” and you go to the IT team and you say, “Can you help us set up a website which does this?” And the IT team says, “Have you seen what we’ve got to do? No, you can’t do that.” Or, “You have to wait your turn, and it’s going to be 18 months until we can do that project because we’re doing all of this essential stuff.” And then, someone in the marketing department says, “Well, I’m a bit handy with websites.” Or, “My nephew Brian, he can help us as well.” So you get these little shadow IT departments building systems which represent the company, which haven’t gone past the vetting eye of the IT team, and I’m sure that’s why sometimes, we hear these stories about companies who have left data completely accessible on the internet, customer data which hasn’t been encrypted, maybe in an Amazon S3 bucket that has been misconfigured, so it’s public. Anyone can go and scoop it up, and companies keep on being embarrassed by this.

Sometimes it’s been done with good intentions, but they haven’t considered all of the security issues, or they’ve made an honest mistake, or they chose a dumb password, or they left their private keys laying around in a GitHub repository, or whatever it was, and it’s poor you and me and the members of the public who end up being exposed because our credentials are there for anyone to just rifle through.

Dave Bittner:

I had a friend who worked at a company where they weren’t allowed to use Dropbox for security reasons, but everybody in the company knew that if someone sent you something on Dropbox, the way to get it was to log on to the WiFi from the Starbucks that was downstairs in the corner of the building, log in to that WiFi, and then, Bob’s your uncle, you can get your Dropbox files.

Graham Cluley:

Yeah.

Dave Bittner:

What a representative tale of what we’re up against here.

Graham Cluley:

That is so common. It is exactly that … it’s that you don’t — as the IT department — want to be the part of the company which says, “No.” You want to be able to say, “Well, tell you what, could you do it this way? Let’s give you an alternative method of doing whatever it is that you want to do. Maybe it’s sharing big files online or something which has been approved by us which will be our preferred system for doing it. That’s what we would like you to use.” So make it as fluent and flexible as possible for people to do their job because they’re experts at doing the marketing, they’re experts in the accounts department, but they may not be experts at IT. You’re the expert at IT. Give them a good system which works and works safely, over which you have visibility. You can make sure that it’s being used securely with proper passwords, and maybe two-factor authentication as well, because otherwise, people will find a way. It’s like water — it always finds some route through.

I’m sitting here in a rather damp house at the moment, as I’m in the UK, so I know that only too well.

Dave Bittner:

I do want to focus on threat intelligence for a few minutes. From your point of view, does it seem as though this is something that’s getting more attention? Are more companies finding themselves making good use of threat intelligence?

Graham Cluley:

I think, more and more, they are. I think, actually, one of the things which is driving it and suddenly helping it come into companies is that, finally, the board is understanding the threat, or at least, they’re understanding the repercussions of being hacked. They’ve seen the stories of other big companies who have suffered — some companies who have lost hundreds of millions because of a hack, or because of a data breach, or because of a malware infection. So they’re more likely to rubber stamp the IT department saying, “You know what, we need greater visibility as to what is actually going on out there, and we need some method to sort the signal from the noise.” This comes back to what we mentioned earlier about the vast increase in the amount of malware. It’s not just malware, of course — it’s vulnerabilities, it’s the communications of criminals online, as well. There’s so much information out there, and although it’s possible to scoop up some of that data, to really make use of it, you’ve got to turn that threat data around. You’ve got to give it some context.

Dave Bittner:

It also strikes me that there’s value in having an outsider help with that. To get out of your own way, your own predispositions, your own biases.

Graham Cluley:

Oh, absolutely, because it is just human nature to carry on doing things the way you’ve always done them. If you’ve come from another company, and this is how we did computer security, that’s what you’re comfortable with, and that, frankly, is a big enough job for many people rather than trying to sort out the huge amount of data out there. So if you can find companies who are experts at both collecting the data, but then actually doing the analysis, giving it some context, then you can begin to think, “What’s the likelihood of this particular threat being a danger to my company? What have we, as a company, got to lose?” That’s the other thing — looking at your own company, really understanding yourself as a company and the data you have, what your crown jewels are, and understanding what the real risks are. Then, you can match that up with, what are the threats that actually concern us? What are the things which are growing, what are the things which are trending, which potentially could pose a threat to us? Hopefully, with a good threat intelligence solution, that’s something that you can then find a way to communicate with the board as well, because they certainly should be interested in this.

Dave Bittner:

As you’re looking ahead, sort of looking toward the horizon, what do you sense is coming next? Do you feel as though, in the industry, we sort of joke about how artificial intelligence and machine learning have been the buzz words, certainly for the last year? Do you feel that that’s dying down some, and what might be the next thing to replace it?

Graham Cluley:

Well, I have every confidence that marketing departments will come up with a new buzz word. Once everyone is saying, “Machine learning and artificial intelligence,” there’s going to have to be something else, isn’t there, which people are going to start mentioning as well. I think, in terms of the threat, we are going to see more of the same, because that’s working very nicely. We’re going to see more attacks which are happening, stealing vast amounts of data. I don’t have a lot of confidence that many companies have still properly secured themselves and have gotten on top of these problems. Some of the old threats are going to continue as well. I think a big problem around the future is the appalling security of Internet of Things devices. With the lack of updating infrastructure, and as more and more businesses bring those kinds of devices into their organization, there’s potential damage which can be done to them as well.

Even little things like, for instance … Many of these IoT devices will be using open source code within them, and as we’ve seen over the last year or so, sometimes, a piece of open source code which is used hugely and widely across the world and has been around for 20 years is found to have some serious bug in it, and it’s like, “Well, that code is used in thousands of different devices. How are we going to get all of those devices to update and fix themselves?” That’s one of those fears which comes to me. I also heard, the other day, that one in 10 households in the UK — and I think a similar figure in the United States now — have these home assistant dinguses — I’m not allowed to mention brand names.

Dave Bittner:

Talking cylinders, yeah.

Graham Cluley:

Yeah, exactly. If I mention their name they’ll wake up and do what I command.

Dave Bittner:

And then people will send us the bill for the doll house that they buy, right?

Graham Cluley:

Yes, exactly. As far as we know — let’s touch wood — there are no known, serious security vulnerabilities in those, and I imagine the major leaders have got some decent updating infrastructure, but if a serious vulnerability was found in those, that’s potentially a big threat and a threat to our privacy as well, and that’s something which worries me. It’s interesting — we were talking about what the threats were 25 years ago. History repeats itself. In the last year or so, we’ve seen this return of destructive malware, disk wiping. The damage, which can be done to an organization when something, maybe sent in by a state-sponsored actor, is zapping your drives, losing your data, and just causing immense amounts of destruction, whether through ransomware and encryption, or just simply wiping. That continues to be a real threat, and so you need, as an organization, to think about, how are we going to recover in a prompt and safe manner? How are we going to deal with those sorts of disasters happening to us?

Dave Bittner:

How much of an impact do you think GDPR is going to have?

Graham Cluley:

Well, it’s already had a huge impact in terms of the hours being spent by companies making sure that they’re going to be GDPR compliant — a huge amount. Some companies — fascinating to me — are even deleting their email database and saying, “You know what, we don’t need a newsletter. We’re not going to do one of those anymore because it’s just too much of a hassle confirming whether these people really wanted to receive it or not.” I think there’s an additional challenge for some companies outside of Europe who maybe have been a bit slow to wake up to the, “Yes, this does concern you as well.” Whether you are in Europe or not, this is going to have an impact on you. What remains to be seen, of course, is we know that there’s the potential here for massive fines, but whether those will actually come through or not, I don’t know. But if we do begin to see those, I think it’s going to really wake up a lot of people on the board, that this is a problem which needs to be dealt with, and unfortunately, if you haven’t started thinking about it yet, frankly, it’s kind of too late, isn’t it?

Dave Bittner:

Yeah.

Graham Cluley:

Start working on it, sure — but you are behind the curve by some way because other companies have been working on this now for some years, getting ready for this.

Dave Bittner:

It’s fascinating to me, when you sort of overlay the differences that different cultures have with their attitude toward privacy. We joke, here in the U.S., that Americans are always willing to trade their privacy for convenience, and Europeans, not so much. So the fact that GDPR is going to cause global companies to adopt, perhaps, a more European stance when it comes to privacy, I think is fascinating. I’ve actually heard some lawyers here in the U.S. who are not happy that political influence is possible, that they get to exert their will over us through enacting something like this.

Graham Cluley:

Yes, well, we’ve sometimes felt it the other way around, of course.

Dave Bittner:

Touché.

Graham Cluley:

The boot, for once, is on the other foot, but I like to think that this is a positive step. If I put myself in the position of the users, then greater privacy, greater care being taken over your data has to be a super thing, and of course, if we see this as being a success — GDPR being a success — chances are that other countries and territories will decide we’re going to put in place something similar, and we’ll follow that model. I think it’s important, of course, not to view GDPR as a finishing line. It’s part of the journey, isn’t it? This is the minimum level that I would love to begin to see in 2018 — more companies actually promoting themselves on the basis of, “We’re the company that actually cares about your privacy and security, and that’s going to be one of our bullet points as to why you should use us.”

Human nature being what it is, I think most people are more influenced by bells and whistles and whether your dingus can talk to you in different voices or whether it comes in space gray or not. But, I would love to see that privacy and security thing become more of an issue because actually, people are fed up with having their identity stolen. People find it a complete nuisance. There is some fatigue setting in, but people are losing confidence with companies, and maybe there’s an opportunity for more businesses here to say, “No, you know what? This is going to be in the DNA of our company. We’re not just going to pay lip service to this. We really mean it, and in everything we do, we are going to consider the privacy and security implications of it.”

Dave Bittner:

Our thanks to Graham Cluley for joining us. His website is grahamcluley.com, and he is cohost of the Smashing Security podcast.

If you enjoy this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.