

There is always a new threat to worry about in cybersecurity. Keeping perspective about the likelihood of that threat being an actual issue is critical.


Watch the episode on YouTube.

Reasonably Accurate Transcript

Good morning, builders. Hey there, how's it going? So, first in hopefully a long series, this is going to be Mornings with Mark. I'm obviously Mark. Got a lot of stuff to work out on this show.

This is just a rough cut, and the idea here is a couple of ideas in the morning. Go through some of the cool stuff that I'm researching. I get the opportunity, which is really fantastic, through my normal job to look at a lot of crazy stuff and kind of just think about it, think it through.

And I thought every morning it would be kind of cool to hop online. Do a live, hopefully interactive, as more people kind of tune in, whether it's in the moment or afterwards. So this is going to be streaming live Monday through Friday on Facebook Live, so you can get it at Facebook slash marknca.

Just like that one. Look at that, got it in one, pointing to the right side. And I'll post it up on YouTube afterwards and probably LinkedIn as well, because we get to have a lot more conversations back on LinkedIn.

So the first thing I needed to address, because this was brought up by my fact-check team, was when I did the trailer on Friday. Initially, the vibe was, hey, you know, after a couple of coffees, we'll have a chat.

Number one thing I got called out on is I actually don't drink coffee. I'm a tea guy, so I apologize there. I've got a new intro in the works here where it will actually be a steaming kettle of tea instead of implying that I am drinking coffee.

But the little cup dude is not going away anywhere. So cheers first. Tea of the day, I'm a little behind today. Very important stuff. If you're a coffee person, totally respect that. But I needed to clarify that because we cannot start out this community relationship on a bold lie that I am a coffee guy.

I'm very much a tea guy. So there you go. Opening up with full honesty, day one on this show. But what I wanted to talk about today was actually something that came up a couple of times in a couple of different ways last week, and that's perspective around risk and technology.

Now, that's kind of weird. But bear with me for a second here. It does make sense. At least it makes sense up here. So last week there were a couple of mainstream articles that popped up on the insecurities of Amazon Key.

Now, if you haven't seen Amazon Key, this is a service for Prime members where what it does is it allows you to have a smart lock on your door and a Cloud Cam that's sitting there positioned watching the door, and a delivery comes up, they type in a code, the door opens for them.

They drop the box in your house and close the door and off they go, and you get a video recording of the thing the whole time. Very cool technology. But what ended up happening last week was somebody demonstrated a way to get around it, a way to electronically hack this system.

Essentially, they walked up with a little Raspberry Pi, put it close, watched a legitimate transaction and then were able to replay some of the material in order to open the lock without prior approval.

Now, that's a vulnerability that needs to be addressed, and Amazon is addressing it. But I think this is the first example for me where perspective really comes into play. A lot of people said, oh my God, you know, why would you do that?

You're opening up your door to hacking. Unfortunately, and I'm sorry if this bursts some people's bubbles, when it comes to physical doors, these are not a panacea of security. Lock picking is a long, long time-honored tradition among thieves.

And some security folks, where you can get into a physical lock simply by picking it. Right. So in other words, if you practice at it, sometimes you can get in extremely quick, like under 30 seconds; most people can kind of fumble through it in minutes.

It really depends on the threat scenario. And of course, besides just picking the lock, the door itself is not normally physically reinforced beyond the deadbolt point, right? So it's a physical weakness; you can pound down the door or just throw a rock through the window and get in.

So it's this perspective of, you know, people were freaking out about this technical security, this cybersecurity issue, which is legitimate and needs to be addressed. But they were not looking at the overall system, and the overall system is insanely insecure.

Our homes are designed around the concept of social accord. There's a social accord here that you're not just going to walk into my house, or you're not going to try to break into my house or office, and also on detection.

So this is why alarm systems are very popular, in that it's the threat of, if somebody does try to break in, they're going to get caught very, very quickly. And that's the second part of the Amazon system, that camera watching the door for people coming in.

Right. And that's really it. It's a social convention here where you're not going to do this, and then there's a whole bunch of stuff around catching them, with a bare minimum on prevention. That's the entire system in play.

And that's where people really lose perspective, as we focus on one piece of it. We don't look at the entirety of the system. So yes, we need to address that system and we need to address that vulnerability and that weakness, my apologies.

But with the overall, oh my God, you don't need smart locks, blah, blah, blah, that's not an argument. Now, there are other arguments against smart locks, like what are you really getting here? But that's where Amazon Key has a very useful proposition.

If you're in a place where it's unsafe to leave packages outside the door, here's a reasonable system, and it has a reasonable set of security checks and balances to mitigate the risk of your package being stolen off the front porch.

It's not bad, right? But you need to look at the overall system. So the second place that perspective came up for me was last week I posted that Google Chrome is going to be flagging all HTTP sites as not secure come July, I think it is.

And that's a good thing. That's a very, very good thing. But I got a couple of questions offline, or sort of direct message, about losing visibility into secure traffic in organizational networks.

Sounds like a big mouthful. So I'm going to take a sip of the tea and come back with, yeah, it totally makes sense. People go, if every piece of traffic going outbound from my corporate network is encrypted,

how can I see anything? And the answer is you can't. You need to put in what's called a web gateway in place to essentially break that encryption. So you have a user making an encrypted connection out to something, and you're going to put a place in the middle, and in the middle you're going to decrypt that traffic and then re-encrypt it both ways, right?

So you're a person in the middle; that's your web gateway. That can be a good thing, it can be a bad thing. Again, you need to look at the overall, you need to have a broader perspective.

The challenge here is that you're now breaking a user trust, a user understanding. So you need to be very clear in your communication to the users that, for security reasons only, you are going to be breaking encryption on certain types of sites.

So you're going to exclude sites like finance, so banking, health care, things like that will still be private for your users. You don't want to monitor that traffic, but what you do do is check security risks, not HR risks.

And that's a big difference. Again, it's a security perspective you need to look at. OK, we have a potential security threat, but what's the bigger threat to our users? Is it the potential for them to go to bad websites?

Or is it the potential abuse of people monitoring their internet traffic and coming back to them saying you spent too much time on Facebook? There's a risk there. And again, it comes back to perspective; you need this overall perspective to understand security of the system, not just security of one thing.

Third example, last example, because I want to keep these shows relatively tight. We're hitting the eight-minute mark already. There was an announcement this morning where a number of websites, high-profile government sites, things like the US, the UK's NHS and a few others, were hit with cryptomining malware.

So when visitors went to their website, the visitors' computers started mining cryptocurrency for some hacker somewhere. We've seen that more and more. It's a direct line for hackers to make money. But people were kind of looking and saying, oh man, why were all these sites breached?

Well, it turns out the sites weren't breached. It was a third-party service called Browsealoud that they use for accessibility. So they're providing, because they're government sites, they're mandated to provide an accessible internet presence, which we all should be really trying to do, is provide an accessible presence for everybody.

But the government sites were all farmed out to this plugin called Browsealoud, and Browsealoud was compromised. So first we had Amazon Key with a lack of perspective, in as far as, you know, you've got one potential issue.

But now we are seeing, you know, if you look at the overall whole, it's not that bad of an issue. Then we saw with the second one, and I'm already fading out here, the HTTPS question around man in the middle.

And then, you know, whether or not you can have the visibility for your organization. But again, what's the risk of malware getting in versus the user trust, right? Or people spying on your users or compromising the gateway. You need to balance there, and normally you can offset that by communication.

Well, here we've got this issue with accessibility services being compromised. And now people's systems are being abused for the profit of a hacker. And of course, that doesn't look bad on the hacker, on the third-party service, because the users don't even know it's a third-party service.

They just say, you know, the NHS site was infected and now I'm infected as well, or now my system is being used against my will. But the advantage that those sites get by using that plugin is the effort required to make those sites accessible themselves.

That's a compromise, right? You've got to look at the overall perspective of the security of that plugin versus the efforts to make that site accessible yourself. So now you're looking at supply chain security. So really what I wanted to tackle here was this ongoing theme of, we have a problem in that we look at one thing for security.

We don't look at the entire chain. We tend to secure point by point by point by point through the chain, as opposed to the overall thing. And you need the perspective of the overall workflow, of the overall system.

Because if you're only making decisions for one step in the path, you don't know how that's going to impact the other part way down the road. So security is all about that perspective, and a lot of the time, unfortunately, we forget about it.

So that's what I'm thinking about today. I'm thinking a lot about perspective when it comes to security and risk, and I'm sure I'll be writing up more or talking about it more, maybe in tomorrow's episode.

So again, this was the first episode of Mornings with Mark. I think it's going to be fine. I got some technical stuff to work out, including the other side, including figuring out which way I'm mirrored here. But you can notice my whiteboard, glass whiteboard in the background, is insanely reflective, which is a downside of being a beautiful glass whiteboard.

Even though it's really an IKEA table, we'll talk more on that later. But you can see the reflection from the big giant window I've got here starts to show all my video equipment.

So I need to figure out how to kill that reflection while keeping the light up. So some technical glitches there, but in the meantime, you can follow me up. There we go. Get it right.

marknca, hit me up here on Facebook, talk in the comments on LinkedIn, marknca on Twitter, all that kind of stuff. Thanks for spending a bit of your morning with me.

I look forward to talking to you tomorrow. Have a good one.
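The replay attack Mark describes against the Amazon Key lock, as an added example that is not part of the transcript and not Amazon's actual protocol: a toy lock that accepts a fixed unlock message falls to a recorded-and-replayed message, while a lock that issues a fresh random challenge and expects a keyed response over that challenge rejects the replay. The shared key, the static code, the class names and the "Raspberry Pi capture" are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class ReplayableLock:
    """Illustrative weak design: the same bytes open the door every time."""

    def __init__(self, unlock_code: bytes):
        self.unlock_code = unlock_code

    def unlock(self, message: bytes) -> bool:
        # Anything that records one legitimate transaction can replay it later.
        return hmac.compare_digest(message, self.unlock_code)


class ChallengeResponseLock:
    """Lock that only opens for a keyed answer to a challenge it just issued."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per approach
        self.outstanding.add(nonce)
        return nonce

    def unlock(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown, expired or already-used challenge
        self.outstanding.discard(nonce)  # single use, so no second answer counts
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def answer_challenge(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate courier device computes from the lock's challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo_replay() -> dict:
    """Constructed walk-through: record one legitimate unlock, then replay it."""
    results = {}

    # Weak lock: a static code (assumed value) is all the courier sends.
    weak = ReplayableLock(b"OPEN-1234")
    captured = b"OPEN-1234"  # the attacker's device records the same bytes
    results["weak_legit"] = weak.unlock(b"OPEN-1234")
    results["weak_replay"] = weak.unlock(captured)

    # Challenge-response lock: the courier answers a per-visit nonce.
    key = b"constructed-shared-secret"
    strong = ChallengeResponseLock(key)
    nonce = strong.challenge()
    response = answer_challenge(key, nonce)
    captured = (nonce, response)  # attacker records the whole exchange
    results["strong_legit"] = strong.unlock(nonce, response)
    results["strong_replay"] = strong.unlock(*captured)  # nonce already consumed
    # On the attacker's own approach the lock issues a new nonce; the old
    # response does not match it.
    later_nonce = strong.challenge()
    results["strong_replay_fresh"] = strong.unlock(later_nonce, response)
    return results


if __name__ == "__main__":
    for name, opened in demo_replay().items():
        print(f"{name:20s} door opened: {opened}")
```

The single-use nonce set is what makes the second `unlock` call fail; a real device would also expire outstanding challenges after a few seconds and bind the response to the lock's identity, neither of which the toy shows.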

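The Browsealoud case Mark closes with is a third-party script being swapped out underneath the sites that embed it. The check a site owner can apply to that supply chain is Subresource Integrity (SRI), which the transcript does not mention; the following is an added example, not code from the page or from Browsealoud. It computes the `integrity` token for a script, emits the pinning `<script>` tag, and mimics the browser's check so that a tampered copy of the script is rejected. The script bodies, the plugin URL and the "miner" line are constructed stand-ins.

```python
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the algorithms browsers accept


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token, e.g. "sha384-<base64 digest>", for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a site would use to pin a third-party script."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Approximate the browser check: pass if any recognised token matches."""
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue  # browsers ignore tokens with unknown algorithms
        actual = base64.b64encode(
            hashlib.new(algorithm, content).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


def demo_tampered_plugin() -> dict:
    """Constructed scenario: a pinned accessibility script gets a miner appended."""
    # Constructed stand-in for a vendor script; not Browsealoud's real code.
    original = b"(function(){window.speakPage=function(t){console.log(t)};})();\n"
    # Constructed stand-in for an injected loader appended by an attacker.
    tampered = original + b"new Worker('/constructed-miner.js');\n"
    tag = script_tag("https://plugin.example/speak.js", original)
    integrity = tag.split('integrity="')[1].split('"')[0]
    return {
        "tag": tag,
        "original_ok": verify_sri(original, integrity),
        "tampered_ok": verify_sri(tampered, integrity),
    }


if __name__ == "__main__":
    result = demo_tampered_plugin()
    print(result["tag"])
    print("original passes:", result["original_ok"])
    print("tampered passes:", result["tampered_ok"])
```

Two caveats a practitioner would want: the vendor has to serve the file with CORS headers for `crossorigin="anonymous"` to work, and the pin breaks on every legitimate vendor update until the tag is regenerated, which is exactly the effort-versus-security trade-off Mark describes. SRI also covers only the pinned file, not anything that file fetches at runtime.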