Graham Cluley: Slaying the Cybersecurity Dragon Since 1991
British security blogger Graham Cluley has built a reputation on being able to translate complex cybersecurity jargon into clear, understandable concepts. Robert Scammell caught up with him at IPO Expo Manchester to get his views on the state of cybersecurity, playing Garry Kasparov at chess and what the industry can learn from Tolkien.
Graham Cluley is a British security blogger and the author of grahamcluley.com, a daily blog on the latest computer security news.
He began working in cybersecurity in 1991, first as a Windows programmer for Doctor Solomon’s Antivirus Toolkit and then as a programmer for Sophos.
Now he’s on a mission to cut through the industry waffle and present cyber threats in simple language so that everyone can know how to stay safe in cyberspace.
During your 28 years’ experience in the industry, what have been the recurring themes, whether it’s a certain type of cyberattack or type of behaviour?
Maybe the most obvious thing is the human element. Fundamentally, computer security is a human problem, not a technological problem. And the problem, or difficulty, is that we can update computers with the latest security patches, but we can't roll out a patch to people's brains.
So people will continue to be tricked to click on a link, or open an attachment, or to believe somebody when they phone them and say they're somebody else. And that's a really hard thing to fix. It's a shame that we have to fix it.
I have elderly people in my family who are very trusting because they come from a different era and they haven't learnt to be as cynical as they have to be in the modern world. And those, sometimes, are the most vulnerable people.
“We can't roll out a patch to people's brains.”
We need to make people perhaps a little more cynical and questioning. But there's a cost to doing that as well, to society. Because isn't it wonderful that people are kind and helpful? It's a difficult problem to fix.
The media and Hollywood will try and present it as 'there's been this enormous breakthrough or some incredible thing or they've now got an uber weapon'. It's not normally the case.
Most of the attacks that happen are simple phishing attacks. Or the problem that people are still reusing the same password and still haven't learnt, or don't trust password managers. So there is a great deal of repetition – it just may be dressed up in slightly different clothes.
What's the worst data breach you've come across and why?
Worst comes in two ways. One example is Equifax. So hundreds of millions of people's details compromised. And what's particularly bad about that is not just the number, but the fact that those people never even realised.
They may never have heard of Equifax. They've never done business with Equifax. This is a company that took other information that companies gave them to check people's credit scores. That's very difficult for people to get their heads round – that they've been compromised in that way and are at risk of identity theft.
“In some cases the people whose lives had been ruined by that data breach may never have done anything wrong.”
Another example would be Ashley Madison. It was obviously a website that was set up with the intention of helping people find partners or have affairs. But the human impact on that is considerable. Because that data breach would have resulted in the breakup of marriages or people not being able to access their children any longer – or in some cases even suicide.
And in some cases the people whose lives had been ruined by that data breach may never have done anything wrong. It may be that you joined that website before you got into your current relationship, and you forgot about it. You just happened to be in the database. So everyone assumes 'oh you must be cheating on your wife'. Actually no, they just joined it ten years earlier.
Furthermore, with Ashley Madison they never confirmed people's email addresses. So you could sign up with someone else's email address, which is why Tony Blair was in the database, I imagine. I imagine he didn't put his real email address in, right?
At least that's what his press team said.
That's what Cherie's been told.
But following the breach, we saw plenty – and we continue to see plenty to this day – of extortion emails. Because that list is available online for anyone to access, scammers will email everyone on that list saying 'we know who you are, we know you're a member of that website.
We've worked out who your Facebook friends are and where you work, and unless you pay us so many Bitcoins by this date, we're going to tell your employers, we're going to tell your wife.' They've even, in some cases, gone beyond email and actually sent physical letters to people.
I've had victims of that contact me and send me the letters and sent me the emails that they've received saying 'should I pay or not'. In some cases they admit they had affairs, or they were thinking of it. In others, they said they are completely innocent. But they're petrified as to what might happen.
My advice is not to pay and ignore it, because I don't see what's in it for the criminal to go through with their plan. When you talk about the worst, that's just so horrendous.
What is your favourite cybersecurity film or TV show?
Here's the thing: I’ve never seen Hackers. I've never seen WarGames. I've never seen Sneakers. Those I believe are the top three. I can't stand the Matrix. I really hated the Matrix. I remember going to see it in the cinema and I just thought there's too much shooting in this. It really disturbed me, that movie.
“I really hated the Matrix.”
People like Mr Robot because there were some things they got right. By the standards of most TV and films, they got more things right, and so it's kind of fun as a geek to watch, it's a bit more valid, it's less painful. But normally I prefer documentaries and also outside of my work life I want to keep it separate. I'm really into chess, that's what I get excited about.
I got to play Garry Kasparov a couple of years ago.
How many moves was it?
I think it was about 20. He mated me beautifully. I was playing him and I thought, 'oh my God, I've won this'. There was a point where I thought I've got a trick. But he was all over it, he'd seen this way out of it and I just walked into it. I did something rash thinking 'I’ve got him'. I'm not a very good chess player but I am obsessed with chess.
I'd be more likely to watch a chess documentary or watch the world chess championships. I'm not really a big movie buff.
2017 was dubbed the year of ransomware, 2018 the year of cryptojacking. Some are saying 2019 will be the year of the supply chain attack – do you agree?
I think that's probably the most likely one. I think what's happening is that many big companies have hardened their security and it's pretty hard to get inside them – they've had time to mature now. And so the bad guys are looking for other ways in. And, the thing is, all organisations are dependent on other organisations supplying them either with code or with software. We saw with Asus, the ShadowHammer attack – Asus updates basically being poisoned. And the bad guys – probably a nation state, probably China – signing those malicious updates with Asus' own digital certificates, so it really looks like it comes from Asus.
“Targeted attacks are something that we never saw 15-20 years ago.”
That's one way. The other kind of supply chain is where we see these scripts, like Magecart, being used to skim people's payment details. And I think this is a real problem, because how are you meant to verify and vet if you've done everything right, if you've checked the certificates and said this really is from them?
Then, you expect them to have their security in order. It's not easy for the typical criminal to pull off, but if they manage it, they have the potential to either target it or hit a very large number of people at once.
When Bilbo tries to kill Smaug at the end of the Hobbit, you don't go in through the scaly bits, you're gonna find the soft underbelly.
You need Bard the Bowman for that.
I actually haven't read the book for 45 years so I've probably got the story all wrong.
Bard the Bowman was the best archer, and pierced Smaug through a missing scale, so you're on the right lines.
That's the point. You find that weakness, and that's the way that you go in. And targeted attacks are something that we never saw 15-20 years ago. This is where things are getting much more serious because they're not just after money.
It's not just money, money, money, it may be information about that particular company because we've got someone we can sell it to or we're working on behalf of a nation.
If you could only give one piece of cybersecurity advice to Encrypt readers, what would that be?
This happens every time I catch a taxi and they ask me what I do. I’ve got like five minutes, and this is what comes up.
“Stop using the same bloody password because that's going to be your downfall.”
And I basically say to them 'do you use the same password in multiple places?’ And they say ‘yes we do, but it would be too difficult to remember all my passwords’. And I say ‘no, not only that, I say, you've got to make them gobbledygook.’
You can't have 'Arsenal' or something like that. And so my one piece of advice, if I can only give you one, is get a password manager and use it. Store your passwords securely, make sure your passwords are unique. Stop using the same bloody password because that's going to be your downfall.
This interview has been edited and condensed for clarity, sadly losing a seven minute discussion on Doctor Who (Cluley is a fan of Patrick Troughton and Tom Baker in the classic era, while it’s Matt Smith and Christopher Eccleston in the modern era).