Interview with Eddie Willems (G Data Software AG): Smart Security and the “Internet of Troubles”

This time, Luis Corrons, Technical Director of the PandaLabs Antivirus Laboratory, spoke with Eddie Willems, a security evangelist for G Data Software AG. It was about security in the era of the Internet of Things.

Luis Corrons (LK) : In more than two decades of your work in the field of computer security, you have achieved such results as co-founder of EICAR, working with law enforcement agencies and major security agencies, writing an article about viruses in Encarta Encyclopedia, publishing a book and much another. What dreams you still have unfulfilled?
')
Eddie Willems (EV) : From the very beginning, my main goal was to help the (digital) world become safer and better. This job is not over. To try to reach a wide audience, from beginners to more experienced Internet users, I wrote the book Cybergevaar (translated from Dutch as Cybersecurity), originally released in my own language. After that, it was translated into German. But in order to get the maximum effect, I really want it to come out in the most widely spoken languages ​​of the world: English, Spanish, and even Chinese. And this is exactly the dream that has not yet come true. It would be great if we could make our world a little safer, and at the same time make our life a little harder for cyber criminals with the help of this book.

Another ambition that fits into my dream of creating a safer world is to get rid of bad tests and improve the quality of security solutions tests. Correct tests are very important for users, but they are also important for manufacturers of security products. Correct tests will eventually lead to the emergence of improved and better-quality security products, and in the end to a safer world. It is for this reason that I also participate in the AMTSO (Anti Malware Testing Standards Organization) . And there is still much to be done in this area.

L.K. : Since the beginning of 2010, you have been working as a Security Evangelist at G Data Software AG. How would you define your position and what are you responsible for?

E.V. : In my position as a security evangelist at G DATA, I form a link between technical complexity and the average user. I am responsible for clear communication with the security community, the media, law enforcement, distributors, resellers and end users. This means, among other things, that I am responsible for organizing training on security and malware, speaking at conferences, advising associations and companies. Another huge part of my job is giving interviews to the media. The audience I communicate with as part of my work is very diverse: its age ranges from 12 to 92 years, from the most novice computer users to people who create laws for IT security.

L.K. : The data that has been collected in recent years has led us to conclude that 18% of companies are faced with malicious infections from social networks . What measures need to be taken to avoid this? Are social networks one of the main entry points of malware in a company?


Eddie Willems

E.V. : Social networks are only one vector of many mechanisms of infections that we observe today. Of course, we cannot deny that social networks are still responsible for some recent infections: at the end of November, the Locky Ransomware option was widely distributed through Facebook Messenger. Still, Facebook, Google, LinkedIn and others have some good protection mechanisms that already allow you to stop a huge amount of malware. Web surfing and spam phishing or malicious emails are still the main entry points of malware in the company. Delay in updating programs and operating systems and applying patches, as well as abuse of administrative rights on ordinary users' computers within the company, is the key to most security problems.

L.K. : What do you think is the biggest security issue facing businesses on the Internet? Viruses, data theft, spam ...?

E.V. : The biggest security risk for companies is phishing emails targeted at certain company employees. A professional, well-written, phishing email in the user's native language, prompting the user to open a letter and attachment or click on a specific link, in many cases with APT was seen as the main point of penetration into the entire company. Nowadays, even a security expert can be misled, and he can open such a letter.

Another major problem is data leakage. Most of them are unintentional mistakes of employees. Lack of knowledge and understanding of technology, as well as the corresponding risks, underlie this.

Both of these risks boil down to one thing: a weak link is always an unknowing and insufficiently trained employee. The human factor, as I like to call it.

L.K. : Criminals are always eager to attack the largest number of victims, possibly creating new malware for Android terminals or through older versions that may be more vulnerable. Cyber ​​criminals infect old devices as well as new ones? What is more profitable?

E.V. : For Android malware among operating systems, it became number 2 after MS Windows. Our latest report, G DATA, in 2016 showed a significant increase in malware for Android. G DATA saw every 9 seconds a new malware sample for Android. This clearly shows the interest in this platform. Current analyzes of G DATA experts show that hackers are now actively infecting smartphones and tablets with Android. Security holes in the Android operating system therefore pose an even more serious threat. Long periods of time for Android updates to reach users ’devices, in particular, may exacerbate the problem. One of the biggest problems is that a huge number of old Android devices will no longer receive any updates, with the result that the security of such devices will drop to the same level (lack) of security as on machines with Windows XP. In the future, cyber criminals will look at old and new Android devices differently. Malicious programs for older versions of Android will be more for the masses, and malware for new versions of Android should be created more skillfully, but they will be more profitable if they are used to target attacks against companies or government bodies.

L.K. : In the era of the technological revolution that we are experiencing, there are often new services, the authors of which may not think that they can be used for malicious purposes, and therefore remain without proper protection. Has the Internet of Things a major challenge for cyber security? Does the use of this technology contradict user privacy?

E.V. : I already wrote about the Internet of Things (IoT) a couple of years ago on G DATA’s blog , where I predicted that this platform could be one of the main challenges for cyber security. In my opinion, IoT remains rather the “Internet of trouble . ” Security is extremely necessary, but in most cases we, unfortunately, have seen the opposite so far.

IoT seriously affects our privacy, unfortunately. The amount of data that is collected by IoT devices is striking, and this data can be analyzed and somehow used in the future (or misused). You, no doubt, at some point agreed to the terms of service, but in fact you ever read to the end of the whole document or EULA? For example, an insurance company may collect information about your driving habits from you using an Internet-connected car to calculate the insurance premium. Exactly the same can be with a health insurance company that will do this with the help of fitness trackers. Sometimes the manufacturer in the EULA claims that it is not responsible for data leakage. And then the question arises, does it not contradict the new GDPR (General Data Protection Regulation).

I am convinced that the Internet of Things will bring a lot of good. I can hardly live without him. It makes our life easier. But IoT is much more than we think. It is also built into our cities and infrastructure. Now we have the opportunity to bring the fundamental safety functions to the infrastructure for new technologies while they are still at the development stage. And we must seize this opportunity. This is the "smart" in my understanding. In addition to smart networks and smart plants, smart cities, smart machines, and smart all-else-else, we also need smart security. I only hope that there are enough security engineers in the world who will help and create smart security.

L.K. : New trends such as fingerprints and other biometric techniques that are used for security purposes are being actively introduced (especially in the corporate environment). What do you think about using these methods? What do you think a perfect password should look like?

E.V. : A simple, perfect password is a password that I can forget. In an ideal world, I do not need to identify myself with any other tools except for parts of my body. It is incredible how long it takes to implement it properly. The theory has existed for ages, and now we have the technology, but it is not yet so perfect that it makes the process of its implementation on all devices quite expensive. But besides this, there are still issues of confidentiality, which, perhaps, again postpone its implementation.

We also need to think about the shortcomings of biometric techniques. If someone can copy my fingerprints or iris, then I will not be able to reset or change them. It turns out that we will always have to use a combination of authentication factors.

L.K. : Your Cybergevaar book presents itself as a kind of IT security guide for the general public, offering various tips and advice. What were the biggest difficulties in creating a book aimed at each type of Internet users? What advice is most important to you?

E.V. A: One of the biggest difficulties in writing a book was not to go into most technical details, but leave the book at such a level that every reader, including experts and non-technical people, would want to read it. I tried to keep a good level by including a lot of examples, personal jokes, expert opinions and fictional stories. Regular updates of all our programs and operating systems, as well as the use of common sense regarding everything you do when using your computer and the Internet, is the best advice you can give to every person! In most cases, the real problem is, as I said above, the human factor.

L.K. : There is talk of a “new reality” when the ubiquitous Internet is present in every aspect of our life. From your point of view, is this phenomenon really necessary?

E.V. : IoT is just the beginning. I think that we are close to this “new reality”, even if we don’t like it. Our society will enter it automatically: think about Industry 4.0 and smart cities. In the future, you will be allowed to buy a car only with these specific smart functions in it, or you will not be allowed to drive in such cities. A smart griddle that automatically tracks calories and records your tasty recipes in real time when you cook will only work with your new smart hob connected to the Internet. The omnipresent Internet may not be needed, but you will still be pushed into it! The only way to avoid this will probably be a holiday on an island specially created for this.

L.K. : What was the worst security breach in the cyber security world for you? What are your predictions for the near future?

E.V. : The Elk Cloner virus and the Brain virus appeared back in the eighties ... everything else is just their evolution. Perhaps we would not have had this interview if nothing had happened 30 years ago or ... maybe this is just a matter of time? Stuxnet was created to undermine Iran’s nuclear program. Regin has demonstrated even greater power of a multipurpose data collection tool. Both were created by government agencies, showing that malware is much more than just a shovel with which attackers can collect money. And, of course, Snowden's revelations, which showed us all the problems of mass espionage now and in the future, and how this all affects our personal life, the confidentiality of which is gradually dying away.

Malicious programs will always be as long as computers exist, no matter what form they will be (clocks, refrigerators or tablets), and I think they will remain for a long time. Cyber ​​crime and “ordinary” crime will become increasingly intertwined (for example, modern bank robberies).

Malicious threats will have much more influence on our behavior (for example, shopping, voting, etc.) and ideas that will lead to loss of money or intelligence. Smart devices will be massively misused (again) during DDoS attacks or attacks using encryption tools (for example, SmartTv). And these are just thoughts about the nearest perspective.

The only way forward for the security industry, operating system and application vendors, and IoT developers is to work even closer together in order to be able to fight all new types of attacks, as well as malware and security incidents. We already do it to some extent, but we have to invest much more in it.