Ekaterina Khrustaleva, ImmuniWeb: There's No Silver Bullet for IoT Security
Published on April 20, 2019
Over the years, a number of security researchers have managed to stand out from the crowd for the work they are doing and for the push they managed to create in the industry and Scott Helme is one of the names that stand out.
On top of being a well-known security researcher that really likes to dive into web issues, he's also an international speaker. In fact, he'll be going on a workshop tour with none other than Troy Hunt, the man behind Have I Been Pwned, which we interviewed a while back. We wanted to know how Helme sees the security world, how he sees the threats that surround us, how encryption is keeping us safe, and what should we all do to be safer online. Here's our interview with Scott Helme!
TechNadu: First, let's discuss Hack Yourself First, which is a workshop you'll be doing alongside Troy Hunt. What will it be about and why should people come to see you guys?
Scott Helme: The HYF Workshop is a 2-day workshop where we learn all about security from an attacker’s perspective with the goal of learning how to secure applications. We cover many of the top 10 threats that online applications face, explain them in detail, carry out an attack ourselves on our demo application and look at remediation steps.
TechNadu: You spend a lot of time researching web security. What have you been working on lately and what can you tell us about the state of things in 2019?
Scott Helme: We’ve seen great progress in the adoption of HTTPS throughout 2018 and into 2019 which is the baseline for having a secure web. Whilst we also continue to see progress in application security, we are also continuing to see common problems being exploited and causing significant harm to organizations. As 2019 progresses another are I’m becoming increasingly concerned about is IoT and how things often lack security when we connect them to the web.
TechNadu: Let's discuss encryption for a bit. We've seen a rising number of websites using HTTPS, but the overall adoption rates are still relatively low. Is there a need for everything to be encrypted and do we want all websites to use HTTPS? Are there any downsides to this pipe dream?
Scott Helme: I believe the entire web should be encrypted, yes. Even if a webpage is static or doesn’t contain sensitive information, an attacker can still monitor you or make malicious changes to a webpage like inserting malware. There did use to be downsides to using encryption on your website now, but great effort has been put into removing these and often it can be beneficial to use encryption. SEO boosts, better performance and a faster website are just a few of the things that website operators can see in the switch to HTTPS.
TechNadu: Encryption across communication apps has become a mandatory feature following Snowden's NSA scandal a few years back. Does he also play a part in the rise of encryption used in websites too? How have you seen things change in the past few years?Â
Scott Helme: I think Snowden certainly opened our eyes to a lot of things and his revelations were no doubt a contributing factor to the recent rise in adoption of HTTPS. That said, there has been a huge industry-wide push in the interests of security and privacy and HTTPS has been at the forefront of that. The biggest factors for me must be Let’s Encrypt and the Chrome Security Team without a doubt.
TechNadu: You discussed Certificate Transparency a lot in the past year or so. What are some advantages and how can we use them to spot malicious websites more easily?Â
Scott Helme: With the ability to use CT to monitor all certificate issuance we’ve seen features and services that allow us to monitor for phishing sites too. If a website gets a certificate for apple.com.somewebsite.net then we can see that certificate get logged in CT and detect that familiar subdomain which could be a phishing scam for Apple accounts. This gives the genuine site operator, like Apple, an early warning system and an additional piece of information that they can act upon to protect their users.
TechNadu: What about the bad actors that are getting certificates for their sites? How do we spot those? Are we relying too much on our browsers to tell us when we're in danger?Â
Scott Helme: There’s a common misconception around certificates and whether a site is a good site or a bad site. We need to spread the information that having HTTPS doesn’t mean anything other than an encrypted connection, you could be a genuine website or a fake website, the encryption can’t help us there. We’ve recently started to see browsers removing the ‘Secure’ text and other things that might confuse the user by giving a positive indicator and instead only showing the user a warning when there is a problem. We do rely on the browser a lot to help us here and whilst it would be great for everyone in the world to know how to be safe online, I think the browser has to help us by default or people will always become victims.
Technadu: Tell us about your security routine. What do you do to stay safe online?Â
Scott Helme: I’m cautious about the sites I visit and give my information to. For example, if I’m going to buy something, I will find reviews for the retailer to make sure they’re legitimate. Links in emails or downloads are always clicked after thinking about the safety of doing so and I always make sure my devices and browsers are up to date.
TechNadu: The IoT industry security levels are notoriously low. Do you have any smart devices in your home and how do you keep them and yourself safe?Â
Scott Helme: I probably go a little over the top here but I have a separate Wi-Fi network at home for IoT devices so I can keep them away from my other devices like phones and laptops that contain my data. The big-name manufacturers tend to be ok, I have Philips Hue bulbs and Samsung SmartThings in my house, but I’m always extra cautious around small brands or brands I haven’t heard of before. I see and appreciate the benefits of smart/IoT devices but the security and privacy do concern me, we need to do better in this space.
TechNadu: We've seen a lot of talk about whether or not to use VPNs on a daily basis. Where do you stand on this? Do you use a VPN and if yes, which one? What features should we look for when picking one?Â
Scott Helme: I don’t think you should need to use a VPN daily, but I do use one when I’m traveling, so if I’m in a hotel or an airport I can have a little extra protection and privacy. I use Freedome VPN myself and you can get a deal for all of your devices, so I have it on my phone, laptop, and tablet. We have to remember that a VPN is not an ultimate privacy and security fix, as the VPN company can still see what you’re doing, but it does make me feel a little more comfortable using Wi-Fi in busy, public places.
TechNadu: To wrap it up - How secure is the web today? What can be done to make everyone safer going forward?Â
Scott Helme: The web is more secure than it was, but we still have a lot of work to do. The recent push towards HTTPS is a great start but we need to continue that push for HTTPS and look at other areas too. Email security, application security and much more like IoT. Our rate of progress is increasing and as long as we can maintain that momentum, things will continue to improve year after year.
What do you think of Scott Helme's statements? Drop us a note in the comments section below the article! Share the article online so others can read it too and follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.Â