Todd Simpson, AVG’s Chief Strategy Officer, was at the Web Summit last month, and he met up with us to discuss BYOD, hackers and how secure OSes really are.
I’m here with Todd from AVG and we’re just talking about what you had talked about earlier, one of the effects in cyber security, how things have changed, and people saying it’s not all about money, it’s now the control of being able to do the impossible, hack into Apple or iOS 9.0 or something else. What are your views on that?
I saw that we have a combination, right? We still have people who do it for the thrill or the challenge of hacking and hopefully most of those people end up as white-hat hackers. They break in and they tell the world before — or they tell the people that impact it before they tell the world. Some great examples of that, again, I’ve mentioned the Jeep hack on the panel. Obviously, Jeep was told, Chrysler was told, and the network provider was told, before they told the world.
So, again, people who are hacking in to prove they can do it, hopefully end up on the white-hat side. On the black-hat side, I think we see more and more people doing it for financial gain and actually creating businesses out of hacking.
I know that last year when BadUSB came out, it was shown at Defcon in Vegas. It was shown and they were doing that — a month later, some guys did it and then put the code up on GitHub. It’s my view, I thought irresponsible.
I agree to a certain extent but I think if you’ve got an exploit out there for an entire month and people don’t react and close that exploit, then there’s some responsibility to be shared around. So, I think Defcon, again, we talked about it a little bit on the panel, I really think the industry has to engage with hacker’s market. Listen to what they’re doing or react to what they’ve done and you’ll have a much faster cycle.
Well, I know Elon Musk, they said today, he went to Defcon, and said, “Thank you for finding errors in our software and bugs in our software,” and what he also said was, “Yeah, I agree there’s bugs here, but you’re helping me fix this, thanks very much,” whereas most guys are stuck in the past. They are smug with bugs until it’s too late.
That’s right, yeah. So, I think the modern companies like that are going to do much better. I think you have to engage with the hackers, you have to do those bug bounty programs, you have to engage the white-hats, because everybody’s got thousands of bugs.
I think the best guy you’ve got with your security is an ex-hacker. You get him involved if you want to protect your bank. You will hire an ex-thief, somebody you would know, and they know everything that’s going on. And, also, if that’s going down, he would actually know who’s the one who attacked.
Right, I think a lot of ex-hackers do work on security or at least work as white-hat.
And, also, they can tell — technically, they can know who these hackers are because of the signature.
Like in the movie, Swordfish, you had the Finnish guy coming in, they actually knew it was him because of his own signature. If you knew who it is, you can protect against him.
So, hackers choose certain tools that they get very comfortable with and they reuse those tools, like everybody else, they don’t have to learn something new if their current tools.
And, sometimes they are using tools that are so old, so legacy that people don’t prepare for that.
Yeah, I agree.
I was talking to a girl last week who has a company who do medical software. And a lot of the companies that are her clients, well, still use DOS. And, I said, “That’s basically, right away, a security risk.”
It’s a security risk but so is Linux, so is TinyOS. All of them have the risk, so there’s some balance between using a known system and understanding most of the risks and then protecting against it, and adopting new technology.
Yeah, but the problem is, when you go DOS, DOS is so old.
Yeah, I agree, DOS is too old. But there’s always this trade-off, because you don’t necessarily want to be on leading edge of the OS, because all the vulnerabilities — there’s many vulnerabilities are known so you have to find that right balance.
Yeah, which OS you find that is the most superior, the best?
Well, I think one of the OSes that’s used in most, a lot of security applications is QNX which obviously is Blackberry. QNX used them on card settings but it was more designed for that environment and it’s well over 20 years old. So, it’s been time tested and it’s designed for that.
It still works?
Oh, it still works.
I know Blackberry’s now starting to go with Android.
Yeah, for the entertainment buyer, I think you’d go Android. I think, for the security buyer, use QNX. I think QNX is one of the most valuable assets that Blackberry has.
As long as it works and it’s proven to work, why change?
When it comes to desktop and enterprise level, which OS is more secure: Linux, Windows, or Apple?
So, I wouldn’t choose one of them over the other because I think people have attacked all of them. Apple makes people feel like their OSes are more secure. There’s that library that was found a couple weeks ago coming out of China, pulling people’s private data out from iOS. So, the truth is, there are security issues on all of them. Obviously, of those, Linux and, of course, Android, have probably seen the most widespread use. But, they’re all vulnerable.
For me, I find if you get an OS and you think it is extremely secure. Obviously, it’s secure but then you have the human factor. You can get a secure device and the best device in the world. For example with Apple, they allow you to install enterprise apps. If you put one on your machine, you must know who developed it. You got it into the system. And, that’s the thing, you got to control everything and trust the software, the hardware, the developer and everything else in between. If you got no trust.
And, the hardest one is the user. Because, the password reset is one of the largest attack factors still.
I know that last year when Sony got hacked, I was told that on the mainframe of Sony, there was a folder called passwords. Everyone’s passwords on that damn thing. Why the hell couldn’t they have it set up so that a certain guy only accessed certain things. If you’re in HR, you only get HR data, you don’t get anything else. But, it seems to me, everyone’s got access to all the data in the company.
I think this is one of the biggest threats we have is everybody’s aggregating data because they think big data and algorithms can make more and more value, so they have aggregated data. And, when they put that data together, they don’t properly secure it. A much better system is to keep those data separated with different encryption schemes. Pull it together for processing, but don’t store them in there.
I hate, as well, when you get someone who says, “Our data is secure, it’s stored off-site,” and I don’t know where it is. If I’ve got a host, they should still, technically, tell you where it is, because it’s private. Surely, you should know where everything’s stored.
Yeah, so that’s for physical safety, I guess, right? Where they would say that physical safety is not.
But, you’re also worried about it, if you stored it in a country, like for example, Thailand where there’s a high chance of getting, sort of feeling someway, a regime change. Suddenly, that regime decided, “We’re going to give everything, every data throughout to certain governments,” and surely, what you went and stored is private.
Right, I agree. And, obviously, encryption can help that, right? A lot of countries don’t want their data taken outside the country. But if it’s actually properly encrypted doing back-up storage inside your own country, you’ll be fine.
Yeah, and also, when it comes to that encryption, how far you think we should encrypt? How much do we do about? Because, another guy is saying, “If we encrypt too much, we give the terrorists and paedophiles an opportunity of abusing the system,”
I think that’s true but I think bad guys are smart, right? You’re going to catch the dumb bad guys in many other ways. Smart bad guys are going to be using encryption. So, why should the rest of populous not have the same protections? So, my personal opinion is, you encrypt more as opposed to less. As I was saying on the panel, there’s a cost for governments, or people with legitimate access to actually break encryption because it’s breakable, but they should be able to forego that cost for a small segment of the population that is in interest but not for everybody.
I know, last year, when iOS started being encrypted. People are saying, “It’s going to be used for nefarious means.” My view is, why? Because you can’t get data, and the thing is, data is now the new oil. And, everyone wants to use it and get control of it and if you can’t control the data, then you want to control it. Something you haven’t got. I’m worried that somebody says, “We have to control the encryption because we’re worried in case it’s used for bad guys,” as you said, bad guys will find a way to get around that.
Yeah, I mean the encrypted tools are out there. I mean, that our — what governments do, they can’t stop people loading software onto devices to encrypt.
If you go on the Dark Web, there’s so much stuff down there that you can utilize and it’s crazy what’s available there. That tells me, whatever you’re doing now, if you give me encryption, the bad guys have got worse encryption, more stronger than what I’m using. I’m using fairly basic stuff, these guys got stuff that no matter what it is.
Yeah, it is possible. Or at least, lock things down at the hardware level, which is also possible.
I’ve kind of been looking at that right now. Data’s become so small that you’ve got smaller than a memory card or anything else and it’s easy to transport it around the world. Scary as that is, you don’t know where data is going to go to next.
Right, yeah. I’m more worried about it once it’s online, but you’re right, the physical access is also an issue.
When you go into a company now, and they haven’t got a BYOD policy, I’m going, “Well, why not?” When something’s come into the device that you haven’t checked, the next thing you know that device could be taking the data that’s only meant to be kept on site for your own use, but suddenly, it’s not. And, how do you make sure that happens — do you tell your employees you’re only allowed to use certain machines and OSes and certain mobile devices or tablets? Because you want to make sure, if anything bad happens.
I think the BYOD movement is too strong now. People feel that these are personal devices and they want to bring their own in. So, I think it’s now up to companies and software providers like us to build the right layers of protection in, so that a known bad device can access the data you want it to and nothing else.
Well, I was thinking when a BYOD start picking up my mobile, or stuff going to work, whatever. I make sure that that phone is only work-wise for email, it’s not in use at all because I don’t think it should be and in this very issue, they decide to use their personal device as a business license at the same time which, mind you, is wrong.
I think you’re right. I think it can be a software configuration versus a different physical device. So, I think having two modes on your same device — so, if you’re comfortable with your device and you go into work mode, and the enterprise, then, has a lot more control and encrypts that data. It can delete that data. And, your personal mode.
Yeah, that’s true. But, that’s if you’re willing to do that. I know some guys who aren’t willing to totally comply with.
Right and early settings are going to impact the enterprise moment. But, at some point, if someone wants to work for a company, they have to submit to a certain amount of control.
Yeah, like if you go into work, and you’re said to come into work every day wearing flip flops, and shorts, and t-shirts, you can’t keep doing that. You go to a meeting with that, I’m not going to recommend it, and when you come to a company, you got to go by certain rules. And, then when you come to use the BYOD devices, you got to abide by the rules, most guys don’t know that. They’re too afraid to change.
Right, I agree wholeheartedly. There’s some level that you want to impose, like you said, it’s like clothing.