Cyber Security DE:CODED – Cloud security

Transcription

(Generated automatically)

Simon Edwards 0:01
Welcome to DE:CODED providing in depth insight into cybersecurity. Is using the cloud possible to do securely? Is anyone actually testing cloud security? Or are we relying just on empty marketing claims? And how do you trade and handle cryptocurrency safely and avoid the hackers and scams? We answer all of these questions and more, with special guests, Eugene Kaspersky from Kaspersky, Luis Corrons from Avast and Chad Skipper from VMware. Show notes, including any links mentioned in the show are available at decodedcyber.com.

The cloud is an integral part of our lives today, whether we just use a basic smartphone to send text messages, or store all of our files using a service like Dropbox, iCloud, or Google Drive, or email bank accounts, social media virtual lives, pretty much everything we see on a screen is on the internet, and therefore, in the cloud. When we talk about the cloud, we usually think of files being stored somewhere. Bank accounts have always been outside of our direct control. That’s their point, it’s somewhere safer than our homes that we can use to store our money. But access to our accounts has changed. When once you had to enter a building and sign pieces of paper. Now you can manage your money from any location on the planet potentially so Could somebody else but files, your email and other messages, your photos and important documents, they’re most likely to be stored online these days. It’s really hard to avoid it. If you use a smartphone, and PCs and Macs, well they push users to use things like OneDrive and iCloud. If you have a Gmail account, you also have large amounts of free Google Drive storage. Smartphones often upload your photos automatically. So you can access them using other devices and you won’t lose them along with your phone should the unthinkable happen. The cloud is only going to become more important helping or intruding into our lives. Depending on your perspective. Smart devices will become evermore present, learning from us and trying to streamline our lives. Eugene Kaspersky, founder of security company, Kaspersky can see a time where the cloud is even going to get you up in the morning and into the office, possibly with a coffee in your hand. But can we trust the cloud to be secure enough to run our lives.

Eugene Kaspersky 2:34
So in the future, we’ll have those and some of the smart devices, it will have a smart coffee machine fridge vacuum cleaner, which are connected to the internet. And technically speaking, they will be about repeal that then on the traditional operating systems, they will be vulnerable. And there is a risk that one day your smart house is badly hacked. So well. Of course, we can develop Antivirus for fridge for vacuum cleaner. But who is going to install and manage all that that’s a problem

Simon Edwards 3:12
You need a firewall on your Dyson.

Eugene Kaspersky 3:15
So this is a problem. So I don’t see there, the future world which is hyper connected, which dozens of smart devices around us, and it will happen so they will navigate our life, they will help us. So the coffee machine and fridge, they will report the cloud when you’re waking up in the clouds. Knowing you typical behavior will send you the autonomous car without you request because the cloud knows that typically, half an hour after waking up, you go to the office. And actually they are smart to navigate or in the clouds will balance the traffic in the city. So it will be much less traffic jam, and cetera and cetera, et cetera. So the world will be high, not just hyper connected, right? Like now, but even more will be in completely in a cyber world. In it’s true about individual life. It’s true about the office life. And that will be true about industrial systems and infrastructure. And everything is vulnerable if it’s built on a traditional operating system. So every piece of the future world will need cybersecurity. And this is impossible. It’s impossible to manage. It’s impossible to update upgrade. And it’s too complicated. So the only way I believe that the only strategy, the true strategy is to design the systems on the immune architecture to make them secure by design.

Simon Edwards 4:50
Yeah, you know, I mean, it sounds quite science fiction, but it isn’t. And it makes me think even just 1015 years ago, if you were to hack in Network. Networked printers are basically Linux servers. And bad guys can hack into printers and they can hide their tools there. So it’s just one step from there to doing the same with a fridge or a vacuum cleaner.

Eugene Kaspersky 5:13
Alright, well actually, it’s not science fiction. The first vulnerable fridge, as far as I remember, was found in 2007. I remember I had in my presentation that that time in my presentation ahead, the slides was a fridge, which is vulnerable, which coffee machine connected to the internet and vulnerable, but there was kind of exception that it was just a very new devices. And, well, well, but now it’s getting much more much more cyber. And I believe that in the future, you will not be able to find and buy a coffee machine, which is not connected to the internet. It will be standard.

Simon Edwards 5:55
When we talk about Internet of Things and funny devices like fridges or or toasters, too many people who don’t understand how computers work, it sounds far fetched. It sounds funny and kind of silly. But generally, all of these devices are Linux based computers, aren’t they?

Eugene Kaspersky 6:15
Yes, that’s right. So the embedded systems, they are mostly Linux based,

Simon Edwards 6:20
right? And we’ve been knowing how to hack Linux systems for decades. So there really isn’t any big difference for a hacker to hack a fridge than a web server.

Eugene Kaspersky 6:33
I guess it’s almost no difference on maybe even is much less complicated to crack, simply because they’re Microsoft Windows and Mac operating systems. They were hacked many times. So these vendors they have their experience with a hacker spotlight. But what about the fridge vendors?

Simon Edwards 6:53
The fridge vendors are probably using default passwords in many cases,

Eugene Kaspersky 6:57
exactly. Like they’ve already happened with CCTV cameras. You of course, you’re aware about the Mirai botnet,

Simon Edwards 7:06
would you like to explain a bit about that that would be that could be useful for people to hear.

Eugene Kaspersky 7:12
So there, I think that the world’s biggest cyber attack with unknown number of infected devices, and which still alive for three or four years after it was found is CCTV based. Malware rubbish, in fact, that the video cameras, the security cameras, so the malware was developed in a very smart way, and use different ways come to, in fact, have to find in effect, other devices. It’s used the default passwords, which some of lenders use and known vulnerabilities in the court of different cameras. Unfortunately, it was very, very successful malware. And once again, it’s not computers, it’s not Microsoft Windows or Mac. It’s not a smartphones, that’s the Internet of Things. That’s a CCTV cameras. And well actually, that was a huge, that was huge problem with DDoS attack, which was run by this botnet botnet infected by Mirai.

Simon Edwards 8:29
So a DDoS, a distributed denial of service. So all of these systems that are on the internet under the control of bad guys are doing their normal job on a daily basis. But when they’re needed, they send lots of rubbish information across the Internet to take down other websites or other systems.

Eugene Kaspersky 8:47
Yeah, exactly.

Simon Edwards 8:48
It feels a bit bleak, doesn’t it? We have all of these internet services out there hoping to integrate with our lives. But they’re vulnerable to attack and quite possibly may just crash due to bugs and other issues. Securing the cloud is important. Whether you’re a home user, or run a large organization. Can it be done when you don’t have complete control over the services that you want to use? What about testing? If you want to know how secure Microsoft Office 365 is, or Apple iCloud? Are there any serious reviews that you can read? At SE Labs we test cloud services, as well as software and hardware products that you can actually see in touch. But Cloud security has significant challenges, one of which is quite surprising.

Brian Monkman from security testing standards organization. NetSecOPEN joins us. Brian, what challenges to test his face with cloud security firewalls and other similar products?

Brian Monkman 9:46
A lot of them. Almost all of the major cloud providers out there have use usage agreements that in any way that tend to embargo this kind of testing,

Simon Edwards 9:59
so they just don’t want It’ll be tested.

Brian Monkman 10:01
Well, they, they, it’s it’s it, that, but they also want to have a significant amount of control over what they’re what the network is required to handle, you know, because they they’re subjected to many service level agreements. And they want, they don’t want to open themselves up to financial risk by allowing testing. So that’s a significant issue,

Simon Edwards 10:26
right. So if we’re testing a firewall box on our own network, we’re not going to bring down anything that Cisco or Palo Alto is running correctly dealing directly with us cloud service provider, we are touching their servers directly and using up their bandwidth.

Brian Monkman 10:41
Right, right. So controls have to be put in place to ensure that that thing cannot happen. Another another thing to take into consideration, performance metrics, such such as, you know, connections per second, or throughput can very easily been be dealt with in a cloud environment just by throwing more instances of, of the firewall at the issue. So you know, something like latency, which isn’t as much of an issue in, in a traditional networking environment becomes a significant issue in the cloud environment. But other things like throughput and connections per second become less of an issue.

Simon Edwards 11:27
I can also imagine that some testers will have better internet connectivity and others. And so it might not be fair for a small lab in rural England to him to do a cloud based test to one versus one that’s connected in, I don’t know, Silicon Valley, like next door to one of the major data centers

Brian Monkman 11:46
true that, but at the same time, that’s a relatively simple issue to, to overcome in this day of colocation, you know, and, and so it’s a little bit more technically complex. But you know, you somebody is in using our example, in rural England doesn’t necessarily need to be on premises, to be able to execute testing from a lab

Simon Edwards 12:13
know, they could set up a co located server in rural China and probably get some of the best broadband available.

Brian Monkman 12:20
Well put.

Simon Edwards 12:23
Trusting the cloud to be secure isn’t something that sits well with many of us, there isn’t much in the way of third party oversight, and mistakes can happen. It’s not as if the platforms like Google and Apple have flawless systems. There have been cases in recent years, where Google has accidentally shared private files, and even closed accounts because they’ve incorrectly identified illegal content. Apple has collected audio recordings from users without permission. And these are the recent cases that we know about. You can go back quite some time to a story that stuck in my head over the years. In 2012, journalist Matt Honan watched as his Google account was deleted. his Twitter account was taken over and used to send offensive and illegal messages. And his Apple devices his laptop, phone and iPad, were they slowly started to raise themselves in front of his eyes. It’s a horrendous cautionary tale that will turn you on to two factor authentication and backups, if nothing else has until now, we’ve linked to Matt’s article on wired in the show notes. And it’s very much worth reading, if only to see what a catastrophic personal hack looks like through a survivor’s eyes. And this hack was partially the fault of Apple. They hadn’t managed their customer service system properly, and hackers were able to use social engineering to do part of the attack. Matt lost photos of his child from her first days, unique documents also disappeared forever. But as far as we know, no money was lost. Many people invest in cryptocurrency and lose money because of the random nature of how cryptocurrency is valued. But others can lose it when they’re hacked.

Given the issues with cloud security, and even just endpoint security, the security that we put onto our laptops, is it possible to safeguard cryptocurrency assets? Luis Corrons, from security firm of Avast, joins us.

When we think about banking, we often think about physical banking, walking into a branch, maybe with a checkbook or a banking book. And over the last 1015 20 years, things have really changed dramatically. And banking is essentially a cloud service. And so now our money’s in the cloud as well as our emails. Obviously, there are various threats that we face today that we didn’t used to. And cryptocurrency is a particularly interesting one, because not only is it in the cloud, it’s on internet service that you don’t control but it’s not even necessarily recognized by some people as real money. It’s not regulated in the same way that banks are regulated. And so there’s not the same protection. How would someone go about investing and trading and and using cryptocurrency safely in today’s world?

Luis Corrons 15:19
Yeah, yeah. Especially when everything is digital. We used to say that there is nothing 100% safe, right? So how do you handle if you have like your life savings in cryptocurrency? How do you keep that safe? And that’s on the cloud? Yeah, how can you secure that? Is there even a way to do that? And as you were saying, like traditional banking, there is no kind of thing to keep you safe. Like, if someone goes to your bank account nowadays, and they take your money out of your account. You can go to the police you can go to the bank and you will probably get your money back with cryptocurrency this doesn’t happen, right? I mean, if you lose your bitcoins, Ethereum, wherever you use it, you lose them for good, you won’t get them back. So what can we work? What are the different options we have here? So there are many ways to work with cryptocurrency I’m, I guess that for the normal regular users, the first thing you have to think about is okay, where do I keep my wallet? What’s

Simon Edwards 16:35
what’s a cryptocurrency wallet? Is it a physical thing? Is it a file?

Luis Corrons 16:40
Well, it’s where you keep your your private key. So one thing we many people may be confused is when you’re talking about a wallet, it’s like, okay, well, what is a wallet is where I put my money, right? So that means that if I buy Bitcoins, and I put them in this wallet, then it can take my wallet with me and I the crypto currencies with me in a bit kind of this case, but that’s not the case, right? I mean, the Bitcoins are kept in the cloud.

Simon Edwards 17:13
So this, the wallet is a way for you to claim your Bitcoin or whatever, at some point in the future.

Luis Corrons 17:19
Yeah, I mean, to do wherever you want to do with them to out to unit this private key, right? So where do you save it, you need to have it like somewhere safe, and you only have to use it when you are going to do some kind of transaction, right? So there are different options to do that there already been services in the cloud that allow you to manage lists, which is something you can do, but you are not in control of your Okay, so that’s something that I would never do, right? There. Okay, you can have a digital wallet. That can be a software wallet that you can have in your computer or in your phone.

Simon Edwards 17:59
Just on your Windows PC, you can have this text file or whatever it is, yeah,

Luis Corrons 18:03
I know. Or you can have it in your phone or wherever you want, right? Or even up in an advantageous or there is another option, which is a hardware wallet, right? Which is like a separate device. Imagine that USB stick, right? Where you put your your key there. And that will be like the most secure option, probably nowadays. What’s the problem with digital wallet? Well, it’s in your computer, your phone and wherever your device you have, which means that it’s most of the time online. If you get hacked, your computer or your phone gets compromised, there is a chance that someone can get to your digital wallet and take information out of it. Right? With a hardware wallet. One of the first protections you have is that didn’t, you know have it online. You only use it when you plug it into your device. In that moment, that’s when it is all in line. And it will be susceptible, let’s say to hacking. But even then it has like several other layers of protection. Even if I don’t know, let’s say that you have it with you and you lose it right? And someone gets to it. Okay, then they could try to get access to your private key. But most of these hardware wallets, they have some protections like for example, you need to set a PIN code and you can enter that code and you cannot actually do a brute force attack in against it because if you type it wrong a number of times, then it will delete the information so the private your private key will be deleted.

Simon Edwards 19:47
So you can you can have backup hardware keys, can you you could maybe hide one somewhere else. So if someone steals your main one, and they they delete it by getting your pin wrong a number of times you haven’t just lost So you’re 14? Yeah, no,

Luis Corrons 20:01
you’re not. But you don’t need to have more than one. I mean, like, because when you’re setting up your wallets, there is one option that you get there is setting your seed phrase, with this seed phrase chikoo eventually will cover your private key,

Simon Edwards 20:20
where’s the where’s the private keys stored then.

Luis Corrons 20:23
So not the private key storing the hardware wallet. But then you can have a seed phrase, which is, so keep really safe. It’s a set of words between 12 and 24 words, right? So you can put this like in your house in somewhere really safe or even at the bank. If you’re like having like a lot of money, and you want to keep it safe, you can have having it in a deposit box or something in your bank. If something terrible happens, if there is like some kind of, I don’t know, you lose, your key doesn’t work anymore. Wherever you simply save phrase you get, you get access back to your to your private key, and you can you get access to all your assets.

Simon Edwards 21:08
So where do you use the seed phrase? Is it Is this all part of the Bitcoin Blockchain? Or how does it work?

Luis Corrons 21:15
Yeah, this is an option that you are given. When you create your wallet for the first time, right, like you are creating a new wallet, you’re given this lease option with with hardware wallets, some of them even though they have software included that helped you to go through this process, which is kind of easy. I mean, it’s like it’s just worse, usually meaningless. But even if your language is not English, some there are some software solutions that give you worse in another language. It’s an easier way to manage your private key, let’s say.

Simon Edwards 21:52
And I guess very worst case scenario, if people are don’t see the risk, and they don’t want to spend the money, they could put their secret key just on a USB flash drive and hide it somewhere. Very secret.

Luis Corrons 22:05
Yeah, yeah. In any case, what I mean, if you’re good, if you have like really good amount of money, in particular ratio, what I would do, I will have like this hardware wallet, store, and that with a synth phrase, also hidden somewhere else. And then you can have a digital wallet, you know, you have you can, you can have there. So pocket tanks. If you want to play with Kryptos, or buy stuff or whatever you want to do with that. You don’t need to have all your money in the same wallet, right? So you can have a digital wallet that sometimes may be more convenient than having one to keep your prototypes and the real, your real savings can be in safe using this hardware wallet.

Simon Edwards 22:52
The seed phrase idea that could be quite exciting. You could do something a bit Dan Brown a bit thriller-y and sort of find your favorite book and underline each of the words in turn in that book to remember what your seed phrases.

Luis Corrons 23:06
Yeah, but you’re not picking your seed phrase.

Simon Edwards 23:10
Oh, sure. We just have to go through the book and find the words in sequence.

Luis Corrons 23:14
No, yeah. Oh, yeah. I know what you mean. No, I thought. Yeah. I mean, like, the seed phrase is given to you, right? Yes, yes. Yeah. Okay, so yeah, you could do some like Da Vinci Code kind of thing.

Simon Edwards 23:28
To protect your 50 pounds worth of cryptocurrency,

Luis Corrons 23:32
yeah. Then you better remind how, how to solve the puzzle, right?

Simon Edwards 23:41
Would it be at all reasonable to get, I don’t know, a very cheap laptop, a Chromebook, something like that. And use that just for doing your cryptocurrency transactions?

Luis Corrons 23:54
It’s possible, it’s doable. It’s a bit more expensive than a hardware wallet. And I would still be using a hardware wallet anyway. So I don’t know. I mean, unless I don’t know, you have a truly massive amount of money. Right in cryptocurrencies and you have like reasons, your normal to protect your privacy. You want to get it to the extreme right. Or maybe you are tax evading or something? I don’t know. But you really want to get your privacy there. That yeah, it’s it’s a bit of an overkill for the normal user. But yeah, definitely. I mean, like getting a cheap laptop, even with a SIM card. So you only use that device for that purpose. Yeah, that’s perfectly fine.

Simon Edwards 24:45
But you think that’s, that’s a bit too over the top for your average cryptocurrency user?

Luis Corrons 24:50
Yeah, yeah, I never do it, for example, and I most users won’t even bother because it’s not that you’re adding so much Protecting on top. And it’s you’re adding more layers of complexity for the normal user.

Simon Edwards 25:06
Is there. If you’re using a hardware wallet, is there still a threat from malware? So if you plug this thing into your Windows laptop, and there’s already, hackers already got access to it, can they somehow get into your hardware Wallet?

Luis Corrons 25:21
So far, they are pretty safe, but it’s just a matter of time. The good thing is that there is not like any standard right on hardware wallets. So it’s not like writing a malware. I mean, it’s, it’s, you need to write a malware, finding a user who is using crypto currency in a specific type of hardware wallet, and then try to figure out a way to combine the security features that these hardware wallets have that they, it’s a number of them. So it’s not just steal, mm. Nothing is unhackable. Right?

Simon Edwards 26:01
Sure. I’m just thinking about hacking team when they were hacked some years ago. And I looked through the WikiLeaks data. And you could see that the guy that had been hacked on his laptop or desktop PC, we don’t know which he’d been using TrueCrypt, I think it was, it was some kind of hard disk encryption anyway. And because he was logged in, when the hacker had control of his system, he could just wait for this guy to unlock his TrueCrypt volumes, and then find all of those text files with his passwords. Yeah,

Luis Corrons 26:32
well, I mean, at the end of the day, if your computer is compromised, and someone has access to the computer, he could eventually do wherever you are doing in your computer. So as soon as you put your hardware wallet in your computer, and you start doing things, he could be doing the same. Right? Yes. So he could eventually get that information out there.

Simon Edwards 26:53
But I think that’s a really important point is that the hardware wallet itself? It’s once it’s plugged into a computer, some of its protection has kind of gone, hasn’t it?

Luis Corrons 27:03
Yeah, well, as long as anything is Alliance. Yeah, even if you have the protection, yeah. It’s open for extra years to try to break that

Simon Edwards 27:17
protection. Yeah. And I think that’s one of the reasons I quite like the idea of a Chromebook is because malware doesn’t really work on Chromebooks or iPads, I guess, as well. So that’s one way that you could mitigate the threat is to use a mobile style product. Because as you know, anti malware works quite differently on mobile, doesn’t it?

Luis Corrons 27:38
Yeah, not just that. I mean, even if you go through that, through that road, like, Yeah, I mean, even if you have like, as we were saying earlier, not just the device, like an iPad or something, but even the connection you’re using, if it can be like completely different to the world, because you can say, okay, and you see me wherever a Chromebook or iPad, and then I’m connecting through a network, well, if that network is compromised. So that doesn’t mean that okay, my network is compromised, so someone is gonna be able to speed whatever, no. Yes, at the end of the day, I mean, if your router is compromised, everything you do on the network can be compromised.

Simon Edwards 28:28
And now just before we finish it, security life hack time. At the end of each episode, we give a special security tip that works for real people in the real world, for work and in personal lives. Chad Skipper has worked in many major security companies over the years from Symantec, Cisco, Cylance and now VMware. And here he is with his security life hack.

Chad Skipper 28:53
Hey, this is Chad Skipper with your security life hack. You know, you’ve heard us antivirus and everybody should use antivirus. But it’s not just any antivirus. Some are great. Some are not. Even when you go Google for anti-virus, you need to actually look for the reviews from respected testers. And any triple A rated by SE Labs is a good bet, and a good starter point. Just remember that the price doesn’t always indicate quality.

Simon Edwards 29:23
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues, it would really help us out. And we also have a free email newsletter. Sign up on our website, where you’ll also find this episode’s show notes, and bonus episodes featuring full length interviews with our guests. Just visit decodedcyber.com.

And that’s it. Thank you for listening, and we hope to see you again soon.

Feedback

Please send your comments, questions and concerns to [email protected].