Technology and cybersecurity change so fast. But when businesses fail to put basic protections and processes in place, who’s to blame? Graham Cluley – writer, blogger, and host of the Smashing Security podcast – shares his 30-year perspective on this question, and what’s going on in cybersecurity today.
He joins 1Password’s Matt Davey on the Random But Memorable podcast to talk about trends that come and go, the buzzwords that drive him crazy, why machine learning is yesterday’s news, and why we shouldn’t put all the blame for successful hacks on new technology like deepfakes.
Read the interview below or listen to the full podcast for (buzzword alert!) Cluley’s “VORIWGM”: voice of reason in a world gone mad.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Matt Davey: You’ve spent many years writing about security. How has the cybersecurity landscape changed since you started?
Graham Cluley: My first professional day in the cybersecurity industry was in January 1992. I was writing antivirus software for a company called Dr. Solomon’s, and in those days we saw about 200 new viruses every month. And people told us that was a lot!
We used to send out updates on floppy disks and most people received their updates every three months. They didn’t need them more regularly than that because viruses didn’t spread very quickly. Most people weren’t on the internet, so things were transferred via sneakernet: people taking a floppy disk from one computer to another.
The situation we have now is that there are millions and millions of attacks every day. It’s such an enormous industry with a conveyor belt of cybercrime going on all the time because everyone’s online. Everyone’s got a computer in their pocket and everyone’s doing everything online rather than the old-fashioned way with telephones and notepads.
“There are millions of attacks every day. It’s such an enormous industry with a conveyor belt of cybercrime going on all the time.”
Way back then, it was all kids in their bedrooms, doing hacking as a form of electronic graffiti. And of course, what happened was that we began to see state-sponsored attacks. It’s pure James Bond, utter science fiction.
If you came to someone in 1992 and said, “One day the Chinese government will be planting malware or stealing passwords from other people or breaking into computers,” you’d think, “Oh, come off it. How likely is that to happen? It’s much more likely they’d be parachuting someone behind enemy lines.” Now, of course, we see countries spying on each other, stealing information, launching attacks, disrupting systems all the time.
Perhaps the biggest change of all is money. Because now cybercrime – business email compromise, ransomware – doesn’t just make money, it makes huge amounts of money. I’m sure we’ve seen criminal gangs move from old-fashioned crime into cybercrime. They’ve realized it’s maybe safer and more profitable.
“We’ve seen criminal gangs move from old-fashioned crime into cybercrime. They’ve realized it’s maybe safer and more profitable.”
Money has changed everything – for the vendors as well as the criminals. There’s lots of money to be made for the vendors. Computer security is a hot industry to be in. It’s something which companies continue to invest in. And cybercrime has escalated because of the sheer amount of money which can be made.
MD: Do you think we’ll see a LADbible-esque interview with a cybercriminal in 10 years? Like we do with gangsters now?
GC: In a way we already do. There are cybercriminals who have been caught. Some of them have gone to prison and then, once they get out, they set up cybersecurity consultancies because they pitch themselves as “poacher turned gamekeeper”.
Some of them have absolutely rested on the laurels of their notoriety to make themselves a substantial amount of money. That really riles me. There are people who have shown a real lack of ethics but have actually been able to have a more successful career in some cases than the people who remained honest.
Sometimes I think maybe we shouldn’t celebrate these guys as being such heroes. Let’s not forget they got caught. They weren’t as smart as they sometimes claim. Maybe the real smart ones are the ones we never hear of.
“We shouldn’t celebrate these guys as being such heroes. Let’s not forget they got caught.”
I was emceeing an event a couple of years ago, and they had this guy on who was a hacker who had been caught. He stood up there for 45 minutes telling all these stories: “This is how I hacked these guys, this is how I hacked these guys.”
I thought, when are you going to get to the bit where you say what you did was wrong? When are you going to say, “Don’t do what I did. I realize now that I caused harm. I cost companies money and if companies lose money, they may have to let people go. There’s an impact on real people.”
“When are you going to say, ‘Don’t do what I did. I realize now that I caused harm. I cost companies money and if companies lose money, they may have to let people go.’”
I thought, you should be putting effort into classes where there are young kids who are beginning to dabble into these areas and saying, “Don’t do this because what happened was really bad and going to jail was a horrible experience and traumatic for my family and my friends. And it’s cast a shadow over the rest of my career.”
MD: Instead of jumping straight to: “Here’s how you protect against hacks like the one I did,” which is where most of them immediately go.
GC: Maybe I’m a bit of a stick in the mud. I’m getting old so maybe I have to recognize that new generations are different.
When I started in antivirus, for instance, we had a very simple rule: when we were hiring people, if they were too enthusiastic about computer viruses, we wouldn’t hire them.
People ask me all the time, “Did you ever write a virus?” Absolutely not. I could have, but I had a sense of ethics and morals. I didn’t think it would be right for my code to run on someone else’s computer without their permission and cause harm. I would love those people who have obviously taken the wrong path to make a more determined decision to not only go by the right path, but actually prevent others from taking the wrong path as well.
MD: Going back to your writing career, I’m sure you’ve seen some strange and creative terminology in some of the stories you’ve covered. What’s your favorite buzzword or jargon that’s come up recently?
GC: You just can’t get away from them, can you? First we had phishing, then we had smishing, then we had vishing. It’s just like, “For goodness’ sake can we not?” Sometimes as an industry we really gravitate towards these words.
I sometimes get requests from journalists saying, can you tell me about – and they put a random sequence of letters – and I have no idea what they’re talking about. I have to go on to Google and think, “Is this what they’re actually asking me about and what does that really mean?”
My favorite acronym was used by a former colleague of mine, Paul Ducklin, called VORIWGM. That stands for “voice of reason in a world gone mad”, which I think is something that is probably “random but memorable”.
“VORIWGM stands for ‘voice of reason in a world gone mad.’”
There’s one I do love, which is TEOTWAWKI, “The End of the World As We Know It”. We hear about that, well, most Thursdays, don’t we, in the cybersecurity world? We’re always being told it’s the end of everything!
Right now, we’re surrounded by all this generative AI talk and chitchat. Every security company out there is now saying, “We’ve got to say we’ve got AI! We have to have machine learning!” Actually, machine learning is yesterday’s news. But these companies think, “We have to have this kind of component in our technology, otherwise it’s not going to be able to compete.” Some of these things are things that products and services have had for years. They just haven’t been dressed up using these particular phrases.
In terms of cybersecurity, AI is going to democratize attacks. I think we’re going to start seeing that with deepfakes as well. There have been reports of CEOs who’ve been defrauded for millions. They thought they were speaking to the group chairman and moved millions into an attacker’s account. They say, “Well, it was because there was a deepfake call. It sounded just like my boss, and that’s why I did it.”
“AI is going to democratize attacks.”
When I see these reports, I think, “Well, how does the CEO know it was a deepfake – it was just on the phone. How do they know it wasn’t just someone doing an impression of the group chairman? How do they know it wasn’t someone like Rory Bremner or John Culshaw simply doing a convincing impression of somebody?”
Sometimes people are going to start blaming deepfakes and chatGPT and AI, just like they’re blaming state-sponsored hackers. And it’s like, “Oh, come on guys. You just need the normal checks, provisions and procedures, along with a bit of technology in place to prevent your company from falling for these things.”
“People are going to start blaming deepfakes and chatGPT and AI, just like they’re blaming state-sponsored hackers.”
I’ve played around with AI. It’s amazing. It does an incredible job at pretending to be other people. We’ve all seen the deepfake Tom Cruise, and you can go on YouTube and see dead artists singing modern songs. Who knows where we’re going to be in two years’ time because this technology has moved so quickly and that’s kind of terrifying. But we also need a little bit of skepticism when everyone starts to blame the technology.
Looking at AI from the cybersecurity point of view, there are lots of new things for people to learn about how to protect themselves on these different services. There are subtleties and differences in the way some of these things work, which may mean they’re not as private as you imagined they were. It’s a confusing time.
MD: Do you have any other security tips or advice for listeners? Maybe ones that you give friends and family?
GC: When I travel to give talks, I take a taxi from the airport to the venue. When the driver asks what I do, I always share the same advice because I’ve only got a short amount of time and I can’t get too nerdy.
The top one is: Use different passwords on different websites. Stop using the same password because you can be sure the taxi driver and most of the people you encounter in regular life are reusing the same passwords in different places.
That inevitably causes them to say, “Well, how am I going to remember all these passwords?” And that’s when you say you get yourself a password manager, which will also generate the passwords randomly for you. It will also provide a level of protection against phishing because it won’t offer to enter your credentials if it doesn’t recognize the domain name as being for that particular password entry.
“Use different passwords on different websites. Stop using the same password.”
Once they’ve swallowed that one, I then say, “Okay, for dessert, I’m going to tell you to turn on multi-factor authentication for as many accounts as you can. So when your password does get phished, when you make a mistake, or if you have made the mistake of reusing passwords, you’ve got an additional layer of security.” Now there are tricks for getting round multi-factor authentication but it requires a lot more effort by the criminal and normally they don’t bother.
The final one is: Keep your computer patched and up to date with the latest security patches and run security software on your computer. Don’t think that magic crystals sitting on your bookshelf are going to somehow defend your computer or “I’ve got a Mac and therefore I don’t have to worry.”
MD: Where can people go to find out more about you or the Smashing Security podcast?