cips logo

CIPS CONNECTIONS


INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., MVP, DF/NPA, CNP

Markus Jakobsson, Top International Security Authority, Principal Scientist at PARC and founder of RavenWhite, Past Principal Research Scientist at RSA Security

This week, Stephen Ibaraki has an exclusive interview with Markus Jakobsson.

Markus JakobssonDr. Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He is a founder of the security startup RavenWhite, which addresses security problems associated with authentication, malware and click-fraud. He is also one of the founders of SecurityCartoon, an educational approach targeting typical Internet users.

Previously, he has held positions as Associate Professor at Indiana University, Adjunct Associate Professor at New York University, Principal Research Scientist at RSA Security, and was a member of the Technical Staff at Bell Labs. He is a visiting research fellow of the Anti-Phishing Working Group (APWG), serves on the technical advisory board of Cellfony, and is a consultant to the financial sector.

Dr. Jakobsson teaches on phishing and counter-measures, click-fraud, the human factor in security, cryptography, network security and protocol design. He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and co-author of "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008). He received his PhD in computer science from University of California at San Diego in 1997. He can be reached at markus.jakobsson@parc.com.

Markus Jakobsson
http://www.markus-jakobsson.com
Forgot your password? Go to
http://I-forgot-my-password.com
APWG - Anti-Phishing Working Group
http://www.antiphishing.org/

To listen to the interview, click on this MP3 file link

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.
http://blogs.technet.com/cdnitmanagers/

DISCUSSION:

Interview Time Index (MM:SS) and Topic

:00:41: As a Principal Scientist at Palo Alto Research Center, what does your work entail?
"....I'm in charge of trying to figure out the trends, to understand fraud online, and to develop countermeasures...."

:01:14: Markus explains the catalyst for the security startup RavenWhite?
"....We had a very different approach from the typical industry approach and that is what we wanted to give air to...."

:01:45: What is the impetus behind SecurityCartoon?
"....You can't put a textbook in front of people and say, 'You've got to become a security professional and good luck reading this book'....You've got to make it easy and enjoyable to take part in education and to understand very critical and often complex elements...."

:02:50: Markus shares some security lessons from the startup RavenWhite.

:04:00:  Markus shares a little known but essential security tip about each of the following topic areas.

  • (:04:17:) Authentication
    "....A good security lesson is that you have to avoid things which can be data mined..."

  • (:06:14:) Phishing and counter-measures
    "....The first four digits of a credit card is the issuer code...absolutely predictable to an attacker..."

  • (:08:12:) Click-fraud
    "....People don't quite understand exactly how they could be taken advantage of.....You are just the launching pad for an attack. If an attacker could put malware on your computer that clicks on various things, that's not because you are you, it is because you have a computer...."

  • (:09:28:) The human factor in security
    "....The number one problem that security experts have is that they think everybody thinks like them. That I would never fall for this therefore people would never fall for this.....They don't realize just how vulnerable people are to social engineering attacks....The vulnerability of society is that security people aren't able to anticipate what regular computer users will do in a particular situation and therefore they will build countermeasures which are just not appropriate for society as such...."

  • (:11:08:) Cryptography
    "....So there is this addiction to the notion that encryption will solve any problem. It's just not true. Encryption is great but it doesn't solve every security problem...."

  • (:12:25:) Network security
    "....People don't understand that their home routers, their access point to which they connect to the internet, is a computer. It's a computer typically running Linux and it's a rather powerful computer at that...."

  • (:14:10:) Protocol design
    "....A teeny tiny flaw in the way the protocol is designed could absolutely destroy the security of the system..."

:15:38: How did you get into computing? What drove your passion into computing?
"....I have a PhD in Computer Science with a focus on Cryptography. What guided me to do that was a mathematical inclination and a desire to stop others from cheating....I think it all comes down I'd say to being a sore loser...."

:16:58: Please share some key lessons and insights from the books: 'Phishing and Countermeasures' (Wiley, 2006) and Crimeware: Understanding New Attacks and Defenses (Symantec Press, 2008)
"....Both of these books, what they have in common is that they deal with fraud and very current types of attacks. They are also trying to anticipate what's going to come next and they are doing it based on what the entire system looks like...."

:19:28: What do you see as the most important broader IT and business challenges and solutions in 2008?
"....Phishing....Malware....Understanding the social aspects of computing...."

:21:19: Take the prior question and apply it to the next 5 years.
"....Crimeware could really change how people think about the internet...Most people will deal with a very small risk by saying that it's not going to happen to me....But if that risk increases to about 10% or 25% of all the transactions then people are going to take their computing elsewhere. It's going to regress the development of the internet...."

:23:21: In your current role, what are the biggest challenges and their solutions? How does this relate to business?

  • (:23:30:) The gap between security protocols and user
    "....You have to perform experiments to find out the true reactions of the average people out there and that is what you have to use when you build security...."

  • (:26:17:) Crimeware: datamining and spear attacks
    "....Datamining is becoming increasing used among criminals...."

  • (:28:37:) How security practitioners often think the world is logical, people do what they are told, and everything is configured correctly - that everybody is like them!
    "....One of the most common misunderstandings is that people will do what they should do...."

  • (:29:52:) Corrupting recommendation services (like yelp) and how easy it is.

:32:07: Markus shares three interesting stories from his work.

:35:40: Provide your predictions of future IT/Business trends and their implications/opportunities?

  • (:35:49:) Use of smart phones, lowered prices, sloppy security attitudes
    "....Prices are going to be lowered to the point that people are going to think of them as disposable....The trends in prices are going to hurt security...."

  • (:37:44:) Detect bad things that already happened (a machine infected with malware) - even if there are attempts to cover them up
    "....As technologists we need to develop sure ways of detecting the bad things that have happened and allowing to rewind the stakes in the context of malware which will do its best to hide its tracks...."

  • (:38:51:) how to "cure" or quarantine bots
    "....They are difficult to deal with because these are computers of average users and they are replaceable...."

  • (:43:06:) understanding how monetization drives online crime, make preemptive moves
    "....Today ....malware will stay silent so that if you don't know you won't remove it. They will try to steal money in various ways. They will monetize their existence on a machine. All the trends in online fraud is driven by this fact that things are monetized now...."

:44:50: From his research, Markus comments on the statistics and where this is all heading.

:47:02:  How can we as IT or business professionals access some of the research that you are doing?
"....You have to know when to educate users and when not to....Everything must fit together and any kind of education that is performed implicitly or explicitly must be in the right direction to make things more safe not less safe and that is difficult...."

:49:26: Markus gives his top recommended resources and explains why.
"....APWG website (anti-phishing working group)...McAfee and Symantec newsletters....Internal resources - having devious people on staff is useful - or as consultants....Don't undervalue public scrutiny of things....Magazines like IEEE Security and Privacy....and my books, of course...."

:51:24: If you were doing this interview, what questions would you ask and then what would be your answers?
"....What would you do if you were a phisher?....How about if you wanted to control a bot network?....What is the greatest mistake a CISO could make?....If you represented a large bank, what would you fear most of all?....Does it matter that people use the same few passwords at many sites?...."

:56:22: If this was the ideal world, what would you like to see happen and what are your personal goals?
"....I would like to see an integration of goals in the Security department and PR department of large financial institutions...I wish more organizations were a little bit humble when it comes to security....Personal goals....I'm trying to understand how security, in a holistic manner, affects us and how we could improve the security; how we could imagine what the next big wave of problems will be and preemptively fix it...."