Graham Cluley began his career in the field of computer security almost thirty years ago. First, as a programmer, he co-created some of the first programs to protect against computer viruses, and in 2013, he played a number of different lead roles at the computer security companies Sophos and McAfee.
Six years ago he decided to go it alone and has since worked as a speaker, independent computer security analyst and blogger. He describes his mission as raising awareness of computer and hacker security. He regularly publishes columns and articles in a variety of international technology media, such as Mashable, TechCrunch, IT Week and Computer Weekly, as well as media outlets such as BBC, Sky, Fox, CNN and The Telegraph.
The list of events and conferences around the world at which he has spoken is very long, and this year's Insurance Days in Slovenia, which brought him to the Slovenian coast in the early days of June, is also on this list. It has been organized by the Slovenian Insurance Association for 26 years.
In recent years, you have worked primarily as a speaker and author. Are you still hunting for non-computer regulators?
Much less than when I worked in computer security companies. Otherwise, something happens that can be interesting and useful to the authorities, because it's so much more enjoyable than communicating directly with police and law enforcement agencies. When that happens, I will immediately send that information and knowledge to you.
Which, according to your experience, is the best way to quickly earn large sums of money?
One of the most effective and, indeed, very unprepossessing ways to do such acts is a scam with commercial emails. Most of the time, you can steal your email from a target company to one of your employees to get an idea of who the company is doing. Then create a fake company with a fake bank account and start issuing invoices for actual work done or for delivered goods. If accounting does not discover the tricks, the money will be settled in the bank account in a non-monetary way.
What kind of damage is caused by such attacks?
Even advanced technology companies, such as Google and Facebook, have suffered about $100 million ($90 million) in damages from these attacks. The magic of such attacks is that the attacker does not need much computing or software skills. It is true that someone has to steal a password, but this is unfortunately very simple today. In the rest of the work, however, such tricks are not fundamentally different from the various Nigerian letters promising greasy commissions on the alleged transfer of inheritance or other large sums of money. It just has to be convincing.
How do the attackers do this?
You would not believe how many companies, including big and famous, are the victims of such attacks. Sometimes they do not even call the phone and under the pretext that they are heads of a department and that their computer does not work or that they are an important business that they should not mention in writing, they ask for a job over the phone. People are very susceptible to such fraud. It sounds kind of sloppy, but the fact is people can often be a bottleneck. People upgrade our computers, but we do not upgrade our brains.
How can anyone get to that?
A small simple mistake is enough, which can happen to anyone, especially in the case of overemployment. We receive hundreds of emails daily, but if, precisely when we read, someone comes to us and disturbs us with our question, we can accidentally press the wrong key, open an unwanted connection. You can work in a company where you simply cannot object or say no to the boss so you will not dare to see if anything seems to come from your superior.
Would you like to say that the non-governor is betting on the element of surprise?
Even that, but it's much more – a social nonsense. The people in the background want to help each other and we are embarrassed when someone needs help. I once worked in a company where we all had to carry identification cards all the time and everyone who did not have to ask for identity and report it. In practice, however, everyone kept the door open for all passers-by, even if he did not carry his card and did not know him. Unbelievers can make great use of human kindness.
How far is the ingenuity of non-government in the design of the attacks?
In the sky. In the UK we once had a major attack on schools and colleges, which did not even begin with an electronic message but a phone call. The aggressors called several educational institutions and, under the pretext of calling the Ministry of Education, announced the sending of e-mails with forms that schools and colleges had to comply with. Links to forms were malicious, but many secretaries did not question the authenticity of the call, followed by the intended e-mail.
So can goodness and trust be harmful?
Excuse me. That's part of the problem. Part of the defense is that we are more cynical and more skeptical, but this is very sad because it also discourages us from goodness and trust in those areas of life where that is even more important and where they should not be cruel to each other. I think part of the problem is also in generational differences – the most vulnerable are often elderly people who have not grown up in such a cruel world and do not expect those who persuade them to want to deceive them.
What is an example of this type of attack?
Even my taste called the rogue and presented himself as Microsoft's tech support who detected the virus on his computer. His computer was disconnected and stored in the basement, and the attackers waited for half an hour on the connection, while the dentist searched for the basement keys. It's good that he did not kiss the basement when he found the keys. He called the callers to call him the next day. Of course, they are not and still are not well. Under the pretense of the help program, he wanted to end the malicious connection through which he would gain remote control over his computer. This type of attack is normal.
Why is it difficult for people to recognize these attacks?
For those who are often in contact with computer security, this is something of everyday life and unfortunately quite common. People in other jobs are involved in their work and are not very in touch with it. They are dedicated to their main tasks and do not think about what they are capable of doing with the computer without law enforcement.
What's next for email scams is still profitable for non-peripheral computers?
Certain extortion programs (ransomware), whose frequency is increasing. There are also programs that hijack the power of the processor from the attacked computer and use it to mine cryptocurrency for the attacker. If you feel that your computer is suddenly slow, you should suspect that this is happening. The frequency of such attacks generally depends on the price of the cryptocurrency on the market. There are several data locations and, even more preferably, credit card numbers.
How many of these and other malicious attacks were commissioned by governments in different countries?
Politically motivated hackers have become a hot topic in the last decade. A quarter of a century ago, it sounded like science fiction, but today it's a reality. Four centuries ago, hackers were being prostituted by teenagers and nowadays they are spying on the Internet with countries that have money for such ventures and will not hesitate before them. The good news is that most individuals and businesses are not interesting to foreign intelligence agencies.
Which countries spy on the Internet?
They are not just predictable relationships, for example, when Russia spies for the US. Other friendly countries also spy on and EU members spit on each other. It seems that most of this comes from Russia, Ukraine and China, but it would be naïve to think that there is a developed country that does not engage in espionage on the internet. This is done by Americans, the Greeks have their own Trojan horse, and that's not a joke, even if you do it. Why not? It would be disappointing if our informants did not do it because this espionage is safer, cheaper and more difficult to track. You can also deny it, which is harder if they find your spy alive.
The common denominator of all computer attacks is that at some point the victim is established. Why do the general public believe that we know enough about these dangers? How to bridge this gap?
Difficult. I think we should continue to talk about fraud cases. People understand better when we describe something that happened to someone who knows and is close. Attackers often plan attacks, while educational institutions and other companies that lack the resources and computer security teams are an easy target. Sometimes they are so poorly protected that intruders put a malicious program on a legitimate site or send a message from a compromised legal email address. Will you really call the school for every file that appears on your site for each email?
However, the vast majority of phishing attacks or messages that hide such malicious connections are such that they are far from showing signs of fraud. How can these attacks be successful?
You may be wrong, maybe have a bad day, every one of them occasionally, maybe a baby crying in the background. It is not important for the attacker to recognize it at 99% if it succeeds in 1% of the messages sent. They usually distribute hundreds of thousands of messages, but they cost nothing, a single percentage of success is thousands of victims. If a person clicks in the wrong place, the avalanche is triggered and the attacker has reached his goal.
How to protect yourself?
The final tool is 2-step verification. Most of the time, you get another password on your mobile phone or email address. All serious providers allow this, but users still underutilize this extremely powerful security mechanism. Different passwords should be used for different accesses – one of the most common ways of hacking is to steal a username and password combination in one service and then try to use the same combination for other accesses. Many of them succeed. Of course, to manage a large number of complex passwords, you need reliable and good password management software.
How effective is the protection provided by antivirus programs?
It is very good for most users. The problem is that about half a million new threats come up every day.
Half a million every day?
Every day, even at Christmas. Yes, it is crazy. But the good news is that we will never see many of them and that many of them are for small variations of known malicious programs created by computers under the control of hackers. When I first started working in the computer security industry in 1992, there were 200 new viruses every month. Antivirus signature updates were available for three months, and more demanding users received monthly.
Can users always be one step ahead of the non-process?
In the 1990s the media asked me how to deal with tens of thousands of viruses when the updates are too large for the floppy disk, and today there are about half a million a day. The Internet accelerated the spread of malware, but also accelerated the spread of anti-virus patches and signatures. It's important that users continue to update and update their applications, but unfortunately many do so only when a worm or other malicious software is on the move, even though we've warned you before. Apparently, people like Kim Kardashian, Melania Trump, or whatever on the news, prefer to use computer security tips.
Some say that automatic correction is also a security risk.
It's potentially true, especially since Microsoft has in the past sent some bad updates to their systems and because non-administrators have used automatic updates for some programs, but for most users in the home or small business environment, automatic updating brings more benefits than weaknesses. I advise large companies to try their upgrades on a small number of computers first, so if all is well, even with everything else, and for the little ones who cannot afford it, automatic updating is probably still the most appropriate choice.
What is the most common mistake in providing computer security for computer system administrators, but for individuals?
Usually, these are the same errors: simple passwords that can be easily guessed and failure to correct patches and security updates. In large corporate systems, it often happens that administrators do not even know what all and what devices are on their networks, or if, for example, the marketing department is set up by a web server over which you do not know anything. Today, every computer has its own or even in the pocket, and everyone thinks it is worked on it. I do not blame business for security incidents that happen to them, and their quality is seen in how they react quickly and effectively so they do not happen again.
What company can you expect to say that nothing can happen to them?
Not! They can still have good protection against external attacks, but can be attacked by outsiders, and perhaps some who have been dismissed are retaliated. These are not people, they steal passwords, these are the people who gave you the passwords. If you have a rotten apple in your system, fighting it is much harder.
If you could only give end users a tip, what would you say?
Use different passwords for different sites and enable 2-step verification whenever possible.
Finally, the question is: do you consider that the American accusations against Huawei in connection with espionage are justified?
I do not know, although some are sure to know. I did not see any evidence to confirm these claims. In any case, it is possible that such accusations are in the role of political turmoil with which some countries want to strengthen the role and power of their technology companies, not Chinese. Until we see clear and unquestionable evidence to support these charges, I believe that the jury should not think long ago about what is right.