Deb Radcliff
At
TieCon 2005, I attended an interesting panel discussion on
the subject of security. This is where I met Deb Radcliff,
who made enlightening contributions to the discussion as a
member of that panel. Deb is a writer/columnist focused on
technical crimes and security, as evidenced by her
website and
blog. She has online courses on security at
The Security Awareness Company and is currently working
on a book about her experiences investigating online crime.
Today’s interview with Deb is full of interesting
information that's relevant to anyone who connects to the
Internet, and therefore to all the readers of Propel Your
Venture.
Anthony: Deb, what brought
about your involvement in computer security?
Deb: I was actually working in
Santa Rosa for the Press Democrat. It was a temporary
job and I knew I was going to end the position soon. An
email came out; someone needed help working on a story about
computers. I ended up spending a year of my life chasing
Kevin Mitnick around the country when he was on the run from
the FBI for what would turn out to be a best-selling book
that I'm not at liberty to name. When that project ended, I
knew I didn’t want to go back to newspapers anymore. So I
decided that I would start telling businesses and trade
magazines what was going to happen when the convergence of
Microsoft operating systems and the Internet got into their
offices.
This was back in early 1996. At that time, people were
just starting to move off of Unix and onto NT for their
business computers. Unix had already been beaten up from a
security perspective and had been hardened, whereas the
Microsoft operating system was nowhere near ready for
enterprise use. That’s what hackers were telling me at the
time. Yet Microsoft had this amazing marketing machine, as
we all know. And people started replacing their Unix systems
with NT. I’ve been busy with security and computer con
stories ever since.
Most of my stories are geared towards enterprise
security, but my heart has always been around protecting the
average Joe because that’s my background. I am not a
technologist. I came from a general assignment newspaper
reporting background and I’m still learning the technology
as I go. It was hard at the beginning but it’s easier now,
with ten years behind me. My view is that corporations and
people who are setting up those online businesses, along
with the Internet Service Providers themselves, are
responsible for the safety of the consumers they are trying
to draw into this online world. And that’s where I focus my
articles: towards the enterprise security managers.
Anthony: What is your
assessment of the current state of security on the Internet?
Deb: I think that we are still
in a stage where crime, hacks, and different technological
attacks are ramping up. And the security that we have
available right now, particularly to small offices and home
users, is way too complex for them to grasp. They don’t
understand anything about what they’re exposing themselves
to when they go on the Internet. I think we’ve got another
10 years of the ramping up stage with crime and attacks.
Anthony: How is this
affecting consumer adoption of online services?
Deb: Consumer adoption is
continuing to expand because users are not aware of the
threats. It’s like sheep to the slaughter. They think the
cool new things they can get on their cell phones, and the
extra bells and whistles and gadgets in entertainment and
music are all really great features to have. And they’re
figuring that if it’s offered, they shouldn’t be thinking
about security. If the features are there, they should just
be taking advantage of them. And technology will continue to
be adopted because it makes one’s life a lot easier. Numbers
for online banking are on their way up. There are some
statistics showing that it’s leveling off in some places,
and consumers who have been hit with a security event do
stop all their online activities involving their credit
information.
Anthony: How do you see some
of these security problems being mitigated?
Deb: I see different types of
authentication, such as the two-factor authentication, that
go beyond the traditional password. I saw the password
cracking programs coming out back in 1997. It’s really easy
to crack passwords. But more importantly, it’s easy to get
someone to give up their password to a phish site. So if you
have a token where the password changes, phishers can’t use
it. But the problem is that people don’t want to carry
around a keychain full of tokens for every company they do
business with. So some of the steps that are making more
sense to me are image authentication, where you log in to
your banking website and you’re looking for an image around
your login screen that’s unique only to you – a forest, a
beach scene, or a sunset scene, for example. If you don’t
see that, you know you’re looking at a fake login screen
provided by a phisher. Another good technique consists of
using those letter identifiers where you are given a unique
password when you go to log in. You type that password to
prove that it’s not an automated program trying to log in. A
number of free email sites use this approach as well as some
sites handling financial transactions.
There’s also some work being done in call-back
authentication. I tested a technology which will give you an
instant call - on a pre-designated telephone number based on
the location the card is used from - that asks you to type
in your password. So I think that if it’s something the user
doesn’t have to carry around, the chances of adoption are
much greater. Ultimately, we’re going to have to have some
kind of infrastructure where I am Deb Radcliff everywhere I
go and I can prove it. And through the same infrastructure,
I will have proof of authentication that my bank, or any
other site I give my credit card to, is legitimately who
they claim to be. Technologically, I don’t know if this is
possible to accomplish.
Anthony: Are security
vulnerabilities in the US different from those in other
countries?
Deb: They are and they aren’t.
Phishing, spyware, and all of the issues that the consumer
is dealing with right now – by the way, enterprises are
dealing with these issues too – are the same everywhere:
identity theft, the Nigerian mail scam, etc… People are
falling for them regardless of what country they’re in.
They’re falling for fraud, and they’re getting spyware
loaded on their machine when going to blogs and websites
that are not secure. But there is one thing that some
countries in Europe and Africa are doing a little better
than the United States. They’re stepping farther into the
multi-factor authentication realm. And the US is still
grappling with where to get started. Overseas, particularly
in Europe and South Africa, I’m also seeing more education,
as well as television and radio promotions, to announce a
stronger way to identify that our Bank is legitimate, that
you are the legitimate customer, and that we need to get you
in the multi-factor authentication program. I'm not seeing
that level of education for users here in America.
Here, I’m seeing Internet Service Providers taking a
bigger role in educating the public. AOL and Earthlink, for
example, are putting on television commercials about spam,
spyware, anti-virus, and all these different issues that the
consumer is so confused about. And they’re making them funny
and interesting. In that way, they’re acting more like the
gatekeeper that they’re supposed to act like. But we still
need to see a lot more strength in that area among all ISPs.
Anthony: Can you give us a
quick overview of the types of threats we are exposed to
when surfing the net, and what we can do to protect
ourselves against such threats?
Deb: Sure. I’m working on a
book about this right now. The first threat I came across
was the threat to children. Our children are being exposed
to things and being lured to chat rooms at a rate that, if
most parents knew what their kids were doing online, they
would take the computers out of the house. So first, we need
to worry about the kind of content that’s being delivered up
onto the browser to the children. There are many software
companies that are trying to tackle this problem.
Net Nanny
was one of the first. But again, I believe it should be done
at the Internet gateway, at the ISP level. Or at the very
least, at the gateway to the household network. There’s only
one product I know that’s doing the latter, and it’s called
Trust Eli.
It’s an all-in-one security box with anti-virus, anti-spyware,
content filtering, and anti-spam built-in, including
wireless networking security. So it’s a home router on
steroids from a security standpoint. That would be the first
thing. Take care of the kids and find a way to make sure
they cannot reach content or be in chat rooms that would be
damaging to them.
The other area is Spyware, which is huge, scary and
unstoppable. There are vendors out there who are able to
stop it, just like anti-virus, on a signature level. But
this is really frustrating because you have to know what the
spyware is doing in order to get your computer to block it.
They’re years behind the anti-virus in terms of automatic
updates. And people aren’t going to go every Saturday
morning and update their spyware protection. They just don’t
do it. That’s a big problem and it’s gotten worse. Even with
the detection technology we have today, there’s an old way
of hiding the code that’s gotten so stealthy it can hide any
kind of malware you want so that anti-virus and anti-spyware
cannot catch it. It’s called the rootkit, which gives
the attacker kernel-level access to the computer, and
therefore complete control of the computer with the power
to, say, turn off the anti-virus or block the firewall from
detecting outbound messages from the keystroke logging
software. So you cloak Spyware with the rootkit and no
security software can find it.
Whenever there’s one kind of malicious technology, you’ll
see it start wrapping with other malicious technologies to
create these big packages of threats that come in through
one single mass email attack. In the case of rootkits,
they’re mostly getting on computers when the browser touches
a website that’s hostile. And it could be anything. It could
be somebody’s blog. There’s no way to prove that that blog
is secure before you go visit it. And we’re all blogging
right now.
There’s an anti-rootkit vendor I just wrote about called
BlackLight by F-Secure that has the right idea. They’re
going to put the anti-rootkit technology into their security
suite for home users by the end of this year. I recommend
them because they’re the only ones who are putting all these
security elements together with other desktop security
technologies. The more you can put everything in one place
for home users, the easier it’s going to be for them.
Another area we need to concentrate on is keeping our
computer vulnerabilities closed up. And that’s another thing
home computer users won’t do. Worms and viruses take
advantage of the same vulnerabilities over and over again.
So if you just close the vulnerability that the virus is
taking advantage of, you’ve got more comprehensive
protection on your home network. This is an area that might
fall to the ISPs at the gateway. There’s a product called
PreEmpt by
PIVX that does a good job of getting the vulnerabilities
closed for you when your computer is turned on.
Anthony: How can I tell when
my computer is being compromised, or used to relay spam,
phishing, or other illegal activities?
Deb: It depends on whether the
bad guys are using a good spyware program or not, or a good
rootkit with a spyware program. But generally, one of the
first things I look for is a slowdown in my computer
performance, beyond the usual slowdown due to the security
software. If it’s taking a really long time for your browser
to load, for example, that’s an indication of a potential
problem. Also, most of the malicious software is poorly
written, so you’ll see a reboot process going on with your
computer, or error messages that you haven’t seen before.
And in the case of a virus that’s spreading itself, you
might see a real slowdown when you’re trying to do something
with your email. Those are all symptoms. But most of the
time, people don’t know they’ve got anything on their
computer.
Anthony: What additional
actions do you feel businesses must take to provide a safer
online experience for their customers?
Deb: First, I think ISPs need
to be a more secure gateway for their users. The technology
is out there for them to scan a user computer before it logs
on to the Internet. Too much trouble, too much time, too
much investment. But I think that any ISP worth its salt
should be checking connections as they’re going out, and do
a reverse scan to see if spyware and anti-virus systems are
up to date, and to see if there’s a worm or virus on the
machine. And if they detect it, they need to immediately
close that connection and alert the user that they’ve got a
problem on their computer, and here is how you resolve the
problem.
Businesses working with electronic storefronts and
transactions involving personal information must have some
type of standardized security policy that can be implemented
on the fly, and updated and interrogated as needed.
Considerable work is being done in that space, especially in
companies with a huge IT security staff where all of these
security policies and processes are being implemented. But
what about small businesses that are trying to sell their
small inventories on their website? How are they going to
set up their website for a secure handling of financial
transactions? Outside service providers are an option, but
some of them are exposed to hacking too. So this is an area
that could be a real sweet spot for investors, if
technologically feasible.
User education is very important. We are seeing a lot of
that right now. Banking and phished brands are using their
websites to educate users about phishing, what it is, and
what it means to have their brand names stolen and used with
their customers. That’s very good. I think businesses have
to upgrade to authenticated email systems if they want to
keep email as a channel to their end users. Right now, if,
say, a bank has a valid alert that it needs to send via email
to its users, there is no way for those users to tell a
valid alert from a fake one. So they've pretty much lost
their email channel as a legitimate communications channel
to their customers. They need to restore that with better
authentication.
Ultimately, I think we need to come up with one easy
security solution where the users don’t even know security
is going on. We’re probably 20 years from doing that.
Anthony: What sort of
business opportunities do you foresee for emerging companies
in the area of internet security?
Deb: The first and foremost is
for software and hardware vendors to put their heads
together and create an easier security experience for the
end user. Any business that can help consumers have a safer
online experience will do well. We’re going to see a real
shakeout of ISPs with providers that will guide consumers
through cyberspace so they can’t get into too much trouble.
So there’s a market opportunity that will continue to play
itself out.
Cell phone security is another big one. We haven’t seen
the tip of the iceberg on this one yet. But there are some
good vendor plays trying to put security on the cell phone.
I think a big mistake is to try to put encryption on the
cell phone because it's not practical. We’ll need more
authentication on cell phones, and more ways to protect
against eavesdropping and hijacking of the user’s personal
information from the device. People are already banking from
their cell phones. So the same types of security issues we
have for our PCs are now moving to smaller devices, which
cannot handle as much security as we’re loading onto our
PCs. I think there are business opportunities in that space,
too. Again, much of the security can be covered at the
gateway monitoring where the phone is going to, and where it
is coming from.
RFID (radio frequency identification) is the next big
area, and it scares me. I wrote a blog about this three
months ago. RFID doesn’t have encryption. Anyone with a
little reader in their pocket can pick up anything on an
RFID tag. No big deal, we’re just talking merchandise,
right? No, there are cases now where people are putting RFID
chips underneath their skin, with their personal information
on those chips. This is done primarily to store medical
history background. But there is also a little experiment
going on somewhere in the Netherlands where people want to
be able to walk into their favorite bar and have the
bartender automatically alerted to make their favorite
drink. We seem to be falling into the same pattern of
letting the horse out of the barn, and then saying: “Oh
dear, we need to secure it.” But the horse is already long
gone. Any time you can see a problem before it becomes a
problem, start building security solutions around that
problem, and have that solution ready for market when the
problem hits, you’re going to be a lot better off. From a
business standpoint, I understand why this isn't happening.
There’s certainly a risk associated with creating a product
before the market need is established. But there is always a
year lag between the time when the problem arises and when
there is a viable, helpful security solution for that
problem. So you need to see ahead, detect trends, pay
attention to what people are using their devices for, and
start wrapping your head around that to figure out a way to
make a security solution. Better yet, partner with the
makers of those devices and those technologies from the
get-go. And you’ve got a market already.
Anthony: What advice would
you give start-up entrepreneurs who are setting up their
companies and systems?
Deb: This is a good question.
Anybody starting a business is setting up computer networks
that can be vulnerable to corporate espionage and other
types of spying and malware from the onset. Or if they’re
setting up transactional systems, they could be putting
their customers at risk. So look to consultants who
specialize in setting up networks for start-up companies.
Ask them questions about security. Ask for references and
call them to ensure the firm's reputation. If you’re hiring
a consultancy firm to get you started, you need to make sure
they can start you securely. Ask them about the management
of the security, and how you’re going to do that after the
team leaves, or do they do that for you?
Counterpane is an example of a provider that offers this
type of managed security service. And there are many others
like it.
Some of the big Telcos can also help you build a secure
network. They can actually keep your security on all the way
through the cloud if you’re using their services. So there
are ways to do this. Some of them are more expensive than
others. But you cannot just willy-nilly set up any kind of
computer network that you’re doing business over without
taking a solid look at what your risks are, what you want to
manage from a security perspective, and how you’re going to
manage it. If you don’t have the technological expertise to
do that, you should go to organizations that do.
Bio
Deb Radcliff, Writer/columnist, Technical crimes and
security
While investigating the life of computer hacker Kevin
Mitnick for a best-selling book, Radcliff's phones were "phreaked"
by Mitnick's friends, her lines were tapped by the Feds, and
her e-mail read by all of them. Those experiences in 1994
and 1995 taught her a valuable lesson in digital risk that
remains with her to this day as she writes about high tech
crime and security for businesses and consumers.
Radcliff's 1996 article for Byte Magazine titled
"Barbarians at the Firewall" was used to train the FBI's new
computer crime agents. She's since covered computer security
and online crime for Upside, InformationWeek,
Computerworld, Infoworld, Network World, IndustryWeek,
SecurityFocus and most recently for consumer magazines
including Better Homes and Gardens. Her work has been
picked up regularly by CNN, The Register, Department of
Defense publications and thousands of other online sites. An
annual speaker at West Point Military Academy, she's also
spoken on business radio news hours in Los Angeles and
Vancouver, presented at the University of North Texas' cyber
crime prevention outreach, and spoken at the H.O.P.E. (Hackers
on Planet Earth) conference in New York.
She's won four prestigious awards for her work, including
two Jesse H. Neal Awards by the American Business Press: one
for best individual feature for her cover story, "Hackers,
Terrorists and Spies" (Software Magazine, 1998) and a
second for group reporting, best news story,
Computerworld, "Wireless LANs: Trouble in the Air,"
2003. The Software Magazine story also won best
regional and national feature by the American Society of
Business Press Editors.
Before working on the Mitnick book, Radcliff wrote for
the San Jose Mercury News, the Santa Rosa Press
Democrat (a New York Times paper), and other
newspapers and business journals. She holds a bachelor's
degree in journalism from San Jose State University where
she graduated with honors. She is currently writing a book
about her experiences investigating online crime.